struppigel · July 3, 2017 09:17
diff --git a/Petna.txt b/Petna.txt
 Petna / Eternalblue Petya
 -------------------------

 Hashes: 
 Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
 Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/
 Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
 PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
 64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f 
 32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
 Hashes below via Kaspersky article: https://securelist.com/schroedingers-petya/78870/
 DLL: 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0
 0df7179693755b810403a972f4466afb
 42b2ff216d14c2c8387c8eabfb1ab7d0
 
 Names in the media: Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya, Expetr, Pnyetya

 Tips for users:
 * don't pay, files won't be decrypted
 * if you realize that a machine got infected, shut it down immediately, don't reboot, ask an expert for help
 * infection prevention via: Windows-Patches, no admin rights for standard user, up-to-date AV
 * vaccination script is linked below, but use with caution; vaccines are often detected by security software.

 Contact email (has been locked down): [email protected]
 BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
 Payment will not get any files back, because the contact email is blocked!
 
 Initial infection vector: The ransomware spread via MEDoc updates: https://twitter.com/CyberpoliceUA/status/879772963658235904
 It was suspected that the update servers of a financial software called MEDoc were hacked. 
 This tweet states a malicious email led to update server propagation via MEDoc: https://twitter.com/VK_Intel/status/879780368089534464
 A second initial infection vector may have been a whaterhole attack on http://bahmut.com.ua/news/ (see: https://twitter.com/craiu/status/880011103161524224)
 
 Spreading through LAN (not Internet!): https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
 * EternalBlue and EternalRomance
 * code similar to Mimikatz dumps credentials
 * scans the local network for admin$ shares, copies itself across the network, executes with psexec
 * wmic used to find remote shares to spread to
 
 Petya or not Petya: The boot loader code is the same as in version 3 of green Petya, the high-level code (dropper and user mode portion prev. Misha) is different: https://twitter.com/hasherezade/status/879777725493506050
 
 User mode encryption component (prev. Mischa): Yes, this component exists.

 Target extensions: .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.
 The ransomware does not rename any files.

 Low-level encryption component: The MFT is encrypted.

 Decryption:
 Petna is deemed uncrackable by hasherezade: https://twitter.com/hasherezade/status/880027379544051713

 Reboot via 2 methods:
 * scheduled task shutdown.exe /r /f 
 * NtRaiseHardError
 
 KillSwitch: No, this does not exist. People claiming there is one are just jumping on the PR wagon. They are actually referring to a possible vaccine (not confirmed yet whether that works).
 Vaccination script: https://pastebin.com/BxZ8CEzc
 
 Victims:
 Ukraine government: https://twitter.com/RozenkoPavlo/status/879677026256510976
 Russian oil giant Rosneft: https://twitter.com/RosneftRu/status/879665160012673024
 Rotterdam port: https://twitter.com/OpiniePaultje/status/879680984219779072
 Targets in spain: http://www.elconfidencial.com/tecnologia/2017-06-27/ataque-ransomware-dla-piper-wannacry_1405839/
 Maersk: https://twitter.com/campuscodi/status/879712143133872132
 Supermarket in Kharkov, Ukraine: https://twitter.com/golub/status/879707965179088896
 Ukraine ATM: https://twitter.com/mikko/status/879735944907296768
 WPP: https://twitter.com/WPP/status/879706256612761600
 Merck pharma giant, USA: https://twitter.com/JackPosobiec/status/879734999196602369
 Kiev metro station: https://ain.ua/2017/06/27/kievenergo-i-ukrainskie-banki-podverglis-xakerskoj-atake
 Saint-gobain: https://twitter.com/AnimalDubz/status/879684389860454402
 Mars, Nivea, and Auchan offices in Urkaine: https://www.buro247.ru/technology/news/27-jun-2017-petya-wannacry.html
 Chernobyl's radiation monitoring: http://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

 The Ukraine is pretty humorous about their situation: https://twitter.com/Ukraine/status/879706437169147906

 Home users have not been the target yet.
	Petna / Eternalblue Petya
	-------------------------

	Hashes:
	Main DLL: 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745
	Hashes below via McAfee article: https://securingtomorrow.mcafee.com/mcafee-labs/new-variant-petya-ransomware-spreading-like-wildfire/
	Main DLL: 64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1
	PSEXEC.EXE: f8dbabdfa03068130c277ce49c60e35c029ff29d9e3c74c362521f3fb02670d5
	64-bit EXE: 02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f
	32-bit EXE: eae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998
	Hashes below via Kaspersky article: https://securelist.com/schroedingers-petya/78870/
	DLL: 45ef8d53a5a2011e615f60b058768c44c74e5190fefd790ca95cf035d9e1d5e0
	0df7179693755b810403a972f4466afb
	42b2ff216d14c2c8387c8eabfb1ab7d0

	Names in the media: Petna, NotPetya, EternalPetya, PetyaBlue, PetyaWrap, Petrwrap, SortaPetya, Nyetya, Expetr, Pnyetya

	Tips for users:
	* don't pay, files won't be decrypted
	* if you realize that a machine got infected, shut it down immediately, don't reboot, ask an expert for help
	* infection prevention via: Windows-Patches, no admin rights for standard user, up-to-date AV
	* vaccination script is linked below, but use with caution; vaccines are often detected by security software.

	Contact email (has been locked down): [email protected]
	BTC address: 1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX
	Payment will not get any files back, because the contact email is blocked!

	Initial infection vector: The ransomware spread via MEDoc updates: https://twitter.com/CyberpoliceUA/status/879772963658235904
	It was suspected that the update servers of a financial software called MEDoc were hacked.
	This tweet states a malicious email led to update server propagation via MEDoc: https://twitter.com/VK_Intel/status/879780368089534464
	A second initial infection vector may have been a whaterhole attack on http://bahmut.com.ua/news/ (see: https://twitter.com/craiu/status/880011103161524224)

	Spreading through LAN (not Internet!): https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/
	* EternalBlue and EternalRomance
	* code similar to Mimikatz dumps credentials
	* scans the local network for admin$ shares, copies itself across the network, executes with psexec
	* wmic used to find remote shares to spread to

	Petya or not Petya: The boot loader code is the same as in version 3 of green Petya, the high-level code (dropper and user mode portion prev. Misha) is different: https://twitter.com/hasherezade/status/879777725493506050

	User mode encryption component (prev. Mischa): Yes, this component exists.

	Target extensions: .3ds.7z.accdb.ai.asp.aspx.avhd.back.bak.c.cfg.conf.cpp.cs.ctl.dbf.disk.djvu.doc.docx.dwg.eml.fdb.gz.h.hdd.kdbx.mail.mdb.msg.nrg.ora.ost.ova.ovf.pdf.php.pmf.ppt.pptx.pst.pvi.py.pyc.rar.rtf.sln.sql.tar.vbox.vbs.vcb.vdi.vfd.vmc.vmdk.vmsd.vmx.vsdx.vsv.work.xls.xlsx.xvd.zip.
	The ransomware does not rename any files.

	Low-level encryption component: The MFT is encrypted.

	Decryption:
	Petna is deemed uncrackable by hasherezade: https://twitter.com/hasherezade/status/880027379544051713

	Reboot via 2 methods:
	* scheduled task shutdown.exe /r /f
	* NtRaiseHardError

	KillSwitch: No, this does not exist. People claiming there is one are just jumping on the PR wagon. They are actually referring to a possible vaccine (not confirmed yet whether that works).
	Vaccination script: https://pastebin.com/BxZ8CEzc

	Victims:
	Ukraine government: https://twitter.com/RozenkoPavlo/status/879677026256510976
	Russian oil giant Rosneft: https://twitter.com/RosneftRu/status/879665160012673024
	Rotterdam port: https://twitter.com/OpiniePaultje/status/879680984219779072
	Targets in spain: http://www.elconfidencial.com/tecnologia/2017-06-27/ataque-ransomware-dla-piper-wannacry_1405839/
	Maersk: https://twitter.com/campuscodi/status/879712143133872132
	Supermarket in Kharkov, Ukraine: https://twitter.com/golub/status/879707965179088896
	Ukraine ATM: https://twitter.com/mikko/status/879735944907296768
	WPP: https://twitter.com/WPP/status/879706256612761600
	Merck pharma giant, USA: https://twitter.com/JackPosobiec/status/879734999196602369
	Kiev metro station: https://ain.ua/2017/06/27/kievenergo-i-ukrainskie-banki-podverglis-xakerskoj-atake
	Saint-gobain: https://twitter.com/AnimalDubz/status/879684389860454402
	Mars, Nivea, and Auchan offices in Urkaine: https://www.buro247.ru/technology/news/27-jun-2017-petya-wannacry.html
	Chernobyl's radiation monitoring: http://www.independent.co.uk/news/world/europe/chernobyl-ukraine-petya-cyber-attack-hack-nuclear-power-plant-danger-latest-a7810941.html

	The Ukraine is pretty humorous about their situation: https://twitter.com/Ukraine/status/879706437169147906

	Home users have not been the target yet.