15 What Petya/NotPetya Ransomware Is and What Its Remidiations Are
Sharifah Yaqoub A. Fayi
Abstract
Ransomware attacks have been growing worldwide since they appeared around 2012. The idea of a ransomware attack is to encrypt and lock the files on a computer until a ransom is paid. These attacks usually enter the system through Trojans, which carry malicious programs that run a payload to encrypt and lock the files. The basic goal of this type of attack is to obtain money, so the attackers usually unlock the files when they receive it, but in reality there is no guarantee of that. Ransomware attacks come in various versions, such as Reveton, CryptoWall, WannaCry, and Petya. The Petya attack is the one this paper discusses, especially its most recent version, which is referred to as NotPetya. This paper defines the NotPetya attack, explains how it works, and where and how it spreads. This paper also discusses four solutions available to recover after a system is infected by NotPetya and proposes the best one, based on extensive research into the recovery solutions for this attack.
Keywords
NotPetya recovering · NotPetya ransomware · NotPetya ransomware removing · NotPetya ransomware solutions · NotPetya ransomware prevention
S. Y. A. Fayi
Department of Computer and Information Systems, Robert Morris University, Moon Township, PA, USA

15.1 Introduction
This paper discusses the most recent ransomware attack, which appeared on June 27, 2017, called NotPetya, and which has recently become the second global information security issue in the world [1,2]. This ransomware is a modified version of Petya, referred to as NotPetya to distinguish it from the older Petya attacks. NotPetya differs from the old versions by encrypting at a deeper level: it does not just encrypt files, it encrypts the whole system. It encrypts the Master File Table (MFT) after rebooting the infected system, so the Master Boot Record (MBR) becomes unusable [3,4]. As a result of locking the MBR, the infected system eventually becomes useless: you cannot reach your files or even the operating system on the drive, because the MBR, a sector of the hard drive, is essential for locating the operating system and the files. NotPetya spreads by taking advantage of EternalBlue, which exploits a vulnerability in the Windows operating system, the same vulnerability exploited by the WannaCry attack. In addition, EternalBlue is not the only means NotPetya uses; it also tries other Windows mechanisms and exploits, such as PsExec, Windows Management Instrumentation (WMI), and EternalRomance, to propagate through the infected network [1]. For example, the NotPetya attack can use the WMI tool to propagate by obtaining administrator access information on one unpatched computer in the network and then spreading itself to other computers in the same network. Robert Lipovsky, an ESET researcher, said, “It only takes one unpatched computer to get inside the network, and the malware can get administrator rights and spread to other computers.” [6]. This ransomware can also reach other computers through the network by harvesting users’ login information [5]. Another way the attack spreads is through phishing emails that contain malware-laden attachments [2,7]. After that, if a computer is infected by NotPetya, a message stating that the computer’s files are encrypted appears, demanding $300 in Bitcoin to decrypt the files, as shown in Fig. 15.1 [6].
Ukraine is the country where the attack started, and it affected many government offices, banks, and the airport [2]. According to the Ukrainian Cyber Police, the attack was distributed through the accounting software called MeDo, which Ukrainian companies need in order to work with the government [2].
This attack did not affect just Ukraine; it was also detected in 64 other countries around the world, including in Europe and the USA [6]. Based on Fig. 15.2, the USA is the second most affected country after Ukraine [8].

© Springer International Publishing AG, part of Springer Nature 2018
S. Latifi (ed.), Information Technology – New Generations, Advances in Intelligent Systems and Computing 738, https://doi.org/10.1007/978-3-319-77028-4_15

Fig. 15.1 Note displayed on computers infected with NotPetya
Fig. 15.2 Top 20 countries by number of infected organizations
It is obvious from the number of countries and organizations that NotPetya infected that this ransomware spreads rapidly and affects large parts of the world. In addition, the spread of NotPetya leads to significant disruption because it hits important organizations in a country, such as the advertising firm WPP, the shipping giant Maersk, and Heritage Valley Health System [2,5]. Such organizations need their systems to be operational all the time to do their work completely and correctly. As a result, and since prevention is better than remediation, you must keep your network from being infected, for example by requesting help from IT specialists if you have a large organization, or by learning about security threats yourself if you have a small business and do not want to spend much money on an IT expert. To protect your network, US-CERT recommends, for instance, applying Microsoft’s latest patch for the MS17-010 SMB vulnerability, making regular backups of your data and testing them, setting anti-virus and anti-malware software to scan regularly, managing the use of privileged accounts, and securing the use of WMI by setting permissions [1]. However, if your prevention is not that strong and the NotPetya ransomware is running on your computer or your network, there are some solutions for recovering from it, and this paper reviews four of them.
15.2 Literature Review
The aim of this paper is to discuss four existing solutions for remediating devices infected by the NotPetya ransomware, in a clear and easy way that does not require deep experience in computing or a technician who costs a lot of money.
The first solution is the one that the CrowdStrike Blog explains. This blog describes tools for decrypting the MFT, which holds the system’s files and their metadata, and which helps in recovering files after the attack. These tools exploit shortcomings in the implementation of the Salsa20 cipher in NotPetya to restore the files from the MFT: first the MFT is extracted from the corrupted hard disk, then the Decyptpetya.py tool, which you can find in the CrowdStrike code repository, is run on it [9]. In my opinion this is a good solution, because the CrowdStrike Blog has shown that their tools can extract and decrypt most of the encrypted MFT records. However, this solution requires deep technical knowledge in the computer and technology fields, so I think it is difficult to follow for people who do not have enough technical knowledge, or for small businesses that do not have the budget for a technician who costs a lot. I suggest that those businesses, or anyone who uses a computer for personal purposes, use an easier way that does not cost much money to recover their files, because in my opinion those people and small businesses do not have that much sensitive data or files that deserve spending much money on a technician to restore them. They can try one of the other solutions that this paper discusses, which do not require intensive knowledge of dealing with NotPetya ransomware threats.
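The CrowdStrike tools described above depend on a cryptographic weakness in NotPetya’s Salsa20 implementation. The following added example is not CrowdStrike’s code and does not reproduce NotPetya’s cipher; it shows, in a constructed form, the general known-plaintext idea behind MFT recovery: a stream cipher whose keystream is reused for every record, a few constructed MFT-like records (including zero-filled unused slots, which a real MFT also contains), and a recovery routine that uses the fixed FILE signature and the zero slots to recover the keystream and decrypt everything. The record layout, the `flawed_keystream` function, the key and the file names are all constructed for the demonstration; the actual defect CrowdStrike exploited is specific to NotPetya’s code and is documented in their post.

```python
"""Toy known-plaintext keystream recovery against a stream cipher whose
keystream is reused across MFT records.  Added example; the cipher below is a
constructed stand-in and is not NotPetya's Salsa20 implementation."""
import hashlib
import struct

RECORD_SIZE = 1024   # NTFS MFT file record size on most volumes
SIGNATURE = b"FILE"  # every in-use MFT record starts with this signature


def flawed_keystream(key: bytes) -> bytes:
    """Constructed defect: the keystream depends only on the key, so every
    record is XORed with the same RECORD_SIZE bytes (keystream reuse)."""
    stream = b""
    counter = 0
    while len(stream) < RECORD_SIZE:
        stream += hashlib.sha256(key + struct.pack("<I", counter)).digest()
        counter += 1
    return stream[:RECORD_SIZE]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def make_record(name: str) -> bytes:
    """Constructed MFT-like record: signature, two fixed header words, a
    UTF-16LE file name, then zero padding up to RECORD_SIZE."""
    header = SIGNATURE + struct.pack("<HH", 0x30, 0x03)
    return (header + name.encode("utf-16-le")).ljust(RECORD_SIZE, b"\x00")


def encrypt_records(records, key):
    ks = flawed_keystream(key)
    return [xor_bytes(r, ks) for r in records]


def decrypt_records(cipher_records, keystream):
    return [xor_bytes(c, keystream) for c in cipher_records]


def looks_like_mft(records) -> bool:
    """Plausibility check: each record is either an unused zero-filled slot
    or starts with the FILE signature."""
    return all(r.startswith(SIGNATURE) or not any(r) for r in records)


def recover_keystream(cipher_records) -> bytes:
    """Known-plaintext recovery.  An unused MFT slot is all zeros, so its
    ciphertext *is* the keystream.  Because in-use records all start with
    SIGNATURE, records fall into two groups by their first four ciphertext
    bytes, and the two prefixes differ by exactly SIGNATURE.  Each group's
    ciphertext is tried as the keystream; the one that decrypts every record
    to a plausible MFT record is the real keystream."""
    groups = {}
    for c in cipher_records:
        groups.setdefault(c[:4], []).append(c)
    for prefix, group in groups.items():
        if xor_bytes(prefix, SIGNATURE) not in groups:
            continue
        candidate = group[0]
        if looks_like_mft(decrypt_records(cipher_records, candidate)):
            return candidate
    raise ValueError("no zero-filled slot found; keystream not recoverable this way")


def can_recover(cipher_records) -> bool:
    try:
        recover_keystream(cipher_records)
        return True
    except ValueError:
        return False


def demo() -> bool:
    """Encrypt constructed records with the flawed cipher, recover the
    keystream without the key, and report whether every record came back."""
    key = hashlib.sha256(b"constructed demo key, not a real NotPetya key").digest()
    plain = [make_record("budget.xlsx"), make_record("notes.txt"),
             b"\x00" * RECORD_SIZE, make_record("photo.jpg"), b"\x00" * RECORD_SIZE]
    cipher = encrypt_records(plain, key)
    recovered = decrypt_records(cipher, recover_keystream(cipher))
    return recovered == plain


if __name__ == "__main__":
    print("recovered all records:", demo())
```

The recovery needs no key at all; what it needs is keystream reuse plus some plaintext the defender already knows (here the FILE signature and the zero-filled slots). With a correctly used stream cipher, where every record gets a fresh keystream position, the same routine raises `ValueError`, which is the behaviour the `can_recover` helper exposes.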
The idea of the second solution, which @HackerFantastic mentioned on Twitter, is to interrupt the encryption process by taking advantage of the waiting time that NotPetya takes before rebooting the system. The account advises you to turn off your computer immediately if you see the message shown in Fig. 15.3 [2].
The second solution seems a great way to keep files from being encrypted, but I assume its disadvantages are that you must be attentive and turn off your computer as quickly as you can without any delay, which is sometimes easier said than done, and that there is no practical proof of it that I can find. As a result, I believe that if you do not have much knowledge of security attacks, you cannot perform this quick response.
The third solution, which 2-SpyWare.com provides, recommends that you use anti-spyware software such as Reimage or Malwarebytes Anti-Malware to remove the attack [10]. They explain two manual removal methods that eliminate NotPetya, by using Safe Mode with Networking or by using System Restore. In the first method, you enter Safe Mode after restarting the system to get away from NotPetya and reach a security tool, so you can download an anti-spyware program that helps you eliminate NotPetya; if the ransomware blocks Safe Mode with Networking, try the second method [10]. The second method removes NotPetya by using System Restore, which also requires rebooting the computer into Safe Mode, but with Command Prompt. When the Command Prompt appears, you can use the commands that 2-SpyWare.com demonstrates clearly to restore your system to an earlier date. After that, you should scan your computer and make sure that NotPetya has been successfully removed [10]. Then you can try to restore data using the Data Recovery Pro software, which can help restore damaged files, or ShadowExplorer, which can help to decrypt infected files [10]. Even though you cannot decrypt the files with an official NotPetya decryption program, because 2-SpyWare.com states that “NotPetya decryption is not available yet.”, I think the third solution is the perfect way to recover your computer if you have a fair amount of technical knowledge, by just following the clear guide on the website.

Fig. 15.3 Message shown during the encryption process
The final solution is acceptable for those who want the easiest and clearest way to eliminate NotPetya and whose files are not worth a hard and costly effort to redeem. The solution is to format the infected hard drive and reinstall the operating system; after that, with luck, you can restore the files from backups if you back up your files routinely [2,6]. Consequently, keep your anti-virus up to date and set up automatic backups of your files, whether to another device or to the cloud [2,6].
15.3 Proposed Solution
I reviewed four solutions in this paper that deal with the NotPetya ransomware, and I believe that the best and easiest solution depends on the person’s ability and experience in dealing with security attacks. However, I propose trying a solution that a small business, or a person with enough knowledge of technology, can follow. This solution obviously is not paying the ransom to obtain the key that decrypts the files, because there is no guarantee of that; the solution is the third one in this paper, which I think is the perfect one to follow to recover after the ransomware attack. The idea of this solution is to restart your computer and enter Safe Mode, then remove NotPetya by downloading an anti-spyware program, and after that restore your infected files using software that helps with this recovery.
At first, to access your files, you have to eliminate NotPetya from your system by following the manual removal guidelines that 2-SpyWare.com clearly explains. The first step in this guide requires you to enter Safe Mode to get away from the NotPetya ransomware, after which you can reach a security tool. There are two ways to enter Safe Mode: Safe Mode with Networking or Safe Mode with Command Prompt. In this paper, I will review only how to enter Safe Mode with Networking in Windows 7, and I assume that the ransomware does not block entering Safe Mode with Networking.
The first step to enter Safe Mode with Networking in Windows 7 is to restart your computer and, when it turns on, press the F8 key repeatedly until the Advanced Boot Options window appears, then choose Safe Mode with Networking from the menu [10] (Fig. 15.4).
The second step is to open the browser in your infected account and download one of the anti-spyware programs that 2-SpyWare.com recommends, such as Reimage or Malwarebytes Anti-Malware. Before you start scanning and removing the ransomware, ensure that the anti-spyware you downloaded is up to date. In this paper, I choose Malwarebytes to delete NotPetya because it is a free removal program and its tools can remove malicious files and programs easily [11]. You can download Malwarebytes for Windows from the My AntiSpyware website and follow the instructions provided to complete the setup. After downloading it, double-click the setup file called “mb3-setup” and click ‘Yes’ if the User Account Control window appears [11].
After that, follow the Setup Wizard to install Malwarebytes on your computer and do not change the default settings [11]. When the installation completes successfully, the main screen of the software appears automatically, as shown in Fig. 15.5 [11].
After checking that the software is up to date, press the Scan Now button; the scanning process then begins, detecting the NotPetya ransomware and any other malicious programs [11]. After that, review the report, which usually takes a long time to appear, and click the Remove Selected button [11] (Fig. 15.6).
As a result, the Malwarebytes software begins to remove NotPetya and any other security threats found [11]. After the cleaning process finishes, a prompt window asking you to restart your computer appears, and after restarting, your computer should be free of malicious software and files [11].

Fig. 15.4 Advanced Boot Options window
Fig. 15.5 Malwarebytes main screen
Fig. 15.6 Threats detected report window
The second step is to recover the corrupted files by trying one of the procedures that 2-SpyWare.com suggests.
The first method is to download the Data Recovery Pro software, which helps you recover corrupted and encrypted files, and then follow the instructions that the Viruses Removal Pro website provides in its guide to removing the NotPetya ransomware [11,12]. After downloading and opening the software, choose Quick Scan or Full Scan, as shown in Fig. 15.7, and then click Start Scan to find the files that NotPetya corrupted [12].
After that, check the types of all files you need to restore and then press the Recover button, as shown in Fig. 15.8 [12].
The second recovery method is decrypting files with the ShadowExplorer software, which has a high chance of restoring infected files successfully, because, as 2-SpyWare.com states, “At the moment, the malware does not manifest the ability to delete volume shadow copies, so you are likely to succeed in restoring affected files with the assistance of this tool” [10]. After downloading the software, you can follow the guide that the Security Affairs website explains [13]. After you choose the drive and identify the files you need to recover from the list in the main window of ShadowExplorer, you can export the files by right-clicking the folder, as shown in Fig. 15.9 [13]. In the case that the Security Affairs website used, they successfully recovered 100% of the files, as you can see in Fig. 15.10 [13].
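The ShadowExplorer method only works if the volume still holds a shadow copy taken before the infection. As an added example, not from 2-SpyWare.com or Security Affairs, the following script parses the output of the Windows `vssadmin list shadows` command and lists, per drive letter, the snapshot devices created before a given infection time, so a responder can confirm that a usable restore point exists before starting the GUI work. The sample output embedded below is constructed (placeholder GUIDs and host name, following the tool’s real layout); the cutoff date in the demo is the paper’s outbreak date, and the date format assumes the US-style timestamps vssadmin prints on an English Windows install.

```python
"""Inventory Volume Shadow Copies from `vssadmin list shadows` output and
report which snapshots predate an infection.  Added example; the sample
output below is constructed with placeholder GUIDs and host name."""
import re
from datetime import datetime

SAMPLE_VSSADMIN_OUTPUT = r"""
vssadmin 1.1 - Volume Shadow Copy Service administrative command-line tool
(C) Copyright 2001-2013 Microsoft Corp.

Contents of shadow copy set ID: {11111111-1111-1111-1111-111111111111}
   Contained 1 shadow copies at creation time: 6/25/2017 7:00:12 PM
      Shadow Copy ID: {aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaaa}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy1
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {22222222-2222-2222-2222-222222222222}
   Contained 1 shadow copies at creation time: 6/26/2017 11:15:00 PM
      Shadow Copy ID: {bbbbbbbb-bbbb-bbbb-bbbb-bbbbbbbbbbbb}
         Original Volume: (D:)\\?\Volume{dddddddd-dddd-dddd-dddd-dddddddddddd}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy2
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered

Contents of shadow copy set ID: {33333333-3333-3333-3333-333333333333}
   Contained 1 shadow copies at creation time: 6/28/2017 9:30:45 AM
      Shadow Copy ID: {eeeeeeee-eeee-eeee-eeee-eeeeeeeeeeee}
         Original Volume: (C:)\\?\Volume{cccccccc-cccc-cccc-cccc-cccccccccccc}\
         Shadow Copy Volume: \\?\GLOBALROOT\Device\HarddiskVolumeShadowCopy3
         Originating Machine: WORKSTATION-01
         Service Machine: WORKSTATION-01
         Provider: 'Microsoft Software Shadow Copy provider 1.0'
         Type: ClientAccessibleWriters
         Attributes: Persistent, Client-accessible, No auto release, Differential, Auto recovered
"""

# Constructed cutoff: the outbreak date the paper gives (June 27, 2017).
INFECTION_TIME = datetime(2017, 6, 27, 0, 0)

CREATION_RE = re.compile(r"creation time:\s*(.+?)\s*$")
COPY_ID_RE = re.compile(r"Shadow Copy ID:\s*(\{[0-9A-Fa-f-]+\})")
ORIG_VOL_RE = re.compile(r"Original Volume:\s*\((\w:)\)")
DEVICE_RE = re.compile(r"Shadow Copy Volume:\s*(\S+)")


def parse_vssadmin(text):
    """Return one dict per shadow copy: id, created (datetime), volume (drive
    letter) and device (the GLOBALROOT path ShadowExplorer-style tools open)."""
    snapshots, created, current = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = CREATION_RE.search(line)
        if m:  # one creation time per shadow copy set; applies to the copies that follow
            created = datetime.strptime(m.group(1), "%m/%d/%Y %I:%M:%S %p")
            continue
        m = COPY_ID_RE.search(line)
        if m:
            current = {"id": m.group(1), "created": created, "volume": None, "device": None}
            snapshots.append(current)
            continue
        if current is None:
            continue
        m = ORIG_VOL_RE.search(line)
        if m:
            current["volume"] = m.group(1)
            continue
        m = DEVICE_RE.search(line)
        if m:
            current["device"] = m.group(1)
    return snapshots


def snapshots_before(snapshots, cutoff):
    """Map drive letter -> device paths of snapshots taken before cutoff, newest first."""
    by_volume = {}
    for s in snapshots:
        if s["created"] is not None and s["created"] < cutoff:
            by_volume.setdefault(s["volume"], []).append(s)
    return {vol: [s["device"] for s in sorted(items, key=lambda s: s["created"], reverse=True)]
            for vol, items in by_volume.items()}


def usable_snapshots(text, cutoff):
    return snapshots_before(parse_vssadmin(text), cutoff)


def demo():
    return usable_snapshots(SAMPLE_VSSADMIN_OUTPUT, INFECTION_TIME)


if __name__ == "__main__":
    for volume, devices in demo().items():
        print(volume, "restore points before infection:", ", ".join(devices))
```

On a real machine the text comes from running `vssadmin list shadows` as an administrator and feeding its output to `usable_snapshots`; an empty result for a volume means ShadowExplorer has nothing to offer for that drive, and the snapshot created after the infection (ShadowCopy3 in the sample) is deliberately excluded because it may already contain encrypted files.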
As a result, by following the solution that I suggest, you can recover your system after a NotPetya ransomware infection. In addition, based on what I presented previously, which demonstrates the success of the recovery process, you obviously have a great chance of removing the ransomware and restoring your files [14].
15.4 Conclusion
To sum up, this paper explains what NotPetya is, how it works, and when and where it appeared. It also mentions some ways to prevent NotPetya and reviews four existing solutions that can help remove NotPetya and restore files. The four solutions are: using tools for decrypting the MFT, which recover files by taking advantage of the limitation of the Salsa20 cipher in NotPetya, with a full explanation available on the CrowdStrike Blog; interrupting the encryption process by exploiting the waiting time that NotPetya needs before rebooting the system; entering Safe Mode, removing NotPetya, and then restoring the files in the way that 2-SpyWare.com provides; and reinstalling the operating system and then restoring the files from a backup, if you back up your files regularly. When I reviewed these four solutions, I tried to focus on showing their disadvantages to help you choose the solution appropriate for you.

Fig. 15.7 Data Recovery Pro scanning options
Fig. 15.8 Items available to recover
Fig. 15.9 Files available to export
Fig. 15.10 Files after successful recovery
After reviewing all four solutions, I state that the second solution, which is entering Safe Mode, removing NotPetya, and then restoring the files in the way that 2-SpyWare.com provides, is a perfect solution because it covers both how to remove the NotPetya ransomware and how to restore the files. I support this solution by adding more details on how to remove NotPetya using the Malwarebytes software, and how to restore your files using the Data Recovery Pro software or the ShadowExplorer software.
In the end, do not forget that deciding on the best or easiest solution depends on you, on your ability and experience in dealing with security threats, and on which solution causes the least possible loss. Moreover, do not forget that prevention is better than remediation, so always back up your files to another device or to the cloud and test those backups, and make sure that the patches and the anti-virus or anti-spyware software on your computer are up to date. Finally, always stay aware of security threats to secure your system or your organization’s system.
References
1. Alert (TA17-181A) Petya Ransomware, US-CERT (2017). [Online]. https://www.us-cert.gov/ncas/alerts/TA17-181A. Accessed 7 Nov 2017
2. O. Solon, A. Hern, ‘Petya’ ransomware attack: what is it and how can it be stopped?, The Guardian (2017). [Online]. https://www.theguardian.com/technology/2017/jun/27/petya-ransomware-cyber-attack-who-what-why-how. Accessed 7 Nov 2017
3. Q. Yeh, A.J. Chang, Threats and countermeasures for information system security: a cross-industry study. Inf. Manag. 44, 480–491 (2007)
4. P. Bedwell, A deep dive into the NotPetya ransomware attack, Lastline (2017). [Online]. https://www.lastline.com/blog/notpetya-ransomware-attack/. Accessed 7 Nov 2017
5. L. Abrams, Petya Ransomware skips the Files and Encrypts your Hard Drive Instead, BleepingComputer (2016). [Online]. https://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-and-encrypts-your-hard-drive-instead/. Accessed 7 Nov 2017
6. A. Kharpal, ‘Petya’ ransomware: All you need to know about the cyberattack and how to tell if you’re at risk, CNBC (2017). [Online]. https://www.cnbc.com/2017/06/28/petya-ransomware-cyberattack-explained-how-to-tell-if-youre-at-risk-or-been-attacked.html. Accessed 7 Nov 2017
7. T. Fox-Brewster, 3 Things You Can Do To Stop ‘NotPetya’ Ransomware Wrecking Your PC, Forbes (2017). [Online]. https://www.forbes.com/sites/thomasbrewster/2017/06/28/three-things-you-can-do-to-stop-notpetya-ransomware-wrecking-your-pc/#6f276e377b05. Accessed 7 Nov 2017
8. I. Thomson, Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide, The Register (2017). [Online]. https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/. Accessed 8 Nov 2017
9. Symantec Security Response, Petya ransomware outbreak: Here’s what you need to know, Symantec (2017). [Online]. https://www.symantec.com/connect/blogs/petya-ransomware-outbreak-here-s-what-you-need-know. Accessed 8 Nov 2017
10. S. Eschweiler, Decrypting NotPetya/Petya: Tools for recovering your MFT after an attack, CrowdStrike (2017). [Online]. https://www.crowdstrike.com/blog/decrypting-notpetya-tools-for-recovering-your-mft-after-an-attack/. Accessed 7 Nov 2017
11. J. Splinters, NotPetya ransomware virus. How to remove? (Uninstall guide), 2-spyware (2017). [Online]. https://www.2-spyware.com/remove-notpetya-ransomware-virus.html#data-recovery. Accessed 7 Nov 2017
12. Patrik, Petya.A/NotPetya virus removal: How to protect computer, My AntiSpyware (2017). [Online]. http://www.myantispyware.com/2017/06/28/petya-notpetya-virus/. Accessed 7 Nov 2017
13. CASPAR, Guide to remove NotPetya ransomware permanently, Viruses Removal Pro (2017). [Online]. http://provirusesremoval.com/guide-remove-notpetya-ransomware-permanently/. Accessed 7 Nov 2017
14. P. Paganini, Ransomware: How to recover your encrypted files, the last guide, Security Affairs (2016). [Online]. http://securityaffairs.co/wordpress/53438/malware/ransomware-recover-guide.html. Accessed 7 Nov 2017