{
	"id": "ed2bca4c-efac-4983-8cfe-668435c41f49",
	"created_at": "2026-04-06T00:08:39.053814Z",
	"updated_at": "2026-04-10T03:36:34.027188Z",
	"deleted_at": null,
	"sha1_hash": "6ccf943832cef10266a103d64b667db591a8479e",
	"title": "In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2836754,
	"plain_text": "In ExPetr/Petya’s shadow, FakeCry ransomware wave hits Ukraine\r\nBy Anton Ivanov\r\nPublished: 2017-07-04 · Archived: 2026-04-05 21:10:20 UTC\r\nAPT reports\r\nhttps://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/\r\nPage 1 of 12\r\n\r\nWhile the (cyber-)world was still shaking under the destructive ExPetr/Petya attack that hit on June 27, another ransomware attack targeting Ukraine at the same time went almost unnoticed.\r\nSo far, all theories regarding the spread of ExPetr/Petya point in two directions:\r\nDistribution via trojanized updates to MeDoc users\r\nDistribution via watering-hole attacks on Ukrainian news websites (one case known)\r\nWhile there is little doubt that MeDoc users were infected with ExPetr via malicious updates, it appears that ExPetr was not the only malware they received. Our telemetry confirms that MeDoc users received at least one other malicious program at the same time. This additional malware, which was run as “ed.exe” from the “MeDoc” program folder (e.g. c:\\programdata\\medoc\\medoc\\ed.exe), was started on victim machines by the parent process ezvit.exe, a component of the MeDoc software. This suggests the delivery mechanism abused the same MeDoc update vector as ExPetr.\r\nThe malware, which, unsurprisingly, is also ransomware, is written in .NET and includes a “WNCRY” string, an obvious reference to the massive WannaCry epidemic that hit global businesses back in May 2017.\r\nA “forgotten” PDB path inside also points to the project’s name being “WannaCry”:\r\nAmusingly, in what we believe to be a false flag, it pretends to be “made in China”:\r\nBased on the strings and the pretense that it is WannaCry, we’ve decided to call this “FakeCry”.\r\nFakeCry technical details\r\nSample:\r\nMD5: 0BDE638B274C7F9C6C356D3987ED1A2D\r\nSize: 3,880,448 bytes\r\nCompilation timestamp: Fri Jan 01 01:25:26 2016\r\nFirst seen in the wild: 2017.06.27 12:34:00 (GMT)\r\nFilename on disk: wc.exe\r\nThis program acts as a dropper for a ransomware module.\r\nThe dropper supports the following commands:\r\nextract – drops the ransomware component\r\ned – begin encryption\r\ndd – begin decryption\r\n\u003cKey\u003e: if ed is passed then it is a public key; if dd is passed then it is a private key\r\ndemo – encryption or decryption with hardcoded RSA keys\r\nThe ransomware component has the following identification data:\r\nMD5: 5C7C894A1CCFD8C8E0F174B0149A6601\r\nSize: 442,880 bytes\r\nCompilation timestamp: Fri Jan 01 01:20:53 2016\r\nFirst seen in the wild: 2017.06.27 12:34:00 (GMT)\r\nFilename on disk: ed.exe\r\nThe ransomware component supports the following commands:\r\ngenrsa – generate RSA-2048 key pair\r\nDf – decrypt file\r\nDd – decrypt disk\r\nef – encrypt file\r\nEd – encrypt disk\r\ndelshadowcopies – delete shadow copies on machine\r\nExample command line for the execution of the ransomware component:\r\nexe -ed C:\\ 3ds,uot,stw,sxw,ott,odt,pem,p12,csr,crt,key,pfx,der windows BgIAAACkAABSU0ExAAgA….\r\nWhen run, the ransomware executes the following steps:\r\n1. deletes shadow copies\r\n2. initializes keys\r\n3. creates file list for encryption\r\n4. encrypts files\r\n5. shows window with the ransom demand\r\nKeys initialization process\r\nThe malware creates an RSA key pair for encryption. The private RSA key is encrypted with the attacker’s public RSA key, which is passed via arguments. The generated public RSA key and the encrypted private RSA key are stored in this registry key:\r\nHKCU\\Software\\WC\r\nFile encryption process\r\nList of extensions targeted for encryption:\r\ndoc,docx,xls,xlsx,ppt,pptx,pst,ost,msg,eml\r\nvsd,vsdx,txt,csv,rtf,123,wks,wk1,pdf,dwg\r\nonetoc2,snt,docb,docm,dot,dotm,dotx,xlsm,xlsb,xlw\r\nxlt,xlm,xlc,xltx,xltm,pptm,pot,pps,ppsm,ppsx\r\nppam,potx,potm,edb,hwp,602,sxi,sti,sldx,sldm\r\nsldm,vdi,vmdk,vmx,gpg,aes,ARC,PAQ,bz2,tbk\r\nbak,tar,tgz,gz,7z,rar,zip,backup,iso,vcd\r\nraw,cgm,tiff,nef,psd,ai,svg,djvu,m4u,m3u\r\nmid,wma,flv,3g2,mkv,3gp,mp4,mov,avi,asf\r\nmpeg,vob,mpg,wmv,fla,swf,wav,mp3,sh,class\r\njar,java,rb,asp,php,jsp,brd,sch,dch,dip\r\npl,vb,vbs,ps1,bat,cmd,js,asm,h,pas\r\ncpp,c,cs,suo,sln,ldf,mdf,ibd,myi,myd\r\nfrm,odb,dbf,db,mdb,accdb,sql,sqlitedb,sqlite3,asc\r\nlay6,lay,mml,sxm,otg,odg,uop,std,sxd,otp\r\nodp,wb2,slk,dif,stc,sxc,ots,ods,3dm,max\r\n3ds,uot,stw,sxw,ott,odt,pem,p12,csr,crt,key,pfx,der\r\nIf a file to be encrypted is locked by another process, the ransomware can kill that process, using a Sysinternals tool (Handler Viewer) to accomplish the task.\r\nThe file encryption algorithm in a nutshell:\r\n1. The attacker’s RSA public key is received by the ransomware via the command line\r\n2. A “session” RSA-2048 key pair is generated\r\n3. The “session” RSA private key is encrypted with the attacker’s public RSA key (received in step 1)\r\n4. For each file, an AES-256 key and IV are generated\r\n5. The key and IV are encrypted with the generated “session” RSA key and saved in the encrypted file\r\nInterestingly, the ransomware contains a list of extensions called “DEMO_EXTENSIONS”. The attackers claim that files from this DEMO_EXTENSIONS list (which contains only image file extensions – “jpg, jpeg, png, tif, gif, bmp”) will be decrypted for free, something that appears to be working as advertised.\r\nHere’s a screenshot of the ransomware component running on a victim machine:\r\nTo decrypt the files, the attackers are asking for 0.1 BTC, which is approximately $260 at today’s exchange price. The wallet number is fixed, 13KBb1G7pkqcJcxpRHg387roBj2NX7Ufyf, for all infections. Interestingly, the wallet has received seven payments so far, totalling 0.51 BTC. Most of the 0.1 BTC payments took place on June 26, suggesting that was the day when the attack peaked. Interestingly, the attackers have withdrawn 0.41 BTC from the ransom account.\r\nTransaction for wallet FakeCry\r\nSo far, there is no further activity on the receiving wallet 1FW1xW8kqNg4joJFyTnw6v5bXUNyzKXtTh.\r\nTo check the payment and receive the decryption key, the malware uses an Onion server as C2, which is “4gxdnocmhl2tzx3z[.]onion”.\r\nConclusions\r\nAlthough the software company developing MeDoc has so far denied all evidence that its users were infected through malicious updates, our telemetry suggests that the vast majority of the ExPetr/Petya victims on June 27, 2017 were attacked this way.\r\nUnfortunately ExPetr/Petya was not the only ransomware distributed via MeDoc updates on June 27. In parallel, another ransomware, FakeCry, was also distributed to MeDoc users at exactly the same time as ExPetr/Petya. Our telemetry shows about 90 attacked organizations received the FakeCry ransomware, almost all in Ukraine.\r\nWhat makes FakeCry interesting is the fact that it appears to have been designed with false flags in mind. Its interface and messages closely emulate those of WannaCry, yet this is an entirely different malware. In what we believe to be a false flag, samples also include a “made in china” string.\r\nOf course, one of the biggest questions here is whether FakeCry and ExPetr are related. So far, the most important evidence that would suggest it is the fact that they were both distributed through MeDoc updates, at the same time.\r\nAs usual, here is our shortlist of recommendations on how to survive ransomware attacks:\r\nRun a robust anti-malware suite with embedded anti-ransomware protection such as System Watcher from Kaspersky Internet Security.\r\nMake sure you update Microsoft Windows and all third-party software. It’s crucial to apply the MS17-010 bulletin immediately.\r\nDo not open attachments from untrusted sources.\r\nBack up sensitive data to external storage and keep it offline.\r\nLast but not least, never pay the ransom. Paying the ransom funds the next wave of attacks.\r\nFor sysadmins, our products detect the samples used in the attack by these verdicts:\r\nUDS:DangerousObject.Multi.Generic\r\nPDM:Trojan.Win32.Generic\r\nOur behavior detection engine SystemWatcher detects the threat as:\r\nPDM:Trojan.Win32.Generic\r\nPDM:Exploit.Win32.Generic\r\nSource: https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/in-expetrpetyas-shadow-fakecry-ransomware-wave-hits-ukraine/78973/"
	],
	"report_names": [
		"78973"
	],
	"threat_actors": [
		{
			"id": "77b28afd-8187-4917-a453-1d5a279cb5e4",
			"created_at": "2022-10-25T15:50:23.768278Z",
			"updated_at": "2026-04-10T02:00:05.266635Z",
			"deleted_at": null,
			"main_name": "Inception",
			"aliases": [
				"Inception Framework",
				"Cloud Atlas"
			],
			"source_name": "MITRE:Inception",
			"tools": [
				"PowerShower",
				"VBShower",
				"LaZagne"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "04a7ebaa-ebb1-4971-b513-a0c86886d932",
			"created_at": "2023-01-06T13:46:38.784965Z",
			"updated_at": "2026-04-10T02:00:03.099088Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"ATK116",
				"Blue Odin"
			],
			"source_name": "MISPGALAXY:Inception Framework",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f35997d9-ca1e-453f-b968-0e675cc16d97",
			"created_at": "2023-01-06T13:46:39.490819Z",
			"updated_at": "2026-04-10T02:00:03.345364Z",
			"deleted_at": null,
			"main_name": "Evasive Panda",
			"aliases": [
				"BRONZE HIGHLAND"
			],
			"source_name": "MISPGALAXY:Evasive Panda",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b69037ec-2605-4de4-bb32-a20d780a8406",
			"created_at": "2023-01-06T13:46:38.790766Z",
			"updated_at": "2026-04-10T02:00:03.101635Z",
			"deleted_at": null,
			"main_name": "MUSTANG PANDA",
			"aliases": [
				"Stately Taurus",
				"LuminousMoth",
				"TANTALUM",
				"Twill Typhoon",
				"TEMP.HEX",
				"Earth Preta",
				"Polaris",
				"BRONZE PRESIDENT",
				"HoneyMyte",
				"Red Lich",
				"TA416"
			],
			"source_name": "MISPGALAXY:MUSTANG PANDA",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "05cb998c-6e81-47f0-9806-ee4fda72fe0a",
			"created_at": "2024-11-01T02:00:52.763555Z",
			"updated_at": "2026-04-10T02:00:05.263997Z",
			"deleted_at": null,
			"main_name": "Daggerfly",
			"aliases": [
				"Daggerfly",
				"Evasive Panda",
				"BRONZE HIGHLAND"
			],
			"source_name": "MITRE:Daggerfly",
			"tools": [
				"PlugX",
				"MgBot",
				"BITSAdmin",
				"MacMa",
				"Nightdoor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "812f36f8-e82b-41b6-b9ec-0d23ab0ad6b7",
			"created_at": "2023-01-06T13:46:39.413725Z",
			"updated_at": "2026-04-10T02:00:03.31882Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Evasive Panda",
				"Daggerfly"
			],
			"source_name": "MISPGALAXY:BRONZE HIGHLAND",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6daadf00-952c-408a-89be-aa490d891743",
			"created_at": "2025-08-07T02:03:24.654882Z",
			"updated_at": "2026-04-10T02:00:03.645565Z",
			"deleted_at": null,
			"main_name": "BRONZE PRESIDENT",
			"aliases": [
				"Earth Preta ",
				"HoneyMyte ",
				"Mustang Panda ",
				"Red Delta ",
				"Red Lich ",
				"Stately Taurus ",
				"TA416 ",
				"Temp.Hex ",
				"Twill Typhoon "
			],
			"source_name": "Secureworks:BRONZE PRESIDENT",
			"tools": [
				"BlueShell",
				"China Chopper",
				"Claimloader",
				"Cobalt Strike",
				"HIUPAN",
				"ORat",
				"PTSOCKET",
				"PUBLOAD",
				"PlugX",
				"RCSession",
				"TONESHELL",
				"TinyNote"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "19ac84cc-bb2d-4e0c-ace0-5a7659d89ac7",
			"created_at": "2022-10-25T16:07:23.422755Z",
			"updated_at": "2026-04-10T02:00:04.592069Z",
			"deleted_at": null,
			"main_name": "Bronze Highland",
			"aliases": [
				"Daggerfly",
				"Digging Taurus",
				"Evasive Panda",
				"Storm Cloud",
				"StormBamboo",
				"TAG-102",
				"TAG-112"
			],
			"source_name": "ETDA:Bronze Highland",
			"tools": [
				"Agentemis",
				"CDDS",
				"CloudScout",
				"Cobalt Strike",
				"CobaltStrike",
				"DazzleSpy",
				"KsRemote",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"MacMa",
				"Macma",
				"MgBot",
				"Mgmbot",
				"NetMM",
				"Nightdoor",
				"OSX.CDDS",
				"POCOSTICK",
				"RELOADEXT",
				"Suzafk",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9baa7519-772a-4862-b412-6f0463691b89",
			"created_at": "2022-10-25T15:50:23.354429Z",
			"updated_at": "2026-04-10T02:00:05.310361Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Mustang Panda",
				"TA416",
				"RedDelta",
				"BRONZE PRESIDENT",
				"STATELY TAURUS",
				"FIREANT",
				"CAMARO DRAGON",
				"EARTH PRETA",
				"HIVE0154",
				"TWILL TYPHOON",
				"TANTALUM",
				"LUMINOUS MOTH",
				"UNC6384",
				"TEMP.Hex",
				"Red Lich"
			],
			"source_name": "MITRE:Mustang Panda",
			"tools": [
				"CANONSTAGER",
				"STATICPLUGIN",
				"ShadowPad",
				"TONESHELL",
				"Cobalt Strike",
				"HIUPAN",
				"Impacket",
				"SplatCloak",
				"PAKLOG",
				"Wevtutil",
				"AdFind",
				"CLAIMLOADER",
				"Mimikatz",
				"PUBLOAD",
				"StarProxy",
				"CorKLOG",
				"RCSession",
				"NBTscan",
				"PoisonIvy",
				"SplatDropper",
				"China Chopper",
				"PlugX"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "4f7d2815-7504-4818-bf8d-bba18161b111",
			"created_at": "2025-08-07T02:03:24.613342Z",
			"updated_at": "2026-04-10T02:00:03.732192Z",
			"deleted_at": null,
			"main_name": "BRONZE HIGHLAND",
			"aliases": [
				"Daggerfly",
				"Daggerfly ",
				"Evasive Panda ",
				"Evasive Panda ",
				"Storm Bamboo "
			],
			"source_name": "Secureworks:BRONZE HIGHLAND",
			"tools": [
				"Cobalt Strike",
				"KsRemote",
				"Macma",
				"MgBot",
				"Nightdoor",
				"PlugX"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "02c9f3f6-5d10-456b-9e63-750286048149",
			"created_at": "2022-10-25T16:07:23.722884Z",
			"updated_at": "2026-04-10T02:00:04.72726Z",
			"deleted_at": null,
			"main_name": "Inception Framework",
			"aliases": [
				"ATK 116",
				"Blue Odin",
				"Clean Ursa",
				"Cloud Atlas",
				"G0100",
				"Inception Framework",
				"Operation Cloud Atlas",
				"Operation RedOctober",
				"The Rocra"
			],
			"source_name": "ETDA:Inception Framework",
			"tools": [
				"Lastacloud",
				"PowerShower",
				"VBShower"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "2ee03999-5432-4a65-a850-c543b4fefc3d",
			"created_at": "2022-10-25T16:07:23.882813Z",
			"updated_at": "2026-04-10T02:00:04.776949Z",
			"deleted_at": null,
			"main_name": "Mustang Panda",
			"aliases": [
				"Bronze President",
				"Camaro Dragon",
				"Earth Preta",
				"G0129",
				"Hive0154",
				"HoneyMyte",
				"Mustang Panda",
				"Operation SMUGX",
				"Operation SmugX",
				"PKPLUG",
				"Red Lich",
				"Stately Taurus",
				"TEMP.Hex",
				"Twill Typhoon"
			],
			"source_name": "ETDA:Mustang Panda",
			"tools": [
				"9002 RAT",
				"AdFind",
				"Agent.dhwf",
				"Agentemis",
				"CHINACHOPPER",
				"China Chopper",
				"Chymine",
				"ClaimLoader",
				"Cobalt Strike",
				"CobaltStrike",
				"DCSync",
				"DOPLUGS",
				"Darkmoon",
				"Destroy RAT",
				"DestroyRAT",
				"Farseer",
				"Gen:Trojan.Heur.PT",
				"HOMEUNIX",
				"Hdump",
				"HenBox",
				"HidraQ",
				"Hodur",
				"Homux",
				"HopperTick",
				"Hydraq",
				"Impacket",
				"Kaba",
				"Korplug",
				"LadonGo",
				"MQsTTang",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"NBTscan",
				"NetSess",
				"Netview",
				"Orat",
				"POISONPLUG.SHADOW",
				"PUBLOAD",
				"PVE Find AD Users",
				"PlugX",
				"Poison Ivy",
				"PowerView",
				"QMAGENT",
				"RCSession",
				"RedDelta",
				"Roarur",
				"SPIVY",
				"ShadowPad Winnti",
				"SinoChopper",
				"Sogu",
				"TIGERPLUG",
				"TONEINS",
				"TONESHELL",
				"TVT",
				"TeamViewer",
				"Thoper",
				"TinyNote",
				"WispRider",
				"WmiExec",
				"XShellGhost",
				"Xamtrav",
				"Zupdax",
				"cobeacon",
				"nbtscan",
				"nmap",
				"pivy",
				"poisonivy"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775792194,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/6ccf943832cef10266a103d64b667db591a8479e.pdf",
		"text": "https://archive.orkl.eu/6ccf943832cef10266a103d64b667db591a8479e.txt",
		"img": "https://archive.orkl.eu/6ccf943832cef10266a103d64b667db591a8479e.jpg"
	}
}