Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
Petna / Eternalblue Petya
Petna / Eternalblue Petya
-------------------------
Hashes:
Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/
Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
Hashes below via Kaspersky article: https://securelist.com/schroedingers-petya/78870/
DLL: 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0
0df7179693755b810403a972f4466afb
42b2ff216d14c2c8387c8eabfb1ab7d0
Names in the media: Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya, Expetr, Pnyetya
Tips for users:
* don't pay, files won't be decrypted
* if you realize that a machine got infected, shut it down immediately, don't reboot, ask an expert for help
* infection prevention via: Windows-Patches, no admin rights for standard user, up-to-date AV
* vaccination script is linked below, but use with caution; vaccines are often detected by security software.
Contact email (has been locked down): wowsmith123456@posteo.net
BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Payment will not get any files back, because the contact email is blocked!
Initial infection vector: The ransomware spread via MEDoc updates: https://twitter.com/CyberpoliceUA/status/879772963658235904
It was suspected that the update servers of a financial software called MEDoc were hacked.
This tweet states a malicious email led to update server propagation via MEDoc: https://twitter.com/VK_Intel/status/879780368089534464
A second initial infection vector may have been a whaterhole attack on http://bahmut.com.ua/news/ (see: https://twitter.com/craiu/status/880011103161524224)
Spreading through LAN (not Internet!): https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
* EternalBlue and EternalRomance
* code similar to Mimikatz dumps credentials
* scans the local network for admin$ shares, copies itself across the network, executes with psexec
* wmic used to find remote shares to spread to
Petya or not Petya: The boot loader code is the same as in version 3 of green Petya, the high-level code (dropper and user mode portion prev. Misha) is different: https://twitter.com/hasherezade/status/879777725493506050
User mode encryption component (prev. Mischa): Yes, this component exists.
Target extensions: .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.
The ransomware does not rename any files.
Low-level encryption component: The MFT is encrypted.
Decryption:
Petna is deemed uncrackable by hasherezade: https://twitter.com/hasherezade/status/880027379544051713
Reboot via 2 methods:
* scheduled task shutdown.exe /r /f
* NtRaiseHardError
KillSwitch: No, this does not exist. People claiming there is one are just jumping on the PR wagon. They are actually referring to a possible vaccine (not confirmed yet whether that works).
Vaccination script: https://pastebin.com/BxZ8CEzc
Victims:
Ukraine government: https://twitter.com/RozenkoPavlo/status/879677026256510976
Russian oil giant Rosneft: https://twitter.com/RosneftRu/status/879665160012673024
Rotterdam port: https://twitter.com/OpiniePaultje/status/879680984219779072
Targets in spain: http://www.elconfidencial.com/tecnologia/2017-06-27/ataque-ransomware-dla-piper-wannacry_1405839/
Maersk: https://twitter.com/campuscodi/status/879712143133872132
Supermarket in Kharkov, Ukraine: https://twitter.com/golub/status/879707965179088896
Ukraine ATM: https://twitter.com/mikko/status/879735944907296768
WPP: https://twitter.com/WPP/status/879706256612761600
Merck pharma giant, USA: https://twitter.com/JackPosobiec/status/879734999196602369
Kiev metro station: https://ain.ua/2017/06/27/kievenergo-i-ukrainskie-banki-podverglis-xakerskoj-atake
Saint-gobain: https://twitter.com/AnimalDubz/status/879684389860454402
Mars, Nivea, and Auchan offices in Urkaine: https://www.buro247.ru/technology/news/27-jun-2017-petya-wannacry.html
Chernobyl's radiation monitoring: http://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html
The Ukraine is pretty humorous about their situation: https://twitter.com/Ukraine/status/879706437169147906
Home users have not been the target yet.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment