NotPetya: How a Russian malware created the world's worst cyberattack ever

Imagine you wake up one day for work and realise that the IT hub in the office is acting fishy. All your colleagues, donning sharp suits, carrying compact laptops and tablets in one hand and a flask of coffee in the other, head to their desks for the day's operations to begin, only to find out that their files, both official and personal, are being "encrypted". A daunting idea, isn't it? And what if the files on your C drive are mysteriously being "repaired" or, more surreally still, you are being ordered to pay $300 worth of bitcoin to decrypt them? All this is not just a wicked idea; it is what happened when the most devastating cyberattack in recent history took place.

Andy Greenberg, a senior writer with WIRED and author of the forthcoming Doubleday publication Sandworm, chronicled the birth of the biggest cyberattack, which began, at least, as an assault on one nation by another. In an excerpt from his book, Greenberg says, "For the past four and a half years, Ukraine has been locked in a grinding, undeclared war with Russia that has killed more than 10,000 Ukrainians and displaced millions more. The conflict has also seen Ukraine become a scorched-earth testing ground for Russian cyberwar tactics. In 2015 and 2016, while the Kremlin-linked hackers known as Fancy Bear were busy breaking into the US Democratic National Committee’s servers, another group of agents known as Sandworm was hacking into dozens of Ukrainian governmental organisations and companies. They penetrated the networks of victims ranging from media outlets to railway firms, detonating logic bombs that destroyed terabytes of data." In June 2017, in the course of this conflict between the two nations, the Russian hackers unleashed one of the most devastating cybersecurity breaches yet seen, attacking victims' networks with file-encrypting code and destroying terabytes of data. This idea of destruction gave birth to NotPetya, a much bigger threat to the world than the infamous WannaCry malware.

So, what is NotPetya malware and how to recognise it?

Before we talk about the NotPetya attacks, we should first talk about its previous avatar, Petya. Petya is a family of encrypting ransomware first discovered in early 2016: a piece of criminal code that extorted victims to pay for a key to unlock their files.

This ransomware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the hard drive's file system table and prevents Windows from booting. It then demands that the user make a payment in Bitcoin in order to regain access to the system.
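Because Petya's damage starts in the master boot record (the first 512-byte sector of the disk), one defensive check a practitioner can run is to parse that sector and compare its bootstrap area against a baseline recorded when the machine was known to be clean. The following Python is an added example written for this article; it is not code from the article, from WIRED, or from any Petya analysis. It works on constructed in-memory MBR images (no real disk is read), and the function names, the baseline-hash approach and the sample partition layout are all assumptions of the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446      # bytes 0..445 hold the bootstrap code
PARTITION_ENTRY_SIZE = 16          # four 16-byte entries follow it
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510..511 of a valid MBR
ENTRY_FORMAT = "<B3sB3sII"         # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes, partitions) -> bytes:
    """Assemble a constructed 512-byte MBR image for the demo (not a real disk)."""
    if len(boot_code) > PARTITION_TABLE_OFFSET:
        raise ValueError("boot code must fit in the first 446 bytes")
    image = bytearray(SECTOR_SIZE)
    image[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba_start, sectors) in enumerate(partitions):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # CHS fields are left zeroed; modern firmware relies on the LBA fields
        image[off:off + PARTITION_ENTRY_SIZE] = struct.pack(
            ENTRY_FORMAT, 0x80 if bootable else 0x00, b"\0\0\0",
            ptype, b"\0\0\0", lba_start, sectors)
    image[510:512] = BOOT_SIGNATURE
    return bytes(image)


def parse_mbr(image: bytes) -> dict:
    """Decode the signature, the partition table and a hash of the bootstrap area."""
    if len(image) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, _chs_s, ptype, _chs_e, lba, count = struct.unpack(
            ENTRY_FORMAT, image[off:off + PARTITION_ENTRY_SIZE])
        if ptype == 0:
            continue  # empty slot
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba, "sectors": count})
    return {
        "signature_ok": image[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(image[:PARTITION_TABLE_OFFSET]).hexdigest(),
        "partitions": entries,
    }


def check_mbr(image: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(image)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline: bootstrap area has been rewritten")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged active: firmware may have nothing to boot")
    return findings


# Constructed sample data: a "clean" bootstrap stub and a different one standing in
# for a rewritten sector. Neither is real boot code; they only differ in content.
CLEAN_BOOT_CODE = bytes([0xFA, 0x33, 0xC0]).ljust(PARTITION_TABLE_OFFSET, b"\x00")
REWRITTEN_BOOT_CODE = bytes([0xEB, 0x10, 0x90]).ljust(PARTITION_TABLE_OFFSET, b"\x00")
SAMPLE_PARTITIONS = [(True, 0x07, 2048, 204800)]   # one bootable NTFS-type partition

CLEAN_IMAGE = build_sample_mbr(CLEAN_BOOT_CODE, SAMPLE_PARTITIONS)
BASELINE_HASH = parse_mbr(CLEAN_IMAGE)["boot_code_sha256"]   # recorded on a known-good host
REWRITTEN_IMAGE = build_sample_mbr(REWRITTEN_BOOT_CODE, SAMPLE_PARTITIONS)
NO_SIGNATURE_IMAGE = CLEAN_IMAGE[:510] + b"\x00\x00"

if __name__ == "__main__":
    for name, img in [("clean", CLEAN_IMAGE), ("rewritten", REWRITTEN_IMAGE),
                      ("no-signature", NO_SIGNATURE_IMAGE)]:
        print(name, check_mbr(img, BASELINE_HASH) or "OK")
```

The baseline hash should be captured once while the host is trusted and stored off the machine; a hash computed on demand from a sector the attacker already controls proves nothing. On a real system the 512 bytes would come from reading the physical disk device with administrative rights, and the same check can be scheduled alongside ordinary backup verification.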

NotPetya took its name from its resemblance to the ransomware Petya 

Petya and NotPetya are two kinds of malware that affected thousands of computers worldwide in 2016 and 2017. Both aim to encrypt the hard drive of infected computers, and they share enough features to be recognisably related. Although the latter grew out of the former, NotPetya has many more tools to help it spread and infect computers. Moreover, while Petya is a standard piece of ransomware that aims to make a few quick Bitcoin from victims, NotPetya is widely viewed as a state-sponsored Russian cyberattack masquerading as ransomware.

Although NotPetya was targeting war-torn Ukraine, the aftermath was felt by the world. The malware had immense potential to destroy computers, data and networked machines everywhere. In the excerpt from Sandworm published by WIRED, the author recounts how the spread of the malware affected not just its intended victim, Ukraine, but reached numerous machines around the world, from hospitals in Pennsylvania to a chocolate factory in Tasmania. It ate into multinational companies including Maersk, pharmaceutical giant Merck, FedEx’s European subsidiary TNT Express, French construction company Saint-Gobain, and FMCG giants Mondelez and Reckitt Benckiser. And, in a turn its creators apparently did not expect, NotPetya spread back to Russia, striking the state oil company Rosneft.

According to confirmation WIRED received from former Homeland Security adviser Tom Bossert, the attack caused more than $10 billion in total damages. Bossert, at the time the malware was being investigated and studied, was US President Donald Trump’s most senior cybersecurity-focused official. Even the infamous WannaCry, which spread a month before NotPetya, in May 2017, is estimated to have cost between $4 billion and $8 billion.

Beyond the US presidential election that the Russians were prying into, the NotPetya malware spread like wildfire across the world, eating into electronics and computers, locking up data and demanding exorbitant sums in Bitcoin for its recovery. Greenberg in his book paints a bleak picture of the havoc the malware caused across countries and the losses that citizens had to bear, both in cash and in kind.

The attacks, which started as a weapon in the war against Ukraine, precisely targeting electronics and computers in hotels, hospitals, government offices and the like in that country, ultimately caused vast devastation across the world. From losses at the shipping terminal in Elizabeth, New Jersey, to Manhattan’s skyscrapers, and from offices in the UK to Ghana, the worm slid through government data, wiping away important historical documents, sabotaging records and creating panic around the world.

However, even after more than a year, the damage done by the NotPetya malware has not been fully undone. According to WIRED, several experts argue that the malware can resurface in bouts in different parts of the world, or even recur in a larger form.

Therefore, to protect your data from a cyber breach, the advice more or less remains the same. Don’t click on unknown attachments, always use strong and unique passwords, somewhat like a phrase or an idiom, and keep an up-to-date backup, because even if it is not visible right away, it looks like ransomware is here to stay.
