A Closer Look at NotPetya

What is NotPetya?

NotPetya is a notorious strain of malware that first emerged in June 2017, causing widespread damage and disruption across the globe. It was initially believed to be a variant of the Petya ransomware, which encrypts a computer system's files and demands a ransom for their release. However, further analysis revealed significant differences, leading to the understanding that NotPetya was not primarily designed for financial gain but rather as a tool for sabotage.

Key characteristics of NotPetya include:

  1. Wiper Malware Masquerading as Ransomware: Unlike typical ransomware that allows victims to recover their files upon payment of a ransom, NotPetya was designed to permanently damage or destroy data. It displayed a ransom note, but the mechanism for decrypting the files was ineffective, indicating that the attackers never intended to restore the affected systems.
  2. Propagation Mechanisms: NotPetya spread rapidly through networks by exploiting vulnerabilities in Microsoft Windows, including via the EternalBlue exploit, which had previously been leaked from the U.S. National Security Agency (NSA). This allowed it to infect computers within the same network without user interaction, leading to its fast spread across organizations.
  3. Impact: The malware caused significant disruptions and financial losses for numerous multinational corporations, governmental agencies, and other organizations. Companies in various sectors, including shipping, law, and manufacturing, reported severe operational disruptions and substantial financial impacts. The total damages caused by NotPetya are estimated to be in the billions of dollars, making it one of the most costly cyber incidents in history.
  4. Geographic Origin and Targets: The initial outbreak of NotPetya was in Ukraine, affecting many Ukrainian organizations, including banks, media outlets, and transportation services, before spreading worldwide. The selection of initial targets and the timing—coinciding with Ukraine's Constitution Day—led to speculation that the malware was part of a state-sponsored cyberattack.
  5. Political and Strategic Implications: NotPetya has been attributed by several countries, including the United States and the United Kingdom, to state-sponsored actors associated with the Russian government. This attribution is based on the malware's characteristics, targets, and the geopolitical context, suggesting its use as a cyber weapon in the broader context of political tensions between Russia and Ukraine.

NotPetya is a prime example of how cyber warfare and cyber sabotage have become integral components of modern geopolitical conflicts, demonstrating the potential for malware to cause widespread and severe damage to national economies and global infrastructure.

What is the motive of NotPetya?

The motive behind NotPetya is widely believed to be disruption and sabotage, particularly targeting Ukraine, rather than financial gain. This assessment is based on several key observations:

  1. Design and Functionality: NotPetya was designed as wiper malware, disguising itself as ransomware. It encrypted files and displayed a ransom demand, but the encryption was irreversible, suggesting that the attackers did not intend for the victims to recover their data. The absence of a reliable decryption mechanism indicates that the primary goal was to destroy data and disrupt operations rather than to collect ransom payments.
  2. Initial Targets and Timing: The malware initially targeted Ukrainian organizations, including government institutions, financial services, and critical infrastructure, on the eve of Ukraine’s Constitution Day. This timing and focus suggest a strategic intent to undermine Ukraine's state functions and economic stability.
  3. Geopolitical Context: The deployment of NotPetya occurred against the backdrop of ongoing tensions and conflict between Ukraine and Russia. The targeting of Ukrainian institutions, followed by the spread of the malware to other countries, aligns with what analysts and governments believe to be a broader strategy of cyber warfare employed by Russia against Ukraine. This context supports the interpretation of NotPetya as a state-sponsored cyberattack aimed at destabilizing Ukraine and demonstrating cyber capabilities.
  4. Global Spread and Collateral Damage: Although initially focused on Ukraine, NotPetya quickly spread worldwide, affecting companies and organizations in numerous countries. This global impact may have been collateral damage, resulting from the interconnectedness of modern digital infrastructures. The indiscriminate nature of this spread underscores the disruptive intent of the malware, highlighting the challenges in containing cyberattacks within geopolitical borders.
  5. State Attribution: Several countries and cybersecurity organizations have attributed NotPetya to state-sponsored actors associated with the Russian government. This attribution is based on technical analysis, the malware’s behavior, and the geopolitical context, further supporting the view that the motive was political disruption rather than criminal financial gain.

In summary, the motive behind NotPetya appears to be the use of cyber operations to achieve geopolitical objectives, specifically the destabilization and sabotage of Ukraine, within the broader context of Russian-Ukrainian tensions. The attack demonstrates the evolving nature of cyber threats, where state actors employ malware not just for espionage or theft, but as a means of direct sabotage against perceived adversaries.

What's the difference between Petya and NotPetya?

Petya and NotPetya are both types of malware that initially appear similar because they both encrypt the master boot record (MBR) of infected Windows computers, preventing the operating system from booting until a ransom is paid. However, despite these superficial similarities, there are significant differences between the two, both in terms of their operation and their underlying motives.

Origin and Evolution

  • Petya: First identified in 2016, Petya was a genuine piece of ransomware designed to extort money from victims by encrypting files on their computer and demanding a ransom for the decryption key.
  • NotPetya: Emerging in 2017, NotPetya masqueraded as ransomware similar to Petya but was primarily designed for disruption and destruction. It is considered a wiper malware disguised as ransomware.

Mode of Operation

  • Petya: Petya encrypts the file system's master file table (MFT) and the MBR, rendering the system inoperable until a ransom is paid for the decryption key. The original Petya aimed to encrypt files for ransom, with a functioning system for payment and obtaining decryption keys.
  • NotPetya: While NotPetya also targets the MBR, its encryption process is more destructive and less reversible than Petya's. NotPetya spreads more aggressively within networks by exploiting vulnerabilities like EternalBlue, along with other methods for lateral movement. Notably, NotPetya’s encryption is designed to be irreversible, with no genuine intention of allowing victims to recover their files, even if they attempt to pay the ransom.

Motives

  • Petya: The motive behind Petya is financial gain. It operates as typical ransomware, aiming to profit from victims willing to pay to recover their encrypted data.
  • NotPetya: NotPetya’s motive is not financial but rather disruptive and destructive, aimed at causing maximum disruption, particularly targeting Ukrainian businesses and institutions initially before spreading globally. The lack of a reliable decryption mechanism, despite displaying a ransom note, indicates its primary purpose was sabotage.

Impact

  • Petya: The impact of Petya was significant but more confined compared to NotPetya. It affected numerous organizations worldwide but was part of the broader landscape of ransomware attacks.
  • NotPetya: NotPetya had a massive, global impact, causing billions of dollars in damages across many countries and industries. Its design for rapid propagation and destruction made it one of the most devastating cyberattacks in history.

Attribution

  • Petya: Petya is attributed to cybercriminals aiming for financial profit.
  • NotPetya: NotPetya is widely attributed to state-sponsored actors, specifically the Russian military, as part of cyber operations against Ukraine. This attribution is based on its targets, timing, and destructive nature, aligning with geopolitical motives rather than criminal profit.

In summary, while Petya and NotPetya share some superficial similarities, they are fundamentally different in their operation, motives, and impacts. Petya functions as traditional ransomware with a financial motive, whereas NotPetya is a state-sponsored tool for cyber warfare, designed to disrupt and destroy.

How can NAC help to stop NotPetya?

Network Access Control (NAC) can play a crucial role in mitigating the spread of malware like NotPetya within an organization's network. NAC solutions enforce security policies that control access to the network and its resources, ensuring that only authorized and compliant devices can connect. While NAC itself might not stop the initial infection by NotPetya, it can significantly reduce the malware's ability to spread and cause further damage. Here's how NAC can help:

Endpoint Compliance Checks

NAC systems can perform health checks on devices attempting to connect to the network. This process involves assessing whether the device has up-to-date security patches, antivirus signatures, and other security controls that can reduce the vulnerability to NotPetya and similar threats. Devices failing these checks can be quarantined or restricted to limited network access until they are updated and compliant.

Segmentation and Role-based Access

By enforcing network segmentation and role-based access controls (RBAC), NAC can limit a device's access to only those resources necessary for its user's role. This approach minimizes the potential pathways for malware to spread across the network. If a device is infected, the damage can be contained to a smaller segment of the network, reducing the overall impact on the organization.

Detection of Anomalous Behavior

Some advanced NAC solutions offer behavioral monitoring features that detect unusual activity on the network, which could indicate the presence of malware like NotPetya. For instance, rapid propagation attempts or unusual data encryption activities can trigger alerts. Upon detection, the NAC system can automatically block or isolate the affected device, mitigating the spread of the malware.
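The "rapid propagation attempts" signal described above, worked through as an added example that is not from the original page or any NAC vendor: it scans constructed connection-log lines for a host that opens SMB (TCP/445) connections to many distinct peers inside a short window, the burst that EternalBlue-style spreading produces, and turns each hit into the quarantine action a NAC would take. The log format, the IP addresses, the 60-second window and the peer threshold are assumptions for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, one connection per line: "<timestamp> <src> -> <dst>:<port>".
# 10.0.1.15 fans out to six SMB peers in four seconds (propagation burst);
# 10.0.1.40 talks to two peers five minutes apart (normal file-share use).
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.1.15 -> 10.0.1.20:445
2017-06-27T10:00:02 10.0.1.15 -> 10.0.1.21:445
2017-06-27T10:00:02 10.0.1.15 -> 10.0.1.22:445
2017-06-27T10:00:03 10.0.1.15 -> 10.0.1.23:445
2017-06-27T10:00:03 10.0.1.15 -> 10.0.1.24:445
2017-06-27T10:00:04 10.0.1.15 -> 10.0.1.25:445
2017-06-27T10:00:05 10.0.1.40 -> 10.0.1.5:445
2017-06-27T10:05:00 10.0.1.40 -> 10.0.1.6:445
2017-06-27T10:00:06 10.0.1.50 -> 10.0.1.7:443
"""

SMB_PORT = 445

def parse_line(line):
    ts, src, _, dst = line.split()
    dst_ip, dst_port = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), src, dst_ip, int(dst_port)

def detect_smb_fanout(log_text, window_seconds=60, max_peers=5):
    """Return {src_ip: distinct SMB peers} for sources that exceed max_peers
    within any sliding window of window_seconds (assumed thresholds)."""
    window = timedelta(seconds=window_seconds)
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, src, dst_ip, port = parse_line(line)
        if port == SMB_PORT:
            events[src].append((ts, dst_ip))
    flagged = {}
    for src, conns in events.items():
        conns.sort()  # log lines may arrive out of order
        for i, (start, _) in enumerate(conns):
            peers = {d for t, d in conns[i:] if t - start <= window}
            if len(peers) > max_peers:
                flagged[src] = max(flagged.get(src, 0), len(peers))
    return flagged

def quarantine_actions(flagged):
    """Map each detection to the isolate-the-device response the page describes."""
    return [{"device": ip, "action": "quarantine",
             "reason": f"{n} distinct SMB peers inside the window"}
            for ip, n in sorted(flagged.items())]

if __name__ == "__main__":
    for action in quarantine_actions(detect_smb_fanout(SAMPLE_LOG)):
        print(action)
```

A real deployment would feed this from flow or switch telemetry and tune the window and threshold per segment so that backup servers and scanners are allow-listed rather than quarantined.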

Quarantine and Remediation

NAC systems can automatically quarantine devices that are suspected of being compromised or that have failed compliance checks. This quarantine capability stops the spread of malware by isolating infected devices from the rest of the network. Furthermore, NAC solutions can sometimes facilitate the remediation process by directing users to resources that help them clean their devices or by automatically applying security updates and patches.

Integration with Other Security Tools

NAC solutions often integrate well with other security tools like Security Information and Event Management (SIEM) systems, firewalls, and intrusion prevention systems (IPS). This integration allows for a coordinated response to threats. For example, if an IPS detects NotPetya-like activity, it can inform the NAC system to isolate the affected device immediately.

Implementing NAC as part of a layered security strategy can significantly enhance an organization's ability to prevent the spread of sophisticated malware like NotPetya. However, it's important to note that NAC is just one component of a comprehensive cybersecurity approach. Effective defense against such threats also requires updated software, employee training, regular backups, and a robust incident response plan.