Microsoft says the outbreak of NotPetya – aka SortaPetya, Petna, ExPetr, GoldenEye, Nyetya and Diskcoder.C – that began June 27 resulted in “a less widespread attack” than WannaCry, aka WannaCrypt. That was despite NotPetya being, by many security experts’ reckoning, even more sophisticated than WannaCry, and despite it using the same EternalBlue Server Message Block (SMB) exploit for Windows that had enabled WannaCry to spread far and fast.
By way of explanation, Microsoft surmises in a blog post that NotPetya’s global impact was blunted because whoever designed the malware deliberately limited its attack capabilities. In particular, the malware is set by default to reboot an infected system after 60 minutes, although attackers can provide a different time value, it says. Once the time is up, the system reboots, and the malware does not persist after the reboot. “This means that the threat can only do lateral movement and exploitation of other machines during this limited time,” Microsoft says. “This reduced the reach of the attack.”
In addition, Microsoft notes, NotPetya appeared to be a very targeted malware campaign – more than 70 percent of all systems that encountered NotPetya were in Ukraine.