{
	"id": "4d97ef87-d1c8-44c6-88a6-c6ede3c5d4e4",
	"created_at": "2026-04-06T00:19:38.686055Z",
	"updated_at": "2026-04-10T03:21:55.824656Z",
	"deleted_at": null,
	"sha1_hash": "26b438f7a82c6a6d3cf49699dcaef575383e4c04",
	"title": "Pnyetya: Yet Another Ransomware Outbreak",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 906554,
	"plain_text": "Pnyetya: Yet Another Ransomware Outbreak\r\nBy thaddeus t. grugq\r\nPublished: 2017-07-04 · Archived: 2026-04-05 17:13:40 UTC\r\nHiding the small movement inside the big movement\r\nToday saw a massive outbreak of not-really ransomware that has caused significant damage to both Ukrainian targets and strategic global logistics companies. The worm uses three different infection vectors:\r\nETERNALBLUE\r\nHarvested password hashes\r\npsexec\r\nThe code is well written, obfuscated to protect against AV detection using at least two techniques:\r\nFake Microsoft signature (apparently fools some AV)\r\nXOR encrypted shellcode payload (to bypass signature checks)\r\nAlthough the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.)\r\nhttps://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4\r\nPage 1 of 5\r\nPredictably, within hours the email address had been disabled by the service provider. If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of “send a personal cheque to: Petya Payments, PO Box …”)\r\nThe superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of “ransomware.”\r\nUpdate: congratulations, it’s a wiper!\r\nResearch by Kaspersky has revealed that the pseudo-ransomware is in fact a wiper, with no potential for successfully recovering from an attack. The key material displayed as “installation ID” – necessary for decryption in real ransomware – is just random data. There is no possible way to recover the encrypted files as the key is not preserved and given to the user to request a decryption key.\r\nThere are at least three issues (post MBR sector corruption, random garbage installation ID, buggy encryption code) that indicate successful decryption of an infected computer was not a developer priority compared with fast and thorough propagation.\r\nOnce is an accident. Twice is a coincidence. Three times is an enemy action. — Goldfinger, by Ian Fleming\r\nThis was a straightforward cyber attack with a target space of basically every company that does business in Ukraine.\r\nWorth mentioning that whoever developed Pnyetya had source code to Petya. UPDATE nope, that is incorrect.\r\nNote: Originally this assessment rested on analysis by\r\nregarding the cavalier attitude Pnyetya has towards preserving the sectors after the MBR. However, more recent analysis suggests that this failure to preserve those sectors would not impact the integrity of the system. The foundations for the wiper assessment have thus been moved from “doesn’t preserve post-MBR sectors” to the far more damning “decryption key is random garbage.”\r\nPatient Zero\r\nInterestingly, it seems that Maersk was also using MeDoc:\r\nIn fact, everyone that does business requiring them to pay taxes in Ukraine has to use MeDoc (one of only two approved accounting software packages.) So an attack launched from MeDoc would hit not only Ukraine’s government but many foreign investors and companies.\r\n[Image: E\u0026Y job posting for Ukraine accountant]\r\nThe MeDoc infection vector has been confirmed by the Ukrainian police.\r\nThe immaculate infection\r\nRosneft, a Russian state controlled company (that does not use MeDoc), was also hit by the worm. They managed to escape practically unscathed, evading all the lateral traversal mechanisms of the worm and simply switching to their backup system. Fortunately, all this without even an interruption to their operations.\r\nAlthough there has been talk that the Russian oil sector was also hit, their infinitely superior cybersecurity skills meant that they suffered no downtime or outages. Curious that they were so poorly protected they got infected — especially since they aren’t connected to MeDoc (the initial infection vector) — however they were so well protected they were able to remediate the infection (which didn’t spread… although it can take out 5000 computers in less than 10 minutes.) It’s a miracle!\r\nUpdate:\r\nFalse alarm. Seems unrelated.\r\nIn other news\r\nCombined arms cyber operations?\r\nDoes a bear shit in Ukraine?\r\nIt doesn’t take a weatherman to know which way the wind blows.\r\nSupport more analysis like this.\r\nThanks to @marasawr for discussion and analysis.\r\nSource: https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4"
	],
	"report_names": [
		"pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4"
	],
	"threat_actors": [],
	"ts_created_at": 1775434778,
	"ts_updated_at": 1775791315,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/26b438f7a82c6a6d3cf49699dcaef575383e4c04.pdf",
		"text": "https://archive.orkl.eu/26b438f7a82c6a6d3cf49699dcaef575383e4c04.txt",
		"img": "https://archive.orkl.eu/26b438f7a82c6a6d3cf49699dcaef575383e4c04.jpg"
	}
}