Cybereason Detects and Stops NotPetya Ransomware

NotPetya ransomware has affected hundreds of organizations across Europe and across the world.

Since we discovered the attack, our team has been quite busy. In addition to discovering a kill switch that stops NotPetya in its tracks, we’ve also:

  • Built and issued an update to the Cybereason Sensor for Windows that detects and prevents NotPetya as well as other MBR-based ransomware
  • Built and issued a new version of Cybereason RansomFree that detects and prevents NotPetya as well as other MBR-based ransomware

What’s unique about NotPetya?

Unlike most ransomware, which encrypts files as soon as it executes, NotPetya encrypts files only after the machine is rebooted. NotPetya spreads throughout the network, extracts admin credentials, and schedules a task to reboot the machine. As soon as a victim reboots their machine, NotPetya overwrites the Master Boot Record (MBR) with a malicious payload that encrypts the full disk.

How does Cybereason detect NotPetya?

Cybereason collects and analyzes behavioral data to identify if and when malicious activity occurs in an environment. In the case of NotPetya and other MBR-based ransomware, the solution detects malicious activity that attempts to affect the MBR. If a protected machine is infected with NotPetya, Cybereason will detect the activity and block NotPetya from encrypting any data. An infected machine will still be rebooted, but Cybereason will restore the original MBR so that NotPetya cannot succeed.
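
The following is an added example, not Cybereason's code or detection logic: a minimal sketch of noticing MBR tampering by comparing sector 0 against a known-good baseline copy. The function names are hypothetical and both sample sectors are constructed in the code so it runs offline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 440      # bootstrap code area: bytes 0..439
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
BOOT_SIG = b"\x55\xaa"   # boot signature at bytes 510..511

def parse_mbr(sector):
    """Split a 512-byte MBR into the fields worth monitoring."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[off:off + 16])
        if ptype:  # type 0x00 marks an unused slot
            parts.append((i, status, ptype, lba, count))
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
        "partitions": parts,
        "signature_ok": sector[510:512] == BOOT_SIG,
    }

def diff_mbr(baseline, current):
    """Return findings describing how `current` deviates from `baseline`."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("bootstrap code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(boot_code):
    """Constructed test sector: one active partition (type 0x07) at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    body = boot_code.ljust(BOOT_CODE_END, b"\x00") + b"\x00" * 6
    return body + entry + b"\x00" * 48 + BOOT_SIG

# Constructed samples, not real boot code.
BASELINE = build_sample_mbr(b"constructed-original-loader")
TAMPERED = build_sample_mbr(b"constructed-replacement-loader")
```

A baseline captured while the machine is known to be clean is what makes both the comparison and a later restore of the original sector possible.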


Download RansomFree for free ransomware protection.


About the Author

Lital Asher-Dotan

Lital is a marketing team leader, storyteller, and technology marketing expert. She joined Cybereason as the first marketing hire and built a full marketing department. She specializes in brand building, product marketing, communication and content, and is passionate about building ROI-driven marketing teams.