{
	"id": "0a87e880-ee69-4a28-81ad-43c552f197e2",
	"created_at": "2026-04-06T00:22:07.849012Z",
	"updated_at": "2026-04-10T03:21:44.152731Z",
	"deleted_at": null,
	"sha1_hash": "eb7096f3e9ac02a59a7267c4f274d3cae9baa3aa",
	"title": "Why NotPetya Kept Me Awake (\u0026 You Should Worry Too)",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 70583,
	"plain_text": "Why NotPetya Kept Me Awake (\u0026 You Should Worry Too)\r\nBy hacks4pancakes\r\nPublished: 2017-06-28 · Archived: 2026-04-05 16:52:55 UTC\r\nNotPetya may not have been the most sophisticated malware ever written. However, it was exceptionally effective\r\ndue to the authors’ savvy exploitation of common security misconceptions and their deep understanding of poor\r\nsecurity architecture. I want to briefly express my personal thoughts on why I found NotPetya particularly\r\nconcerning and a bad omen for things to come for the digital world.\r\nLiving Off The Land\r\nA lot of the news coverage on NotPetya is focusing heavily on the use of the stolen EternalBlue (MS17-010)\r\nexploit. In my opinion, this distracts from something more sinister, because patching Windows is in many cases a\r\nrelatively clear and simple fix.\r\nNotPetya has a choice of several means to move across a LAN once it is inside a perimeter. As well as exploiting\r\nMS17-010, it can also use PsExec and WMIC to move from system to system after using a stripped down version\r\nof the Mimikatz tool to steal passwords from the system it is on. PsExec and WMI are common methods of\r\nadministering Windows systems and are provided by Microsoft.\r\nI’m honestly a little surprised we haven’t seen worms taking advantage of these mechanisms so elegantly on a\r\nlarge scale until now. They are very popular tools in modern hacking. A good hacker avoids the use of malware\r\nand code exploits whenever possible. He or she may use them occasionally where no other practical option exists\r\n– for instance, exploits might be needed to escalate privileges on a system, or malware for initial phishing\r\ncompromise – but every use of malicious code is one more potential detection point for traditional signature-based\r\nantivirus and Intrusion Prevention Systems (which are relied on exclusively far too often). 
There’s no sense in\r\nusing malicious code when simpler and quieter means are available.\r\nThe use of WMI to move laterally across a network is increasingly trendy, and the use of PsExec to do so is nigh\r\narchaic now. Both methods remain stunningly effective, because they are popular avenues for systems\r\nadministration and often inadequately monitored. Logging of WMI lateral movement was quite tricky until\r\nWindows 8, and with large swathes of Windows 7 (and older) still in use in business it’s still frequently neglected.\r\nThe use of these propagation methods alone is not likely to fire any built-in attack signature in traditional,\r\nsignature-based security tools. There’s nothing to sandbox nor an unusual unique file hash to scan for. On the\r\nsurface, this activity will look like administration, and might only be detected by more detailed behavioral\r\nanalysis. With the speed that NotPetya was able to spread, this isn’t particularly practical.\r\nAbusing Mandatory Software\r\nhttps://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/\r\nPage 1 of 3\n\nOne of the primary initial infection vectors of NotPetya was the compromise of the update package for a piece of\r\nUkrainian financial software, M.E.Doc. According to reports, this software is one of only two software options\r\nUkrainian businesses have to pay their taxes. This was a clever choice for three reasons:\r\n1. Attacks were constrained somewhat to Ukraine (and companies that have interests there).\r\n2. The distribution base within the country was extremely comprehensive. Ukrainian businesses would have a\r\nhigh chance to have this software on a computer.\r\n3. 
The software company was relatively small and may have been compromised previously, indicating it was\r\npotentially under-equipped to rapidly respond to a sophisticated attack on this scale.\r\nThis is obviously not a new thought pattern – attackers have leveraged popular, commonly deployed software for\r\nexploitation for decades. Adobe Flash and Java were two of the more abused programs in recent history because\r\nthey had extremely wide installation bases. However, that was within the context of commodity malware and\r\ncrimeware, which typically infect victims fairly indiscriminately. NotPetya’s delivery combined elements of a\r\ntargeted watering hole attack we’ve traditionally seen used by nation states with traditional software exploitation\r\nto devastate a specific user base. Obviously, the potential of this avenue of attack can be explored further in the\r\ncontext of nearly any country or demographic.\r\nMasquerading as Ransomware?\r\nIn the cases of both WannaCry and NotPetya, we saw malware that was ostensibly ransomware end up not looking\r\nas much like it after a deep dive under the hood and into attacker behavior. WannaCry had a lackluster mechanism\r\nfor handling actual payments, and NotPetya looked deceptively identical to the older ransomware Petya on the\r\nsurface while functioning fundamentally differently (and not being particularly well designed to make\r\nmoney). This sowed confusion for responders, and eager security companies posted early misleading reports.\r\nMasking targeted attacks as crimeware is an interesting strategic choice which could indicate a number of very\r\ntroubling things. I will leave further speculation on those to my natsec and threat intelligence colleagues.\r\nRansomware is loud. Until CryptoLocker in 2013, the majority of crimeware tended to be purposefully quiet –\r\nstealing data and performing other nefarious tasks without its victim’s knowledge. Ransomware is intentionally\r\ndisruptive. 
Independent of anything “cyber”, it is also a tremendously effective criminal enterprise model, so it has\r\nbecome increasingly popular. There is plenty of clear evidence in the form of money and news stories that\r\ndemonstrates how much ransomware can impact victim organizations and individuals’ lives. This means\r\nransomware is also a great pretense for groups with other motives. They know their attack will cause misery and\r\nlost money, and news organizations cover ransomware attacks enthusiastically (often without much further\r\ndigging).\r\nAbuse of Poor Network Security Architecture\r\nBeyond the use of native tools, NotPetya’s lateral movement mechanisms were extremely effective because they\r\nexploited common weaknesses in many big networks. Of course, unpatched (or patched but not yet rebooted) Windows\r\nhosts were vulnerable to MS17-010 exploitation. Beyond that, lateral movement with WMI and PsExec is very\r\neffective in environments with poor network security architecture and implementation. Flat networks without\r\nsegmentation were vulnerable. Networks where the use of WMI and PsExec between hosts was permitted were\r\nvulnerable. Networks where desktop users commonly had workstation admin or domain admin permissions were\r\nvulnerable, and networks where these privileges were not restricted or tightly controlled were more so. Windows 10\r\nCredential Guard was a potential mitigation against the theft of passwords from system memory, but it is\r\ninfrequently deployed and not backwards compatible (or indeed, even compatible with every computer running\r\nWindows 10).\r\nAll of these design and implementation problems are woefully common, repeatedly bemoaned by security\r\nprofessionals auditing and consulting on those networks. 
They are not easy or cheap problems to fix in many\r\ncases, and this incident is likely not going to be the one that pushes a lot of vulnerable organizations over the\r\nedge in mitigation.\r\nYes, I’m Concerned\r\nIf you work outside Ukraine, you probably got really lucky yesterday. Many enterprises would have been\r\ntremendously vulnerable to this type of attack had they merely been hit by the initial attack vector a single time.\r\nBlood is in the water. Not only have criminals found that ransomware is a great money-making scheme, but\r\nnation states and terrorist organizations have realized pseudo-ransomware makes a misleading and effective\r\nweapon, one that can cause collateral damage globally.\r\nThings are going to get worse, and the attack landscape is going to deteriorate. Malware relying more on\r\nlegitimate credentials and native tools may easily render signature-based and hash-based solutions fundamentally\r\nless effective defenses. Organizations must no longer rely on black boxes with good sales pitches to band-aid\r\nfundamental architectural failures and neglected security fundamentals: out-of-date operating systems, liberal\r\nadministration policies, legacy protocols, or flat networks. Defense in depth, including human threat hunting and\r\neffective detection and prevention at many points, is key. This will involve policy and financial buy-in from many\r\nlagging organizations at a new level.\r\nhttps://twitter.com/HackingDave/status/879864060392742913\r\nEdit: 6/28 10PM – Minor technical corrections to clarify the purpose of M.E.Doc, the debate over encryption\r\nissues in NotPetya, and grammatical errors. Thanks to MalwareTech, grugq, and Jim Moore for pointing out my\r\nomissions, and duplicate words!\r\n7/5 3PM – A video was posted of the seizure of M.E.Doc’s equipment which shows the equipment and approximate\r\nnumber of employees at the firm. 
https://www.youtube.com/watch?v=TY5f2fmwcDE\r\nThis blog will be updated as further information is available.\r\nSource: https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/"
	],
	"report_names": [
		"why-notpetya-kept-me-awake-you-should-worry-too"
	],
	"threat_actors": [],
	"ts_created_at": 1775434927,
	"ts_updated_at": 1775791304,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/eb7096f3e9ac02a59a7267c4f274d3cae9baa3aa.pdf",
		"text": "https://archive.orkl.eu/eb7096f3e9ac02a59a7267c4f274d3cae9baa3aa.txt",
		"img": "https://archive.orkl.eu/eb7096f3e9ac02a59a7267c4f274d3cae9baa3aa.jpg"
	}
}