‘Defanged’ NotPetya released in a controlled environment

The UK-based cyber security company NCC Group replaced the destructive parts of NotPetya with telemetry and safeguards, then released the result into a client's live environment.

In June 2017, an unnamed client asked NCC Group to help research the likely impact of the NotPetya malware on their live environment.

The client had been fortunate enough not to be affected, but wanted to know how bad it would have been had the attack, alleged to be Russian in origin, hit them.

The client asked, “So, would NCC Group be interested in producing a NotPetya simulation program? i.e. a NotPetya clone that we can run inside of our network, but with the ransomware removed and safeguards to ensure it stays within our network. Also could you create some reporting so that we can understand what mechanism it used to move between each host and how long it took to move around the network?”

After discussions, a set of requirements was created:

  • Target operating systems
  • Target enumeration mechanisms
  • Propagation mechanisms
  • Exploits
  • Enable/propagate switches
  • Kill/remove switches
  • Telemetry and reporting
  • Clean-up and removal
  • Anti-network saturation algorithm

The first four essentially mirrored NotPetya’s functionality, while the remaining five acted as safeguards and handled data collection:

  • IP address whitelists defining which hosts may be targeted, ensuring the program only ran within them
  • Pre-shared secrets held in DNS, checked and validated before the program was allowed to run and before it could be killed/removed
  • Regular heartbeats
  • State reporting
  • Success/failure reporting
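As an added illustration of the safeguard logic described above (this is not NCC Group's code; the network ranges, DNS names and secrets are constructed for the example), a propagation gate that fails closed: a host is only acted on if it falls inside the allowlist, the DNS-held run secret is present, and the DNS-held kill secret is absent.

```python
import hashlib
import hmac
import ipaddress
from typing import Callable, Optional

# Constructed allowlist for the engagement (assumption, not a real customer range).
ALLOWED_NETWORKS = [ipaddress.ip_network(n) for n in ("10.20.0.0/16", "192.168.50.0/24")]

# Only hashes of the pre-shared secrets are embedded; the secrets themselves are
# published (or withdrawn) by the operator via DNS TXT records. Constructed values.
RUN_SECRET_HASH = hashlib.sha256(b"constructed-run-secret").hexdigest()
KILL_SECRET_HASH = hashlib.sha256(b"constructed-kill-secret").hexdigest()
RUN_RECORD = "run.sim.example"    # hypothetical DNS names for the two switches
KILL_RECORD = "kill.sim.example"


def in_scope(ip: str) -> bool:
    """Allowlist gate: True only if the address lies inside a permitted network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETWORKS)


def _txt_matches(record: Optional[str], expected_hash: str) -> bool:
    """Compare the hash of a DNS-held secret against the embedded hash in constant time."""
    if record is None:
        return False
    digest = hashlib.sha256(record.encode()).hexdigest()
    return hmac.compare_digest(digest, expected_hash)


def decide(ip: str, resolve_txt: Callable[[str], Optional[str]]) -> str:
    """Return 'kill', 'skip' or 'run' for a candidate host.

    resolve_txt is injected so the logic can be tested offline; in a deployment
    it would perform a real TXT lookup. The kill switch is checked first so that
    withdrawing the run secret or publishing the kill secret stops everything.
    """
    if _txt_matches(resolve_txt(KILL_RECORD), KILL_SECRET_HASH):
        return "kill"
    if not in_scope(ip):
        return "skip"
    if not _txt_matches(resolve_txt(RUN_RECORD), RUN_SECRET_HASH):
        return "skip"  # fail closed: no valid run secret, no activity
    return "run"
```

Because the run secret must be positively present, a DNS outage or an operator deleting the record halts propagation rather than letting it continue unchecked.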

After development and testing, the pseudo-malware, dubbed EternalBlue, was released onto the customer’s engineering network (a live environment, but separate from the corporate systems) on 7 December 2017.

According to NCC, the release generated far more data than expected and moved through the network very quickly.

  • The customer ran it on one machine in their engineering network with no privileges.
  • It found three machines unpatched.
  • It exploited those three machines to obtain kernel-level access.
  • It infected those three machines.
  • Within 10 minutes it had gone through the entire engineering network using recovered/stolen credentials.
  • It then took the domain about two minutes later.
  • A total of 107 hosts were owned in roughly 45 minutes before the client initiated the kill and remove switch.

Anti-virus on some target computers detected the pseudo-malware; it will be adjusted to get past this problem and then deployed into the full production environment very soon.

More results to come.

Image: © User:Colin / Wikimedia Commons / CC BY-SA 4.0
