Security Market Segment LS
Monday, 19 February 2018 13:03

‘Defanged’ NotPetya released in a controlled environment


The UK-based cyber security company, NCC Group, has replaced the destructive parts of NotPetya with telemetry and safeguards, and then released the result into a client's live environment.

In June 2017, an unnamed client requested NCC Group to assist with research on the likely impact of the NotPetya malware in their live environment.

The client was fortunate in that they had not been affected, but wanted to know how bad it would have been if the alleged Russian-derived attack had impacted them.

The client asked, “So, would NCC Group be interested in producing a NotPetya simulation program? i.e. a NotPetya clone that we can run inside of our network, but with the ransomware removed and safeguards to ensure it stays within our network. Also could you create some reporting so that we can understand what mechanism it used to move between each host and how long it took to move around the network?”

After discussions, a set of requirements were created:

  • Target operating systems
  • Target enumeration mechanisms
  • Propagation mechanisms
  • Exploits
  • Enable/propagate switches
  • Kill/remove switches
  • Telemetry and reporting
  • Clean-up and removal
  • Anti-network saturation algorithm

The first four essentially mirrored NotPetya’s functionality, while the remaining five acted as safeguards and included data collection:

  • IP address whitelists to target and ensure we only run within
  • DNS held pre-shared secrets that were checked and validated for their ability to run and be killed/removed
  • Regular heartbeats
  • State reporting
  • Success/failure reporting
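The safeguards above amount to a scope gate: the simulator may only propagate while an enable secret is present in DNS, no kill secret is present, and the candidate host sits inside the IP allowlist. The following is an added illustration of that gating logic, not NCC Group's own code. DNS is abstracted behind a resolver callable so it runs offline; the record names, the HMAC-over-a-shared-key construction for the switch tokens and all sample values are assumptions made for this example.

```python
"""Scope and kill-switch gate for a propagation simulator (added illustration,
not NCC Group's code).

Models the safeguards the article lists: an IP allowlist the simulator must stay
inside, and enable/kill switches held as pre-shared secrets in DNS TXT records.
The record names, the token construction and the shared key are assumptions.
"""
import hashlib
import hmac
import ipaddress
from typing import Callable, Iterable, List, Optional

# A resolver maps a DNS name to its TXT value, or None when the record is absent.
# A live build would wrap a real lookup (e.g. dnspython); a dict's .get works offline.
Resolver = Callable[[str], Optional[str]]

# Assumption: a shared key is baked into the simulator build. The operator
# publishes HMAC(key, "enable") to arm it and HMAC(key, "kill") to stop it.
SHARED_KEY = b"example-shared-key-change-me"


def expected_token(action: str) -> str:
    """Token the operator must publish in DNS for the given switch."""
    return hmac.new(SHARED_KEY, action.encode(), hashlib.sha256).hexdigest()


class ScopeGate:
    def __init__(self, allowlist: Iterable[str], resolver: Resolver,
                 enable_name: str = "enable.sim.example",
                 kill_name: str = "kill.sim.example") -> None:
        self.networks = [ipaddress.ip_network(n, strict=False) for n in allowlist]
        self.resolver = resolver
        self.enable_name = enable_name
        self.kill_name = kill_name

    def in_scope(self, host: str) -> bool:
        """True only for IP addresses inside one of the allowlisted networks."""
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            return False  # refuse anything that is not a literal address
        return any(addr in net for net in self.networks)

    def _switch_set(self, name: str, action: str) -> bool:
        """True when DNS holds the correct pre-shared token for this switch."""
        value = self.resolver(name)
        if value is None:
            return False
        return hmac.compare_digest(value.strip().encode(),
                                   expected_token(action).encode())

    def enabled(self) -> bool:
        return self._switch_set(self.enable_name, "enable")

    def killed(self) -> bool:
        return self._switch_set(self.kill_name, "kill")

    def may_propagate_to(self, host: str) -> bool:
        """Fail closed: no valid enable token, a valid kill token, or an
        out-of-scope host all block propagation."""
        return self.enabled() and not self.killed() and self.in_scope(host)

    def filter_targets(self, hosts: Iterable[str]) -> List[str]:
        """Reduce an enumerated host list to those the gate allows."""
        return [h for h in hosts if self.may_propagate_to(h)]


if __name__ == "__main__":
    # Constructed sample: the operator has published the enable token only.
    records = {"enable.sim.example": expected_token("enable")}
    gate = ScopeGate(["10.10.0.0/16"], records.get)
    print(gate.filter_targets(["10.10.4.7", "192.168.1.5", "fileserver"]))
    records["kill.sim.example"] = expected_token("kill")  # operator hits kill
    print(gate.filter_targets(["10.10.4.7"]))
```

Two properties matter in practice and are checked here: an out-of-scope or non-literal host is never a target even when the simulator is armed, and removing the enable record or publishing the kill token stops propagation on the next check without any further action on the infected hosts.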

After development and testing, the pseudo-malware, dubbed EternalGlue (EternalBlue being the SMB exploit NotPetya itself used), was released onto the customer’s engineering network (a live environment, but not the corporate systems) on 7 December 2017.

According to NCC, the release generated far more data than expected, and the simulator moved through the network very quickly.

  • The customer ran it on one machine in their engineering network with no privileges.
  • It found three machines unpatched.
  • It exploited those three machines to obtain kernel-level access.
  • It infected those three machines.
  • Within 10 minutes it had gone through the entire engineering network using recovered/stolen credentials.
  • It then took the domain about two minutes later.
  • A total of 107 hosts were owned in roughly 45 minutes before the client initiated the kill and remove switch.

Anti-virus on some target computers detected the pseudo-malware. NCC said it will be adjusted to avoid that detection, after which it will be deployed into the full production environment very soon.

More results to come.

Image: © User:Colin / Wikimedia Commons / CC BY-SA 4.0

David Heath

David Heath has had a long and varied career in the IT industry having worked as a Pre-sales Network Engineer (remember Novell NetWare?), General Manager of IT&T for the TV Shopping Network, as a Technical manager in the Biometrics industry, and as a Technical Trainer and Instructional Designer in the industrial control sector. In all aspects, security has been a driving focus. Throughout his career, David has sought to inform and educate people and has done that through his writings and in more formal educational environments.
