A ransomware dubbed Petya has been rapidly spreading throughout Europe, infecting airlines, financial institutions and utilities. The Petya ransomware, also known as Petrwrap, has been around since 2016. It initially targeted HR departments with phishing emails containing Dropbox links to a tainted resume file. It has recently been upgraded to spread using EternalBlue, the Windows SMB exploit released by The Shadow Brokers and the same attack vector used by the WannaCry ransomware.

Even though this may look like a WannaCry copycat, Armor’s Security Operations team believes it has the potential to be far more devastating. Unlike WannaCry, Petya goes beyond encrypting files and actually modifies the Master Boot Record of the machine, which renders the affected computer unable to boot. Instead, it displays a phony check disk operation while the malware is encrypting the master file table. Without the master file table to reference, the operating system is unable to access the files. Microsoft now has evidence that the initial infections started from the legitimate MEDoc updater process, an example of the dangerous trend toward software supply chain attacks. With this lateral movement capability, a single infected machine is all Petya needs to affect an entire network.

The ransomware spreading functionality is composed of multiple methods responsible for:

  • Stealing credentials or re-using existing active sessions
  • Using file-shares to transfer the malicious file across machines on the same network
  • Using existing legitimate functionality to execute the payload, or abusing SMB vulnerabilities on unpatched machines
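As an added defender-side illustration (not code from the post or from Armor), the following Python correlates the second and third spreading methods above: a file written to a remote administrative share followed shortly by remote execution on the same host, fanning out from one source to several hosts within minutes. The JSON-lines event schema, the share names, the thresholds and every sample record are assumed and constructed here, not taken from the post.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

ADMIN_SHARES = {"ADMIN$", "C$"}  # remote file drops normally land on these
# Constructed sample telemetry (not from the post) in a simplified JSON-lines schema
# assumed from SIEM normalisation: 10.0.0.5 drops a file on three hosts and runs it on
# each; 10.0.0.2 performs a single routine admin action.
SAMPLE_LOG = """\
{"ts":"2017-06-27T10:00:00","type":"share_write","src":"10.0.0.5","dst":"10.0.0.11","share":"ADMIN$"}
{"ts":"2017-06-27T10:00:30","type":"remote_exec","src":"10.0.0.5","dst":"10.0.0.11"}
{"ts":"2017-06-27T10:01:00","type":"share_write","src":"10.0.0.5","dst":"10.0.0.12","share":"ADMIN$"}
{"ts":"2017-06-27T10:01:20","type":"remote_exec","src":"10.0.0.5","dst":"10.0.0.12"}
{"ts":"2017-06-27T10:03:00","type":"share_write","src":"10.0.0.5","dst":"10.0.0.13","share":"ADMIN$"}
{"ts":"2017-06-27T10:03:40","type":"remote_exec","src":"10.0.0.5","dst":"10.0.0.13"}
{"ts":"2017-06-27T10:05:00","type":"share_write","src":"10.0.0.2","dst":"10.0.0.20","share":"C$"}
{"ts":"2017-06-27T10:05:10","type":"remote_exec","src":"10.0.0.2","dst":"10.0.0.20"}
"""

def parse_events(log_text):
    """JSON lines -> event dicts with 'ts' parsed to datetime, sorted by time."""
    events = [json.loads(l) for l in log_text.splitlines() if l.strip()]
    return sorted(({**e, "ts": datetime.fromisoformat(e["ts"])} for e in events), key=lambda e: e["ts"])

def correlate_drop_then_exec(events, max_gap=timedelta(minutes=5)):
    """(src, dst, drop_ts) for each admin-share write followed, within max_gap, by a remote execution from src on dst."""
    pending, hits = defaultdict(list), []  # (src, dst) -> timestamps of admin-share drops
    for e in events:
        key = (e["src"], e["dst"])
        if e["type"] == "share_write" and e.get("share", "").upper() in ADMIN_SHARES:
            pending[key].append(e["ts"])
        elif e["type"] == "remote_exec":
            drop = next((t for t in pending[key] if timedelta(0) <= e["ts"] - t <= max_gap), None)
            if drop is not None:
                hits.append((e["src"], e["dst"], drop))
    return hits

def detect_fanout(log_text, window=timedelta(minutes=15), min_targets=3):
    """Flag sources whose drop-then-execute pairs hit >= min_targets distinct hosts inside one window."""
    by_src = defaultdict(list)
    for src, dst, drop_ts in correlate_drop_then_exec(parse_events(log_text)):
        by_src[src].append((drop_ts, dst))
    flagged = {}
    for src, items in by_src.items():
        for t0, _ in sorted(items):  # slide a window starting at each drop
            targets = {dst for t, dst in items if t0 <= t <= t0 + window}
            if len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged
```

A single administrator copying a tool to one host and running it stays below the threshold; the same pattern repeated against several hosts in minutes is what distinguishes a self-propagating sample from routine administration.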

Since Petya utilizes the same exploit as WannaCry, our proactive security measures remain the same. Learn more in our ransomware response kit.


Related IPs:

  • 165.29[.]78
  • 200.16[.]242
  • 90.139[.]247
  • 141.115[.]108

Related Domains: COFFEINOFFICE[.]XYZ

Cryptocurrency Address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX




Jun 27, 2017

Vigilance Required: European Ransomware Petya Moves into Russia and U.S.

Chris Hinkley | Head of Threat Resistance

Following in the footsteps of WannaCry, a new ransomware named Petya appears to be instigating similar global havoc with EternalBlue. Follow Armor for the latest intelligence on this emerging threat.

Chris Hinkley, OSCP, CISSP

Head of Threat Resistance

As Head of Threat Resistance at Armor, Chris Hinkley draws on a decade of security expertise to design, test and deploy next-generation security processes and techniques for the cloud. His work at Armor was instrumental in Armor becoming one of the first cloud companies globally to achieve PCI DSS compliance. Prior to Armor, Hinkley worked as a Web Developer for TargetScope, an interactive marketing and Web development company. In that role he created everything from website animations to complex and dynamic product configurations using the latest technology and development frameworks. With Armor, Hinkley has held a number of security and technology-related roles, including security engineer, lead engineer, support manager and lead ethical hacker. In those roles he has serviced thousands of FireHost customer servers, including Windows and Linux, and overseen the security of all hosting environments to meet PCI, HIPAA and other compliance guidelines. Hinkley is a sought-after speaker and author on cloud, security and open source topics, publishing regular columns in SecurityWeek and other industry magazines. Hinkley is a Certified Information Systems Security Professional (CISSP).
