Dameon Welch-Abernathy

NotPetya: Under the Microscope Presentation and Recording

Discussion created by Dameon Welch-Abernathy Moderator on Jul 11, 2017
Latest reply on Jul 11, 2017 by Moti Sagey

If you missed today's informative webinar on NotPetya, you can download the slide deck and watch a recording of the presentation below.


Note: You must be logged in to CheckMates in order to view the presentation and recording.


NotPetya: Under the Microscope Slidedeck

NotPetya: Under the Microscope Webinar Recording


Here is a brief outline:


  • Intro (short summary of events + presentation goals)
  • Timeline – What happened prior to the attack? (M.E.Doc supply chain attack story + watering hole attack)
  • Lateral Movement – How does the malware spread?
    • Embedded Credential Stealing Tool – Explanation
    • Methods used to run remote code
      • WMI
      • PsExec
    • EternalBlue + DoublePulsar Lateral Movement
  • Overview of the Ransomware’s MBR Encryption Method
    • MBR, VBR, MFT – Terminology Explanation
    • How does the MBR encryption in NotPetya work?
  • General Malware Flow
  • Should you Pay the Ransom?
  • Double Pulsar Finding (Our Research + Reference to Blog Post for Full Story)
  • Speculations + Fiction
    • TeleBots Team Connection
    • Russian Government Involvement
    • Malware is Not Designed for Profit – explanation
    • Confusion with CVE-2017-0199 Downloader
  • How can we protect ourselves from the next strain for free (besides patching and backing up)
  • Summary
Related: How Endpoint Forensics sees NotPetya