The Non-Petya cyber-attack and how to protect yourself from others like it

What is ransomware, and how does it differ from malware?

Ransomware is malware. The term ‘malware’ is short for malicious software, and applies to a broader group of software tools which all aim at harming and infecting the end user’s system. Malware includes viruses, worms, trojan horses, spyware, adware and ransomware. Ransomware is a particularly intrusive form of malware, which is used by cyber-criminals for financial gain. Once placed in the end user’s system, ransomware will encrypt all the files and request money, most commonly in the form of a bitcoin payment of around $300 (£230).

Where and why did the “Petya” attack start?

The Petya (or rather “Not-Petya”, as it was soon dubbed) cyber-attack started its journey in Ukraine, where a software update on a widely-used accounting programme enabled it to rapidly spread to both public and private entities. As opposed to WannaCry, it did not use the Internet to spread – instead, it used local networks to infect all devices connected to the same network. Non-Petya targeted big businesses, more likely to pay out quickly and with a larger number of vulnerable systems. This allowed it to quickly spread to the Netherlands, Lithuania, Russia, India, Israel and beyond.

Why are cyber-attacks becoming more and more common?

This year alone we have witnessed the NHS being rendered speechless by the WannaCry outburst (which spread to over 150 countries), followed closely by what looked like a second Non-Petya attack at the end of June. However, it was soon discovered that the Non-Petya attack might not have been as straightforward a ransomware attack as initially believed. The attack hit many Ukrainian businesses, including the central bank, state telecom, municipal metro, Kiev’s Boryspil airport and even some operations at the Chernobyl nuclear power plant. This, combined with a single e-mail address for all the payments, sparked discussion regarding whether or not it was actually an attack targeted at Ukraine itself.

How did Non-Petya work?

This particular ransomware exploited the auto-update feature in a Ukrainian accounting system, MeDoc. It initiated an auto-update from within the software, which led to the ransomware being installed on all of the computers using the software. It has been indicated that MeDoc’s servers were using severely outdated software, which enabled the attackers to easily access them and spread the malware. It then targeted big companies, such as Danish shipping company Maersk, Russian oil company Rosneft and American pharmaceutical company Merck by leveraging Microsoft Windows tools such as the Windows Management Instrumentation to infect other computers on the same network.

What happened to the files?

With traditional ransomware, once the bitcoin ransom is paid, the user gets a key to decode the encrypted files. However, in this instance, because the attackers used one e-mail address, it soon became impossible to inform them of the ransom being paid. German e-mail provider Posteo, which hosts the e-mail address used by the attackers, shut it down a few hours after the attack, meaning any person affected was left without the chance to send a message and demand that the files be decrypted. What’s more, Non-Petya seems to have disguised itself as ransomware, when in fact it was a form of wiper virus – rendering the encrypted files gone for good.

What can we learn from it?

As with the WannaCry attack of May, there are a few lessons to be taken:

  1. Make sure that your computers are running the most recent update of Microsoft’s software
  2. Check you have installed the latest version of Windows
  3. Refrain from clicking on any malicious links

As to the burning question of “to pay or not to pay the ransom?”, the answer always will be no. Paying the ransom only encourages attackers, and with attacks such as Non-Petya, does not guarantee you will be able to recover the files.

Aftermath of Non-Petya

On July 5th, the group responsible for the attack posted a message on the DeepPaste service (accessible solely via the Tor anonymity network), asking for 100 bitcoins (≈$250,000) in return for a universal key to unlock what’s left of the encrypted files. So far no one has stepped forward to pay the price. The delay in the pay-out demand has lent further weight to the theory of Non-Petya being a targeted attack, rather than a bid for financial gain.

By Stefan Garczynski, Head of Cyber Security at Equilibrium Risk

