News/Trends, Tech/Engineering, Product

From Ransomware to Wipeware: How NotPetya is Changing the Threat Landscape


One thing that you learn in security over time is that things repeat themselves. While the world was busy crying over the WannaCry ransomware, another threat was looming around the corner. It was only 45 days ago that I was writing about WannaCry and now we are dealing with a new variant of the same attack: NotPetya. While initially classified as a ransomware attack, NotPetya actually turned out to be a Wipe attack, shifting the motive from financial gain to data destruction.

How Bad Is It?

The first infections of NotPetya were seen in the Ukraine where it affected nearly 13,000 machines and expanded rapidly, hitting countries like Brazil, Belgium, Germany, Russia and the United States. In total, it has emerged in 65 countries and is thought to have originated from a Ukrainian company’s tax software called MEDoc via an auto-update process. NotPetya also claimed two internationally recognized victims: Maersk, a global shipping conglomerate, Merck, a pharmaceutical giant, and a subsidiary of FedEx. Additionally, NotPetya infiltrated some healthcare organizations as well.

How Does It Work?

NotPetya works somewhat similarly to what we saw with WannaCry back in May. One of those techniques include “EternalBlue” (and yes, the same Microsoft Patch that prevented WannaCry works here, too). NotPetya works by overwriting the Master Boot Record (MBR) of the infected system causing it to crash after a number of minutes. After the reboot, the use is presented with a phony “chkdsk” screen that looks like it is being repaired. In reality, the user is watching their files being encrypted in real-time. There are also instructions presented for the user to seed $300 in BitCoin to an email address that has been shutdown. Additionally, NotPetya does not provide the attacker with an installation ID or encryption, but also seeks to harvest credentials and move laterally within the network. This behavior has caused many security experts to believe that NotPetya is focused on data destruction by means of crypto-shredding rather than revenue generation.

Cloud Data Protection Is Data Security

It is one thing to demand a ransom for data and yet another to actively destroy data.  While Druva has always maintained that the best defense for ransomware is a good backup in the cloud, new threats like NotPetya are changing the game. Only the cloud can provide the necessary layer of separation from an infection or a strain of new laterally-moving malware that runs unchecked on the internet and within your network. Given the speed of the lateral movement of NotPetya, this means that data on-premises, including your backup servers, can be compromised as well. Cloud data protection provides a layer of isolation from primary attack vectors to your on premises data.  If there has ever been a better reason to consider cloud data protection as part of your organization’s data security strategy, that time is now.

If you are serious about data protection, Druva addresses wipeware with:

Complete Data Protection—for endpoints, cloud applications (Office 365, Box, G Suite and Salesforce) and servers—optimal for ransomware and wipeware scenarios.

Immediate Recovery—get your files back in minutes with instant-access data restores, from anywhere to any device, including cloud applications.

Real-time Data Threat Intelligence—proactively look for threats and compliance violations within your data attack surface no matter where that data lives.

While it is pretty much guaranteed that NotPetya will continue to spread as we head into the weekend, there are two ways to respond to this attack: Either you have a good backup or you don’t. To learn about how Druva can expand your data protection strategy beyond backup, check out these resources: