S0368: NotPetya
NotPetya is malware that was used by Sandworm Team in a worldwide attack starting on June 27, 2017. While NotPetya appears as a form of ransomware, its main purpose was to destroy data and disk structures on compromised systems; the attackers never intended to make the encrypted data recoverable. As such, NotPetya may be more appropriately thought of as a form of wiper malware. NotPetya contains worm-like features to spread itself across a computer network using the SMBv1 exploits EternalBlue and EternalRomance.[1][2][3][4]
Analyst context for executives and security teams
NotPetya matters because ATT&CK describes it as destructive Windows malware that looked like ransomware but was intended to destroy data and disk structures, with worm-like spread using SMBv1 exploits. For leaders, the lesson is not “ransomware payment readiness”; it is whether the business can contain rapid Windows lateral movement and restore operations when encrypted or damaged systems are not recoverable by design.
Executive priority
Treat this as a resilience and segmentation test case. Executives should ask whether critical Windows environments, including any IT systems connected to operational or ICS environments, can withstand SMB-based propagation, credential abuse, remote execution, forced reboots, and destructive impact. Priority decisions should focus on patch/vulnerability governance for remote services, backup and restore confidence, network segmentation, privileged account exposure, and incident response authority to isolate systems quickly. The ICS relationship to Loss of Productivity and Revenue makes this especially relevant where IT disruption can halt operations.
Technical view
ATT&CK provides no official detection text for S0368, so validation should be relationship-driven. SOC and IR teams should map coverage across Windows behaviors associated with NotPetya: LSASS credential access, SMB and admin share lateral movement, exploitation of remote services, WMI, scheduled tasks, rundll32 execution, service execution, file and security software discovery, Windows event log clearing, data encryption for impact, and system shutdown/reboot. The key defensive question is whether telemetry links these events into a fast-moving propagation-and-impact chain rather than treating each event as an isolated alert.
Likely telemetry
- Windows process creation and command-line telemetry for rundll32.exe, schtasks, service control activity, WMI execution, shutdown or reboot commands, and event log clearing utilities
- Windows Security, System, and Application event logs, including evidence of log clearing where retained centrally
- Endpoint detection telemetry for LSASS access, credential material access attempts, discovery activity, and destructive file or disk behavior
- SMB and Windows admin share access records, including lateral connections between peer systems
- Network telemetry for SMBv1 or SMB-based movement and remote service exploitation indicators
Detection direction
- Build correlation around rapid internal spread: SMB/admin share access, remote service use, WMI or service execution, and tool/file transfer between Windows hosts.
- Prioritize detections where credential access or local account abuse is followed by lateral movement and impact activity.
- Validate alerting for Windows event log clearing, but assume local logs may be impaired; confirm centralized log forwarding and retention.
- Tune for administrative false positives by baselining legitimate WMI, scheduled task, service control, and admin share usage, then alert on unusual source hosts, timing, scale, or target sets.
- Use relationship context to include impact-stage monitoring for encryption-like activity and shutdown/reboot events, not only initial execution.
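The correlation called for in the Technical view, Likely telemetry, and Detection direction sections above, as an added example rather than code from ATT&CK or the Glexia page: it classifies Windows Security/System/Sysmon events into chain stages (execution, LSASS access, remote execution, forced reboot, log clearing), flags any host that shows several stages inside a short window, and separately flags a source that fans out over admin shares to many peers while skipping baselined administrative sources. The event IDs are the standard ones (4688, 5140, 4698, 7045, 1102, 1074, Sysmon 10); the field names, hosts, IP addresses, DLL name, allowlist and thresholds are assumptions, and the sample events are constructed.

```python
"""Correlate Windows events into a NotPetya-style propagation-and-impact chain.

Added example, not code from ATT&CK or the Glexia page. Event IDs are the
standard Windows Security/System ones (4688 process creation, 5140 share
access, 4698 task created, 7045 service installed, 1102 audit log cleared,
1074 shutdown initiated) plus Sysmon 10 (process access). Field names assume
an already-parsed feed; hosts, IPs, the DLL name and thresholds are made up.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry); "ts" is UTC ISO 8601.
SAMPLE_EVENTS = [
    # ws01: rundll32 -> LSASS access -> WMI remote exec -> scheduled reboot -> log clearing
    {"ts": "2017-06-27T10:00:05", "host": "ws01", "id": 4688, "image": "rundll32.exe",
     "cmdline": r"rundll32.exe C:\Windows\payload.dll,#1"},
    {"ts": "2017-06-27T10:00:10", "host": "ws01", "id": 10, "image": "rundll32.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"ts": "2017-06-27T10:00:20", "host": "ws01", "id": 4688, "image": "wmic.exe",
     "cmdline": r"wmic /node:10.0.0.22 /user:corp\admin process call create rundll32.exe"},
    {"ts": "2017-06-27T10:00:25", "host": "ws01", "id": 4688, "image": "schtasks.exe",
     "cmdline": r'schtasks /Create /SC once /TN "reboot" /TR "shutdown.exe /r /f" /ST 11:00'},
    {"ts": "2017-06-27T10:00:40", "host": "ws01", "id": 4688, "image": "wevtutil.exe",
     "cmdline": "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security"},
    {"ts": "2017-06-27T10:00:41", "host": "ws01", "id": 1102},
    # ws01 (10.0.0.11) then touches ADMIN$ on four peers within five seconds
    {"ts": "2017-06-27T10:01:00", "host": "ws02", "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.11"},
    {"ts": "2017-06-27T10:01:02", "host": "ws03", "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.11"},
    {"ts": "2017-06-27T10:01:03", "host": "ws04", "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.11"},
    {"ts": "2017-06-27T10:01:05", "host": "srv01", "id": 5140, "share": r"\\*\ADMIN$", "src_ip": "10.0.0.11"},
    # 10.0.0.5 is a baselined admin source; 10.0.0.33 touches one share, below threshold
    {"ts": "2017-06-27T09:30:00", "host": "fs01", "id": 5140, "share": r"\\*\C$", "src_ip": "10.0.0.5"},
    {"ts": "2017-06-27T09:31:00", "host": "fs02", "id": 5140, "share": r"\\*\C$", "src_ip": "10.0.0.5"},
    {"ts": "2017-06-27T09:32:00", "host": "fs03", "id": 5140, "share": r"\\*\C$", "src_ip": "10.0.0.5"},
    {"ts": "2017-06-27T09:45:00", "host": "fs01", "id": 5140, "share": r"\\*\C$", "src_ip": "10.0.0.33"},
    {"ts": "2017-06-27T08:00:00", "host": "jump01", "id": 4698, "task_action": "backup.exe"},
]

ADMIN_SHARES = ("ADMIN$", "C$")
BASELINE_ADMIN_SOURCES = {"10.0.0.5"}   # assumed: patch server / jump host that legitimately fans out


def classify(ev):
    """Map one event to a chain stage, or None if it is not interesting."""
    eid = ev["id"]
    image = ev.get("image", "").lower()
    cmd = ev.get("cmdline", "").lower()
    task = ev.get("task_action", "").lower()
    if eid == 10 and ev.get("target_image", "").lower().endswith("lsass.exe"):
        return "credential_access"          # Sysmon ProcessAccess against LSASS
    if eid == 1102 or (image == "wevtutil.exe" and " cl " in f" {cmd} "):
        return "defense_evasion"            # audit log cleared, or wevtutil cl
    if eid == 1074 or "shutdown" in task or (image in {"schtasks.exe", "shutdown.exe"} and "shutdown" in cmd):
        return "impact"                     # immediate or scheduled forced reboot
    if eid == 7045 or (image == "wmic.exe" and "/node:" in cmd):
        return "remote_execution"           # service installed, or WMI against a remote node
    if image == "rundll32.exe":
        return "execution"
    return None


def chain_hits(events, window=timedelta(minutes=15), min_stages=3):
    """Hosts showing >= min_stages distinct stages inside any window-long interval,
    with the stages in the order they were first seen."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = classify(ev)
        if stage:
            by_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), stage))
    hits = {}
    for host, seq in by_host.items():
        best = []
        for i, (t0, _) in enumerate(seq):          # slide the window start over each event
            seen = []
            for t, stage in seq[i:]:
                if t - t0 > window:
                    break
                if stage not in seen:
                    seen.append(stage)
            if len(seen) > len(best):
                best = seen
        if len(best) >= min_stages:
            hits[host] = best
    return hits


def share_fanout(events, window=timedelta(minutes=10), min_targets=3):
    """Source IPs reaching >= min_targets distinct hosts' admin shares inside window,
    ignoring sources baselined as legitimate administrative fan-out."""
    by_src = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["id"] == 5140 and ev.get("share", "").upper().endswith(ADMIN_SHARES):
            if ev["src_ip"] not in BASELINE_ADMIN_SOURCES:
                by_src[ev["src_ip"]].append((datetime.fromisoformat(ev["ts"]), ev["host"]))
    hits = {}
    for src, seq in by_src.items():
        for i, (t0, _) in enumerate(seq):
            targets = {h for t, h in seq[i:] if t - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = sorted(targets)
                break
    return hits


if __name__ == "__main__":
    for host, stages in chain_hits(SAMPLE_EVENTS).items():
        print(f"CHAIN  {host}: {' -> '.join(stages)}")
    for src, targets in share_fanout(SAMPLE_EVENTS).items():
        print(f"FANOUT {src} -> {', '.join(targets)}")
```

Two practitioner caveats apply to running this against real telemetry. Event 4688 carries a command line only when the "Include command line in process creation events" audit policy is enabled, so without it the rundll32, wmic, schtasks and wevtutil stages collapse to image names; and because 1102 and the preceding wevtutil call are themselves the log-clearing stage, the chain is only recoverable when events were forwarded before the clear, which is why the Detection direction above insists on centralized forwarding.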
Mitigation priorities
- First, reduce propagation paths: remove or tightly control SMBv1 exposure and prioritize patching of the remotely exploitable services referenced by the ATT&CK description and relationships, in particular the SMBv1 flaws exploited by EternalBlue and EternalRomance (fixed by MS17-010). Verify the patch state rather than assuming it; unpatched, SMBv1-enabled hosts are the propagation surface.
- Second, constrain lateral movement: limit local administrator reuse, monitor and restrict admin shares, and enforce least privilege for local and service accounts.
- Third, harden execution pathways commonly abused on Windows, including WMI, scheduled tasks, service execution, and rundll32 where business-appropriate.
- Fourth, protect evidence and recovery: forward Windows logs centrally, protect backups from endpoint compromise, and regularly test restoration of business-critical Windows systems.
- Fifth, segment critical operational or ICS-connected environments so IT malware propagation is less likely to create productivity or revenue loss.
Analyst notes and limits
The supplied object identifies NotPetya as Windows malware used by Sandworm Team in a worldwide attack beginning June 27, 2017, with destructive/wiper intent and worm-like SMBv1 propagation using EternalBlue and EternalRomance. Relationship context expands the defensive map to credential access, lateral movement, execution, discovery, defense impairment, and impact techniques, plus ICS impact relationships. This take uses those relationships to frame practical validation priorities without asserting current activity or local exposure.
ATT&CK does not provide official detection guidance for this object, and the object itself lists tactics as not specified. Several related technique records include broad platform lists, but the malware object platform is Windows; environment-specific validation is required before assuming relevance to non-Windows assets, cloud assets, or ICS systems. Local telemetry quality, segmentation, patch status, backup architecture, and administrative practices determine actual risk and coverage.
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1569.002 | Service Execution | |
| Enterprise | T1053.005 | Scheduled Task | NotPetya creates a task to reboot the system one hour after infection.[1] |
| Enterprise | T1021.002 | SMB/Windows Admin Shares | |
| Enterprise | T1685.005 | Clear Windows Event Logs | NotPetya uses |
| Enterprise | T1518.001 | Security Software Discovery | NotPetya determines if specific antivirus programs are running on an infected host machine.[4] |
| Enterprise | T1047 | Windows Management Instrumentation | NotPetya can use |
| Enterprise | T1210 | Exploitation of Remote Services | NotPetya can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network.[1][2][4] |
| Enterprise | T1083 | File and Directory Discovery | NotPetya searches for files ending with dozens of different file extensions prior to encryption.[4] |
| Enterprise | T1003.001 | LSASS Memory | |
| Enterprise | T1529 | System Shutdown/Reboot | NotPetya will reboot the system one hour after infection.[1][4] |
| Enterprise | T1486 | Data Encrypted for Impact | NotPetya encrypts user files and disk structures like the MBR with 2048-bit RSA.[1][2][4] |
| Enterprise | T1036 | Masquerading | |
| Enterprise | T1218.011 | Rundll32 | |
| Enterprise | T1078.003 | Local Accounts | |
Groups, software, and campaigns
G0034: Sandworm Team
Sandworm Team is a destructive threat group that has been attributed to Russia's General Staff Main Intelligence Directorate (GRU) Main Center for Special Technologies (GTsST) military unit 74455.[1][2] This group has been active since at least 2009.[3][4][5][6]
In October 2020, the US indicted six GRU Unit 74455 officers associated with Sandworm Team for the following cyber operations: the 2015 and 2016 attacks against Ukrainian electrical companies and government organizations, the 2017 worldwide NotPetya attack, targeting of the 2017 French presidential campaign, the 2018 Olympic Destroyer attack against the Winter Olympic Games, the 2018 operation against the Organisation for the Prohibition of Chemical Weapons, and attacks against the country of Georgia in 2018 and 2019.[1][2] Some of these were conducted with the assistance of GRU Unit 26165, which is also referred to as APT28.[7]
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, the same object can be compared across releases by object version, MITRE modification timestamp and raw hash. For MITRE's own release notes and roadmap, see the ATT&CK Updates page.
Imported snapshots across ATT&CK releases
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 2.0 | | Current bundle | 138515a61280… |
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Talos Nyetya June 2017: Chiu, A. (2017, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019.
- [2] US-CERT NotPetya 2017: US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019.
- [3] ESET Telebots June 2017: Cherepanov, A. (2017, June 30). TeleBots are back: Supply chain attacks against Ukraine. Retrieved June 11, 2020.
- [4] US District Court Indictment GRU Unit 74455 October 2020: Brady, S. W. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020.
- Source record: MITRE ATT&CK software entry S0368.
Associated names recorded by ATT&CK for this software
- Diskcoder.C [3]
- ExPetr [3]
- GoldenEye [1]
- Nyetya [1]
- Petrwrap [1][3]
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.