Petna / Eternalblue Petya
-------------------------
Hashes:
Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/
Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
Hashes below via Kaspersky article: https://securelist.com/schroedingers-petya/78870/
DLL: 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0
MD5: 0df7179693755b810403a972f4466afb
MD5: 42b2ff216d14c2c8387c8eabfb1ab7d0
Names in the media: Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya, Expetr, Pnyetya
Tips for users:
* don't pay, files won't be decrypted
* if you realize that a machine got infected, shut it down immediately, don't reboot, ask an expert for help
* infection prevention via: Windows patches, no admin rights for standard users, up-to-date AV
* vaccination script is linked below, but use with caution; vaccines are often detected by security software.
Contact email (has been locked down): wowsmith123456@posteo.net
BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Payment will not get any files back, because the contact email is blocked!
Initial infection vector: The ransomware spread via MEDoc updates: https://twitter.com/CyberpoliceUA/status/879772963658235904
It was suspected that the update servers of a financial software called MEDoc were hacked.
This tweet states a malicious email led to update server propagation via MEDoc: https://twitter.com/VK_Intel/status/879780368089534464
A second initial infection vector may have been a watering hole attack on http://bahmut.com.ua/news/ (see: https://twitter.com/craiu/status/880011103161524224)
Spreading through LAN (not Internet!): https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
* EternalBlue and EternalRomance
* code similar to Mimikatz dumps credentials
* scans the local network for admin$ shares, copies itself across the network, executes with psexec
* wmic used to find remote shares to spread to
Petya or not Petya: The boot loader code is the same as in version 3 of green Petya, the high-level code (dropper and user mode portion, prev. Mischa) is different: https://twitter.com/hasherezade/status/879777725493506050
User mode encryption component (prev. Mischa): Yes, this component exists.
Target extensions: .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.
The ransomware does not rename any files.
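Because the malware stores its target list as one dot-concatenated string and leaves file names unchanged, a defender can reuse the exact list above to inventory which files on a share would have been touched. The following is an added example (not code from the gist or from any analysis it links): it parses that string into a set, classifies file names by their final suffix, and walks a constructed sample directory to produce a per-extension exposure count. The sample files are constructed for the demo; only the extension string is taken from the notes.

```python
import os
import tempfile
from pathlib import Path

# Target extension list exactly as quoted in the notes above (one dot-delimited string).
TARGET_EXTENSION_STRING = (
    ".3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu"
    ".doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php"
    ".pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc"
    ".vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip."
)


def parse_extension_list(s: str) -> frozenset:
    """Split the dot-delimited list into lowercase extensions without the leading dot.
    Empty pieces from the leading/trailing dots are dropped."""
    return frozenset(part.lower() for part in s.split(".") if part)


TARGET_EXTENSIONS = parse_extension_list(TARGET_EXTENSION_STRING)


def is_target(filename: str) -> bool:
    """True if the file's final suffix is on the list (case-insensitive).

    Only the last suffix counts: 'backup.tar.gz' matches via 'gz', 'notes.txt'
    does not, and names without an extension ('README', '.bashrc') never match.
    """
    suffix = Path(filename).suffix  # '' when there is no extension
    if not suffix:
        return False
    return suffix[1:].lower() in TARGET_EXTENSIONS


def exposure_report(root: str) -> dict:
    """Walk a directory tree and count files per targeted extension."""
    counts = {}
    for _dirpath, _dirs, names in os.walk(root):
        for name in names:
            if is_target(name):
                ext = Path(name).suffix[1:].lower()
                counts[ext] = counts.get(ext, 0) + 1
    return counts


def demo_exposure() -> dict:
    """Build a constructed sample tree and report on it (demo data, not real victim files)."""
    sample_names = [
        "finance/Q2.xlsx", "finance/Q2.XLSX",      # case differences still match
        "src/main.c", "src/main.h", "src/main.o",  # .c/.h match, .o does not
        "backup/disk.tar.gz",                      # final suffix 'gz' matches
        "README", ".bashrc", "notes.txt",          # no match
        "vms/win10.vmdk",
    ]
    with tempfile.TemporaryDirectory() as root:
        for rel in sample_names:
            path = Path(root, rel)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(b"constructed sample content")
        return exposure_report(root)


if __name__ == "__main__":
    for ext, n in sorted(demo_exposure().items()):
        print(f"{ext}: {n}")
```

The walk deliberately keys on the final suffix only, which is how the quoted list reads (there is no entry such as `tar.gz`); if you adapt this for a real share inventory, run it read-only and against a mounted snapshot rather than live production paths.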
Low-level encryption component: The MFT is encrypted.
Decryption:
Petna is deemed uncrackable by hasherezade: https://twitter.com/hasherezade/status/880027379544051713
Reboot via 2 methods:
* scheduled task shutdown.exe /r /f
* NtRaiseHardError
KillSwitch: No, this does not exist. People claiming there is one are just jumping on the PR wagon. They are actually referring to a possible vaccine (not confirmed yet whether that works).
Vaccination script: https://pastebin.com/BxZ8CEzc
Victims:
Ukraine government: https://twitter.com/RozenkoPavlo/status/879677026256510976
Russian oil giant Rosneft: https://twitter.com/RosneftRu/status/879665160012673024
Rotterdam port: https://twitter.com/OpiniePaultje/status/879680984219779072
Targets in Spain: http://www.elconfidencial.com/tecnologia/2017-06-27/ataque-ransomware-dla-piper-wannacry_1405839/
Maersk: https://twitter.com/campuscodi/status/879712143133872132
Supermarket in Kharkov, Ukraine: https://twitter.com/golub/status/879707965179088896
Ukraine ATM: https://twitter.com/mikko/status/879735944907296768
WPP: https://twitter.com/WPP/status/879706256612761600
Merck pharma giant, USA: https://twitter.com/JackPosobiec/status/879734999196602369
Kiev metro station: https://ain.ua/2017/06/27/kievenergo-i-ukrainskie-banki-podverglis-xakerskoj-atake
Saint-Gobain: https://twitter.com/AnimalDubz/status/879684389860454402
Mars, Nivea, and Auchan offices in Ukraine: https://www.buro247.ru/technology/news/27-jun-2017-petya-wannacry.html
Chernobyl's radiation monitoring: http://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html
Ukraine is pretty humorous about its situation: https://twitter.com/Ukraine/status/879706437169147906
Home users have not been the target yet.