{
	"id": "f2a65cab-3f38-4e2d-9f5f-8e5f8cb7de06",
	"created_at": "2026-04-06T01:29:10.541557Z",
	"updated_at": "2026-04-10T13:12:01.87688Z",
	"deleted_at": null,
	"sha1_hash": "6369cfcdf6cb4949a56d2b4b6701a677f49628ee",
	"title": "Kiev metro hit with a new variant of the infamous Diskcoder ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 49417,
	"plain_text": "Kiev metro hit with a new variant of the infamous Diskcoder\r\nransomware\r\nBy Editor\r\nArchived: 2026-04-06 00:14:39 UTC\r\nCritical Infrastructure\r\nRansomware\r\nUkraine Crisis – Digital Security Resource Center\r\nPublic sources have confirmed that computer systems in the Kiev Metro, Odessa naval port, Odessa airport,\r\nUkrainian ministries of infrastructure and finance, and also a number of organizations in Russia are among the\r\naffected organizations.\r\n24 Oct 2017  •  , 1 min. read\r\nSeveral transportation organizations in Ukraine and as well as some governmental organizations have suffered a\r\ncyberattack, resulting in some computers becoming encrypted, according to media reports.\r\nPublic sources have confirmed that computer systems in the Kiev Metro, Odessa airport and also a number of\r\norganizations in Russia are affected.\r\nESET discovered that in the case of the Kiev Metro, the malware used for the cyberattack was Diskcoder.D, — a\r\nnew variant of ransomware known also as Petya. The previous variant of Diskcoder was used in a damaging\r\ncyberattack on a global scale in June, 2017.\r\nhttps://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/\r\nPage 1 of 3\n\nThe Diskcoder.D ransom note\r\nESET’s telemetry has detected hundreds of occurrences of Diskcoder.D. Most of the detections are in Russia and\r\nUkraine, however, also there are reports of computers in Turkey, Bulgaria and other countries are affected.\r\nESET security researchers are working on a comprehensive analysis of the Diskcoder.D malware. According to\r\ntheir preliminary findings, Diskcoder.D uses the Mimikatz tool to extract credentials from the affected systems.\r\nApart from this, it has also a hardcoded list of credentials.\r\nFor more information about this threat read our detailed analysis.\r\nESET customers are protected against this threat.\r\nIoCs\r\nafeee8b4acff87bc469a6f0364a81ae5d60a2add\r\nde5c8d858e6e41da715dca1c019df0bfb92d32c0 (install_flash_player.exe)\r\nhxxp://1dnscontrol.com/flash_install.php\r\nLet us keep you\r\nup to date\r\nSign up for our newsletters\r\nhttps://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/\r\nPage 2 of 3\n\nSource: https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/\r\nhttps://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/\r\nPage 3 of 3",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/"
	],
	"report_names": [
		"kiev-metro-hit-new-variant-infamous-diskcoder-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775438950,
	"ts_updated_at": 1775826721,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6369cfcdf6cb4949a56d2b4b6701a677f49628ee.pdf",
		"text": "https://archive.orkl.eu/6369cfcdf6cb4949a56d2b4b6701a677f49628ee.txt",
		"img": "https://archive.orkl.eu/6369cfcdf6cb4949a56d2b4b6701a677f49628ee.jpg"
	}
}