struppigel/Petna.txt

## Petna.txt
Petna / Eternalblue Petya
-------------------------

Hashes:
Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/
Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
Hashes below via Kaspersky article: https://securelist.com/schroedingers-petya/78870/
DLL: 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0
0df7179693755b810403a972f4466afb
42b2ff216d14c2c8387c8eabfb1ab7d0

Names in the media: Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya, Expetr, Pnyetya

Tips for users:
* don't pay, files won't be decrypted
* if you realize that a machine got infected, shut it down immediately, don't reboot, ask an expert for help
* infection prevention via: Windows-Patches, no admin rights for standard user, up-to-date AV
* vaccination script is linked below, but use with caution; vaccines are often detected by security software.

Contact email (has been locked down): wowsmith123456@posteo.net
BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
Payment will not get any files back, because the contact email is blocked!

Initial infection vector: The ransomware spread via MEDoc updates: https://twitter.com/CyberpoliceUA/status/879772963658235904
It was suspected that the update servers of a financial software called MEDoc were hacked.
This tweet states a malicious email led to update server propagation via MEDoc: https://twitter.com/VK_Intel/status/879780368089534464
A second initial infection vector may have been a whaterhole attack on http://bahmut.com.ua/news/ (see: https://twitter.com/craiu/status/880011103161524224)

Spreading through LAN (not Internet!): https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
* EternalBlue and EternalRomance
* code similar to Mimikatz dumps credentials
* scans the local network for admin$ shares, copies itself across the network, executes with psexec
* wmic used to find remote shares to spread to

Petya or not Petya: The boot loader code is the same as in version 3 of green Petya, the high-level code (dropper and user mode portion prev. Misha) is different: https://twitter.com/hasherezade/status/879777725493506050

User mode encryption component (prev. Mischa): Yes, this component exists.

Target extensions: .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.
The ransomware does not rename any files.

Low-level encryption component: The MFT is encrypted.

Decryption:
Petna is deemed uncrackable by hasherezade: https://twitter.com/hasherezade/status/880027379544051713

Reboot via 2 methods:
* scheduled task shutdown.exe /r /f
* NtRaiseHardError

KillSwitch: No, this does not exist. People claiming there is one are just jumping on the PR wagon. They are actually referring to a possible vaccine (not confirmed yet whether that works).
Vaccination script: https://pastebin.com/BxZ8CEzc

Victims:
Ukraine government: https://twitter.com/RozenkoPavlo/status/879677026256510976
Russian oil giant Rosneft: https://twitter.com/RosneftRu/status/879665160012673024
Rotterdam port: https://twitter.com/OpiniePaultje/status/879680984219779072
Targets in spain: http://www.elconfidencial.com/tecnologia/2017-06-27/ataque-ransomware-dla-piper-wannacry_1405839/
Maersk: https://twitter.com/campuscodi/status/879712143133872132
Supermarket in Kharkov, Ukraine: https://twitter.com/golub/status/879707965179088896
Ukraine ATM: https://twitter.com/mikko/status/879735944907296768
WPP: https://twitter.com/WPP/status/879706256612761600
Merck pharma giant, USA: https://twitter.com/JackPosobiec/status/879734999196602369
Kiev metro station: https://ain.ua/2017/06/27/kievenergo-i-ukrainskie-banki-podverglis-xakerskoj-atake
Saint-gobain: https://twitter.com/AnimalDubz/status/879684389860454402
Mars, Nivea, and Auchan offices in Urkaine: https://www.buro247.ru/technology/news/27-jun-2017-petya-wannacry.html
Chernobyl's radiation monitoring: http://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

The Ukraine is pretty humorous about their situation: https://twitter.com/Ukraine/status/879706437169147906

Home users have not been the target yet.
	Petna / Eternalblue Petya
	-------------------------

	Hashes:
	Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
	Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/
	Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
	PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
	64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
	32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
	Hashes below via Kaspersky article: https://securelist.com/schroedingers-petya/78870/
	DLL: 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0
	0df7179693755b810403a972f4466afb
	42b2ff216d14c2c8387c8eabfb1ab7d0

	Names in the media: Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya, Expetr, Pnyetya

	Tips for users:
	* don't pay, files won't be decrypted
	* if you realize that a machine got infected, shut it down immediately, don't reboot, ask an expert for help
	* infection prevention via: Windows-Patches, no admin rights for standard user, up-to-date AV
	* vaccination script is linked below, but use with caution; vaccines are often detected by security software.

	Contact email (has been locked down): wowsmith123456@posteo.net
	BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
	Payment will not get any files back, because the contact email is blocked!

	Initial infection vector: The ransomware spread via MEDoc updates: https://twitter.com/CyberpoliceUA/status/879772963658235904
	It was suspected that the update servers of a financial software called MEDoc were hacked.
	This tweet states a malicious email led to update server propagation via MEDoc: https://twitter.com/VK_Intel/status/879780368089534464
	A second initial infection vector may have been a whaterhole attack on http://bahmut.com.ua/news/ (see: https://twitter.com/craiu/status/880011103161524224)

	Spreading through LAN (not Internet!): https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
	* EternalBlue and EternalRomance
	* code similar to Mimikatz dumps credentials
	* scans the local network for admin$ shares, copies itself across the network, executes with psexec
	* wmic used to find remote shares to spread to

	Petya or not Petya: The boot loader code is the same as in version 3 of green Petya, the high-level code (dropper and user mode portion prev. Misha) is different: https://twitter.com/hasherezade/status/879777725493506050

	User mode encryption component (prev. Mischa): Yes, this component exists.

	Target extensions: .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.
	The ransomware does not rename any files.

	Low-level encryption component: The MFT is encrypted.

	Decryption:
	Petna is deemed uncrackable by hasherezade: https://twitter.com/hasherezade/status/880027379544051713

	Reboot via 2 methods:
	* scheduled task shutdown.exe /r /f
	* NtRaiseHardError

	KillSwitch: No, this does not exist. People claiming there is one are just jumping on the PR wagon. They are actually referring to a possible vaccine (not confirmed yet whether that works).
	Vaccination script: https://pastebin.com/BxZ8CEzc

	Victims:
	Ukraine government: https://twitter.com/RozenkoPavlo/status/879677026256510976
	Russian oil giant Rosneft: https://twitter.com/RosneftRu/status/879665160012673024
	Rotterdam port: https://twitter.com/OpiniePaultje/status/879680984219779072
	Targets in spain: http://www.elconfidencial.com/tecnologia/2017-06-27/ataque-ransomware-dla-piper-wannacry_1405839/
	Maersk: https://twitter.com/campuscodi/status/879712143133872132
	Supermarket in Kharkov, Ukraine: https://twitter.com/golub/status/879707965179088896
	Ukraine ATM: https://twitter.com/mikko/status/879735944907296768
	WPP: https://twitter.com/WPP/status/879706256612761600
	Merck pharma giant, USA: https://twitter.com/JackPosobiec/status/879734999196602369
	Kiev metro station: https://ain.ua/2017/06/27/kievenergo-i-ukrainskie-banki-podverglis-xakerskoj-atake
	Saint-gobain: https://twitter.com/AnimalDubz/status/879684389860454402
	Mars, Nivea, and Auchan offices in Urkaine: https://www.buro247.ru/technology/news/27-jun-2017-petya-wannacry.html
	Chernobyl's radiation monitoring: http://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

	The Ukraine is pretty humorous about their situation: https://twitter.com/Ukraine/status/879706437169147906

	Home users have not been the target yet.