Teardown of ‘NotPetya’ Malware: Here’s What We Know

Malicious Code Moves Laterally, Can Infect Fully Patched Windows PCs

Malware known as NotPetya, SortaPetya or GoldenEye continues to spread globally, infecting endpoints via leaked Equation Group exploits as well as built-in Windows tools. Here’s a roundup of what we know about the supposed ransomware and its spread so far.

A cleverly built piece of malware, based in part on previously seen Petya ransomware, continues to spread globally in an outbreak rivaling last month’s WannaCry campaign.

Security firms are referring to the malware tied to the global outbreak by various names: NotPetya, SortaPetya, Petna, ExPetr, GoldenEye and Nyetya.

Unfortunately, the malware appears to lack WannaCry’s inadvertent kill switch. Plus, it has the ability to infect even fully patched Microsoft Windows systems.

“This one’s more dangerous than WannaCry,” says Rob Wainwright, head of EU law enforcement intelligence agency Europol, via Twitter (see Massive Petya Variant Outbreak: More Clever Than WannaCry).

But much about the malware – hereafter referred to as NotPetya – remains unclear. That includes the identity of the individual or group who launched the attack and their motivation, as well as the “patient zero” in the attacks and how long related infections might propagate before being brought under control.

Here is what is known so far:

Affected: 65+ Countries

Security experts say NotPetya first appeared Tuesday in Ukraine and quickly spread across Europe and beyond.

On Tuesday, Microsoft counted at least 12,500 infected systems across 65 countries. Those include Belgium, Brazil, Britain, Denmark, Germany, Russia and the United States.
