{
	"id": "17fd5818-8309-4854-81e3-d3f64324a422",
	"created_at": "2026-04-06T00:12:15.77773Z",
	"updated_at": "2026-04-10T03:20:48.218702Z",
	"deleted_at": null,
	"sha1_hash": "51dfbe1ea5817c10c273453a432e75d3fbf82b73",
	"title": "Third time (un)lucky – improved Petya is out",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 404691,
	"plain_text": "Third time (un)lucky – improved Petya is out\r\nBy Malwarebytes Labs\r\nPublished: 2016-07-17 · Archived: 2026-04-05 22:44:24 UTC\r\nSo far we have dedicated several articles to the interesting, low-level ransomware called Petya, which hijacks the boot sector. You can read about it here:\r\n/blog/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/ – Green Petya (version 2)\r\n/blog/threat-analysis/2016/04/petya-ransomware/ – Red Petya (version 1)\r\nEach of those versions used the Salsa20 algorithm to encrypt the Master File Table and make the disk inaccessible. However, due to implementation bugs the intended algorithm was weakened – giving a chance to recover data.\r\nUnfortunately, as always in such cases, it is just a matter of time before cybercriminals get their cryptography fixed. Petya’s authors got it right on the third attempt. The currently launched wave of this ransomware finally seems to have a proper Salsa20.\r\nsample: c8623aaa00f82b941122edef3b1852e3\r\nBehavioral analysis\r\nThe behavior of Petya didn’t change – we can see exactly the same UI as in the previous green edition:\r\nInside\r\nLet’s take a look at the differences in the code. Using BinDiff we can spot that not many functions have changed. However, those that gave weak points to the previous edition are modified.\r\nhttps://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/\r\nPage 1 of 4\n\nSalsa20\r\nFirst of all, let’s take a look at the function s20_littleendian that was causing the major bug in the last release. Due to its invalid implementation, only 8 out of 16 characters of the key were meaningful and brute-forcing the key was easier (working solution has been implemented by\r\nOn the left – you can see the implementation of the buggy function (from the previous edition). On the right – the current, fixed implementation:\r\nExplanation: The old implementation was truncated – it didn’t use 32-bit values as it should – it only added a sign bit expansion to the 16-bit value:\r\nstatic int16_t s20_littleendian(uint8_t *b) { return b[0] + (b[1] \u003c\u003c 8); }\r\nNow the authors have the proper implementation, using 32 bits. So the last bug in Salsa20 finally got fixed, making the implementation complete.\r\nKey\r\nIn the first (red) version of Petya the authors used a 32-byte-long Salsa key - that was, however, generated from the 16-byte-long key, using a custom function to pre-process and extend it.\r\nIn the second - green - edition, they gave up this idea and applied the original 16-byte-long key, without any modification.\r\nThis time, they changed their mind and went back to the first solution of using a 32-byte-long key, yet with some improvements. Again we can see expand32 in the code (instead of expand16, known from the previous edition):\r\nWhen the victim inserts the key for verification, before it is used as a Salsa20 key it is preprocessed by a new algorithm (more complex than in the case of Red Petya):\r\nConclusion\r\nThe new edition shows that the project is reaching maturity - however, as we can read on the associated onion page - it is still a beta version and we can expect that it will keep evolving. Below - a fragment of Petya's RaaS website:\r\nWe are not yet sure about the distribution method, but the probability is high that this time too it is spam with a link leading to cloud storage. We strongly advise being extra vigilant about the job applications arriving these days - it has proven to be a common cover for the Petya/Mischa dropper. You can find more information about it in our previous articles about Petya.\r\nAppendix\r\n/blog/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going into details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-improved-petya-is-out/"
	],
	"report_names": [
		"third-time-unlucky-improved-petya-is-out"
	],
	"threat_actors": [],
	"ts_created_at": 1775434335,
	"ts_updated_at": 1775791248,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/51dfbe1ea5817c10c273453a432e75d3fbf82b73.pdf",
		"text": "https://archive.orkl.eu/51dfbe1ea5817c10c273453a432e75d3fbf82b73.txt",
		"img": "https://archive.orkl.eu/51dfbe1ea5817c10c273453a432e75d3fbf82b73.jpg"
	}
}