{
	"id": "22380144-e6ec-4ffe-a1b5-270d042fa16b",
	"created_at": "2026-04-06T00:15:26.614625Z",
	"updated_at": "2026-04-10T03:37:09.424997Z",
	"deleted_at": null,
	"sha1_hash": "0b610391fbbe2a57074d7e8a74cd8d28f2e0c12d",
	"title": "Who is behind Petna?",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 48073,
	"plain_text": "Who is behind Petna?\r\nBy Ralf Benzmüller\r\nPublished: 2017-07-03 · Archived: 2026-04-05 17:11:44 UTC\r\nThe news talks about a cyber attack when reporting about Petna and WannaCry. This implies purposeful activities aiming at causing damage. On the other hand, cyber-criminals who are in the blackmailing business with ransomware are mainly interested in making easy money. They failed both with WannaCry and even more with Petna. This leaves some open questions.\r\nFrom Petya via GoldenEye to Petna\r\nWhen Petya spread for the first time in March 2016, the ransomware stood out in terms of efficiency, its new technical approach and its well-designed phishing campaign. Emails with typical job applications written in flawless German point to a file in Dropbox. If you download and open it, the first sectors of the hard drive will be overwritten. After a reboot the Master File Table (MFT) is encrypted: the files are still on the hard drive, but the system cannot access them. The technical sophistication lies in the few hundred bytes of code written to the first sectors of the hard drive, which manage the whole logic of decryption and system recovery. It even contained the infamous \"skull\" screen.\r\nPetya had a few drawbacks. First and foremost, it needs admin privileges. That's why Petya after a short while got a companion: Mischa. Mischa only needed user rights and was a classic file-encrypting ransomware. The combination of both circulated in May 2016 and was merged with slight changes under the new name GoldenEye in December 2016. Again, it used a phishing scam based on job applications in perfect language, some of which were actually referring to real, existing job offers. The payment of the ransom was automated with a TOR hidden service. Both Petya and GoldenEye were very effective ransomware campaigns, and as such were quite profitable. 
Then it became silent around the actors behind GoldenEye, who were acting under the name Janus.\r\nAnd now, half a year later, a ransomware has been spreading that also triggers a reboot and encrypts the Master File Table. The evident similarity to Petya caused many researchers to name the new threat \"Petya\", too. But first doubts emerged soon, which are reflected in names like NotPetya, Nyetya, or Petna.\r\nHow much Petya is in Petna?\r\nIt soon turned out that Petna's code for encrypting the MFT is almost a complete copy of the original Petya code from the GoldenEye version. It utilizes Salsa20 for encryption, and the implementation is done in a way that decryption is not possible.\r\nhttps://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna\r\nPage 1 of 4\r\nThere were only small changes: the original key of Petya was replaced by another one, which is constructed from random numbers. Not even the authors of Petna know this key, i.e. decryption of the data is not possible by any stretch of the imagination.\r\nAnd that's already the end of the similarities. The two other components of GoldenEye - the dropper for the encryption component, and the user-mode ransomware Mischa - are completely rewritten. This might have been usual maintenance of the software. GoldenEye also had major modifications in relation to the original Petya, especially in these two components. But it may also be the case that someone reused the code of GoldenEye's Petya. All it needs is an infected machine and a hex editor. The malicious code is available in the first sectors of the hard drive. The changes mentioned above do not need a recompilation and hence not the original source code.\r\nMore interesting than the similarities are the differences. It starts with the infection method. Petya and GoldenEye were using phishing mails addressed to German human resource managers. 
And now Petna is infecting systems with drive-by infections on websites in a watering hole attack? Or, even more unusual, it abuses the update mechanism of a financial software called MEDoc, which is popular in Ukrainian enterprises. It is not very likely that Janus is suddenly changing an established strategy. After months of silence they announced that they would participate in the search for the decryption key. Obviously there is another group behind this. There are some clues that the Telebots group has relations to Petna.\r\nFew similarities to WannaCry\r\nThe last big wave of ransomware, WannaCry, is slowly fading out, and there are some parallels with Petna. Petna uses the same vulnerability from the NSA leaks: EternalBlue. But Petna does not propagate over the internet; it only spreads in local networks. Petna also has some additional characteristics. EternalBlue is combined with another vulnerability from the NSA leaks: EternalRomance. In addition, Petna identifies domain controllers and runs special searches in order to locate other machines on the network. It also spreads by using the WMI administration console, and by probing admin$ shares with passwords and starting the infection with the tool psexec. WannaCry lacks all of these additional propagation vectors.\r\nIt is also exceptional that Petna deletes USN journals and certain event logs of infected computers. This is where Windows logs the system's activities. By deleting these entries Petna impedes the analysis of affected systems and - even more important - evades detection by log file analysis as it is used in Security Information and Event Management (SIEM) systems, which are often used in huge enterprises. Thus the malware specialists in the Security Operation Centers (SOC) might notice the malicious activities too late.\r\nWhat is the intention of Petna's creators?\r\nBy addressing human resource managers, Petya was sort of targeting enterprises. 
Petna is obviously aiming at major companies in a certain region. A tax and accounting software that is frequently used in Ukraine is part of the initial infection vector, it only spreads in local networks, and it hides from detection methods which are only used in large enterprises. Looking at the list of victims, this worked out well: oil production, banks, cash desks, production lines, logistics, etc. were shut down. PCs of private users are not affected.\r\nThere are several ransomware families which specialise in enterprises or at least identify that they are running in a company network. This usually implies a higher ransom. 4-figure sums are quite common, but it could also be a 5-figure or 6-figure sum. Petna is asking a ransom of 300 USD in Bitcoin. This is the lower end for private users. This small price strongly indicates that this ransomware was not about making money. This conclusion is supported by the sloppy implementation of the payment process. It is based on a single email address from a German provider. The email address was blocked promptly, so victims who paid could no longer send the notification. As Petna is not able to decrypt the files anyway, there is no point in paying. The associated Bitcoin account is currently holding about 4 BTC, which is a little bit more than 10,000 USD. Given the current exchange rate this means that there were 29 victims who paid the ransom (with 46 transactions). From a financial point of view Petna is a flop.\r\nCyber attacks\r\nMaybe money was not the primary motivation for Petna. Come to think of it, why is someone putting so much effort into intruding the networks of large Ukrainian and worldwide enterprises, and then lets it all down with a poorly implemented payment system? 
On second thought, it appears that it might be an act of targeted sabotage. But then, the fact that Petna spread so widely is not typical for a targeted attack. It could have been contained better to remain under the radar. It might have been a test run 'gone wild'. This is further backed by the fact that no updated versions were used after the first wave.\r\nAn international law enforcement team is trying to find out where the attacks originated. It is too early to say whether nation states are involved. But NATO is making clear that it considers \"cyber\" a military domain, and that attacks in this domain may trigger Article 5, assuming that reliable attribution is possible. It is currently not known who is behind the current attacks.\r\nLessons learned\r\nSome companies were hit very hard. The fact that logistics giant Maersk was affected, too, shows how much an entire business area is reliant on a working computer infrastructure. Petna and WannaCry also showed that in many enterprises, or at least in areas of enterprises, the protection measures are suitable to prevent and block the attack or at least deal with it swiftly. Petna also demonstrated that there are other areas where protection is not yet sufficient. It is necessary for companies to improve the protection of these areas; there is homework to be done. The protection methods are as individual as companies are. When in doubt, companies should ask advice from security experts (e.g. G DATA Advanced Analytics). If Petna was indeed a test run, then its evaluation is now in progress and the lessons learned will be considered in the next round. 
There is not much time left to safeguard your IT.\r\nSource: https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna"
	],
	"report_names": [
		"29859-who-is-behind-petna"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "39842197-944a-49fd-9bec-eafa1807e0ea",
			"created_at": "2022-10-25T16:07:24.310589Z",
			"updated_at": "2026-04-10T02:00:04.931264Z",
			"deleted_at": null,
			"main_name": "TeleBots",
			"aliases": [],
			"source_name": "ETDA:TeleBots",
			"tools": [
				"BadRabbit",
				"Black Energy",
				"BlackEnergy",
				"CredRaptor",
				"Diskcoder.C",
				"EternalPetya",
				"ExPetr",
				"Exaramel",
				"FakeTC",
				"Felixroot",
				"GreyEnergy",
				"GreyEnergy mini",
				"KillDisk",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"NonPetya",
				"NotPetya",
				"Nyetya",
				"Petna",
				"Petrwrap",
				"Pnyetya",
				"TeleBot",
				"TeleDoor",
				"Win32/KillDisk.NBB",
				"Win32/KillDisk.NBC",
				"Win32/KillDisk.NBD",
				"Win32/KillDisk.NBH",
				"Win32/KillDisk.NBI",
				"nPetya"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-10T02:00:02.959797Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"IRIDIUM",
				"Blue Echidna",
				"VOODOO BEAR",
				"FROZENBARENTS",
				"UAC-0113",
				"Seashell Blizzard",
				"UAC-0082",
				"APT44",
				"Quedagh",
				"TEMP.Noble",
				"IRON VIKING",
				"G0034",
				"ELECTRUM",
				"TeleBots"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a66438a8-ebf6-4397-9ad5-ed07f93330aa",
			"created_at": "2022-10-25T16:47:55.919702Z",
			"updated_at": "2026-04-10T02:00:03.618194Z",
			"deleted_at": null,
			"main_name": "IRON VIKING",
			"aliases": [
				"APT44 ",
				"ATK14 ",
				"BlackEnergy Group",
				"Blue Echidna ",
				"CTG-7263 ",
				"ELECTRUM ",
				"FROZENBARENTS ",
				"Hades/OlympicDestroyer ",
				"IRIDIUM ",
				"Qudedagh ",
				"Sandworm Team ",
				"Seashell Blizzard ",
				"TEMP.Noble ",
				"Telebots ",
				"Voodoo Bear "
			],
			"source_name": "Secureworks:IRON VIKING",
			"tools": [
				"BadRabbit",
				"BlackEnergy",
				"GCat",
				"NotPetya",
				"PSCrypt",
				"TeleBot",
				"TeleDoor",
				"xData"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b3e954e8-8bbb-46f3-84de-d6f12dc7e1a6",
			"created_at": "2022-10-25T15:50:23.339976Z",
			"updated_at": "2026-04-10T02:00:05.27483Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"Sandworm Team",
				"ELECTRUM",
				"Telebots",
				"IRON VIKING",
				"BlackEnergy (Group)",
				"Quedagh",
				"Voodoo Bear",
				"IRIDIUM",
				"Seashell Blizzard",
				"FROZENBARENTS",
				"APT44"
			],
			"source_name": "MITRE:Sandworm Team",
			"tools": [
				"Bad Rabbit",
				"Mimikatz",
				"Exaramel for Linux",
				"Exaramel for Windows",
				"GreyEnergy",
				"PsExec",
				"Prestige",
				"P.A.S. Webshell",
				"AcidPour",
				"VPNFilter",
				"Neo-reGeorg",
				"Cyclops Blink",
				"SDelete",
				"Kapeka",
				"AcidRain",
				"Industroyer",
				"Industroyer2",
				"BlackEnergy",
				"Cobalt Strike",
				"NotPetya",
				"KillDisk",
				"PoshC2",
				"Impacket",
				"Invoke-PSImage",
				"Olympic Destroyer"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434526,
	"ts_updated_at": 1775792229,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0b610391fbbe2a57074d7e8a74cd8d28f2e0c12d.pdf",
		"text": "https://archive.orkl.eu/0b610391fbbe2a57074d7e8a74cd8d28f2e0c12d.txt",
		"img": "https://archive.orkl.eu/0b610391fbbe2a57074d7e8a74cd8d28f2e0c12d.jpg"
	}
}