
Reviewed threat activity

NotPetya Destructive Malware Outbreak

NotPetya demonstrated how ransomware-like tradecraft could produce destructive enterprise disruption, combining credential abuse, lateral movement, and data destruction at scale.

Source: CISA. Confidence: medium

How The Activity Unfolds In ATT&CK

NotPetya unfolds like a destructive enterprise event: credentials are abused, remote services move the activity laterally, and impact techniques create severe business disruption.

  1. T1003.001 LSASS Memory. Credential material enables spread beyond the first host.
  2. T1021.002 SMB/Windows Admin Shares. Remote service paths support lateral movement.
  3. T1486 Data Encrypted For Impact. Encryption-like behavior creates immediate operational pressure.
  4. T1485 Data Destruction. The destructive effect makes recovery and continuity the core defensive concern.
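The four-technique chain above can be checked as a single host-level correlation. The following is an added example, not part of the original page or CISA's analysis: it runs over a constructed, simplified event schema (the field names are assumed and are not a real Sysmon or EVTX layout) and flags hosts that show LSASS access, admin-share movement and mass file writes together, which is the combination the readout says should be investigated as destructive rather than as ordinary ransomware.

```python
from collections import defaultdict

LSASS = "lsass.exe"
ADMIN_SHARES = {"ADMIN$", "C$", "IPC$"}   # default Windows administrative shares
MASS_WRITE_THRESHOLD = 5                   # constructed threshold for this toy data set

# Constructed sample events in a made-up, simplified schema (not Sysmon/EVTX).
EVENTS = [
    {"host": "ws01", "type": "process_access", "target": "lsass.exe"},
    {"host": "ws01", "type": "share_connect", "share": "ADMIN$", "dest": "ws02"},
    {"host": "ws01", "type": "share_connect", "share": "C$", "dest": "ws03"},
] + [{"host": "ws01", "type": "file_write", "path": f"C:\\data\\f{i}.docx"} for i in range(6)] + [
    {"host": "ws02", "type": "share_connect", "share": "ADMIN$", "dest": "fs01"},
    {"host": "ws03", "type": "process_access", "target": "lsass.exe"},
] + [{"host": "ws03", "type": "file_write", "path": f"C:\\data\\g{i}.xlsx"} for i in range(2)]


def map_techniques(events):
    """Return {host: set of ATT&CK technique IDs} observed on each host."""
    found = defaultdict(set)
    writes = defaultdict(int)
    for e in events:
        h = e["host"]
        if e["type"] == "process_access" and e.get("target", "").lower() == LSASS:
            found[h].add("T1003.001")            # LSASS Memory
        elif e["type"] == "share_connect" and e.get("share", "").upper() in ADMIN_SHARES:
            found[h].add("T1021.002")            # SMB/Windows Admin Shares
        elif e["type"] == "file_write":
            writes[h] += 1
    for h, n in writes.items():
        if n >= MASS_WRITE_THRESHOLD:
            # File telemetry alone cannot separate encryption from destruction,
            # so a mass-write burst is tagged with both impact techniques.
            found[h].update({"T1486", "T1485"})
    return dict(found)


def destructive_spread_hosts(events):
    """Hosts showing credential access, admin-share movement and mass writes together."""
    need = {"T1003.001", "T1021.002", "T1486"}
    return sorted(h for h, t in map_techniques(events).items() if need <= t)


if __name__ == "__main__":
    print(map_techniques(EVENTS))
    print(destructive_spread_hosts(EVENTS))   # ['ws01']
```

Only ws01 satisfies the full chain; ws02 and ws03 show single techniques and would be triage leads rather than confirmed spread.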

Defender Readout

This activity belongs in the top set because it shows why ransomware-looking events must be investigated for destructive intent and lateral movement, not only ransom notes.

Evidence And Mapping Rationale

T1003.001 LSASS Memory (keyword: Petya ransomware)

Public analysis of the outbreak identifies credential theft behavior used to support spread.

T1021.002 SMB/Windows Admin Shares (keyword: ransomware)

Movement over SMB and administrative shares is central to the enterprise propagation pattern.

T1486 Data Encrypted for Impact (keyword: ransomware)

The activity presented as encryption for impact against affected systems.

T1485 Data Destruction (keyword: Petya)

The destructive effect aligns with ATT&CK data destruction impact behavior.