{
	"id": "310203ea-e26b-4aa0-a3f7-a83c6aa6637f",
	"created_at": "2026-04-06T00:19:59.6094Z",
	"updated_at": "2026-04-10T03:20:40.73452Z",
	"deleted_at": null,
	"sha1_hash": "8d09785cf770349d6d6eb0eec0ccce44f4c0f9b7",
	"title": "Keeping up with the Petyas: Demystifying the malware family | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 293470,
	"plain_text": "Keeping up with the Petyas: Demystifying the malware family |\r\nMalwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-07-13 · Archived: 2026-04-05 15:34:06 UTC\r\nLast June 27, there was a huge outbreak of a Petya-esque malware with a WannaCry-style infector in Ukraine.\r\nSince there is still confusion about how exactly this malware is linked to the original Petya, we have prepared this\r\nsmall guide on the background of the Petya family.\r\nThe origin of Petya\r\nThe first Petya ransomware was released around March 2016 by a person/group calling themselves Janus\r\nCybercrime Solutions. This group was advertising their affiliate program, giving other criminals a chance to\r\ndistribute their malware. Janus Cybercrime Solutions was also represented on Twitter by appropriate accounts,\r\nfirst by @janussec, and then by @JanusSecretary.\r\nThe names “Janus” and “Petya” were inspired by the James Bond movie, GoldenEye. The threat actor was\r\nconsistent with the chosen theme, too—the profile picture of the linked Twitter account was from one of the\r\ncharacters of the movie, a computer programmer/hacker named Boris Grishenko.\r\nUnique features\r\nFrom the very beginning, Petya has been a unique ransomware because it has features that are not\r\ncommon for this type of malware. While most ransomware can only encrypt files one by one,\r\nPetya denies users access to the full system by attacking low-level structures on the disk.\r\nhttps://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/\r\nPage 1 of 7\n\nPetya is always installed by some dropper, which is a Windows executable (on each version of Petya the dropper\r\nis replaced with a new one).\r\nDuring installation, the Petya installer overwrites the disk with Petya’s kernel and boot loader. Because of this, the\r\naffected machine boots the malicious kernel instead of the legitimate OS. 
On the first run, it displays a fake\r\nCHKDSK screen:\r\nInstead of checking the disk, in reality it encrypts the Master File Table (MFT) with Salsa20. This way, the\r\nransomware makes the disk inaccessible. When encryption is finished, two screens are displayed: a blinking skull\r\nfollowed by the ransom demand. This is how affected system screens look in the first version of Petya:\r\nOfficial releases\r\nSo far, there are 4 releases of Petya ransomware by its original author, Janus:\r\n1.0 (\r\n2.0 (Green Petya + Mischa) – Attacks either the MFT or files (which variant of the attack is used depends on the privileges\r\nwith which the sample was deployed)\r\n2.5 (Green Petya + Mischa) – Same as 2.0 but with improvements\r\n3.0 (Goldeneye) – Attacks both the MFT and files, using a UAC bypass to auto-elevate its privileges\r\nRecently, Janus released the master key that can unlock all official versions described above. You can read more\r\nabout it in this blog post.\r\nThese Petya releases can be identified by their theme colors. We’ve put together a small gallery below:\r\nRed Petya\r\nGreen Petya\r\nGoldenEye\r\nGoldenEye was the latest official release of Petya and was last seen around December 2016.\r\nUnofficial releases (pirated versions)\r\nSince Petya is powerful, other cybercriminals have been attracted to use it. However, not all of them want to join\r\nthe affiliate program and pay its creator. Similar to legitimate software, Petya has pirated versions. 
So far, we\r\nobserved two unofficial releases:\r\nPetrWrap – uses Petya’s low-level component as well as a patched version of Petya’s DLL, wrapped by a new loader.\r\nIt’s based on Green Petya.\r\nEternalPetya – also called NotPetya, ExPetr, etc. Malware based on GoldenEye, used in the attack on\r\nUkraine. The high-level layer (PE file) has been rewritten.\r\nThe pirated versions can be identified by their modified look. In both cases, the original Petya’s skull has been\r\nremoved.\r\nPetrWrap\r\nEternalPetya\r\nWhile PetrWrap was a fully functional ransomware, EternalPetya seems unfinished or broken on purpose, because\r\nthe Salsa key that was used to encrypt the MFT cannot be recovered. Once encrypted, data cannot be decrypted, even\r\nby the malware authors.\r\nLike the original GoldenEye, EternalPetya also encrypts files with the selected extensions before attacking the\r\nMFT. Files are encrypted using different algorithms and keys than the MFT (RSA + AES, while the MFT is\r\nencrypted using Salsa20). On July 4, the distributors of EternalPetya raised the ransom demand and offered to sell\r\nthe private RSA key that can potentially help in unlocking encrypted files but not the MFT. Below is the message\r\nfrom the attackers [source]:\r\nCopycats\r\nIn addition to malware based on the original Petya, copycats have also started to appear. They have\r\nnothing in common with Petya’s code; they only try to imitate its look or some of its features. Some\r\nexamples are\r\nConclusion\r\nRansomware piracy is becoming common and this causes more problems for the victims. Often, the\r\nauthors of such pirated malware don’t care to give the data back. They just use the reputation of known\r\nransomware to scam victims into paying. 
In addition to the described cases, we have also encountered several\r\nversions of pirated DMALocker, where some of the variants corrupt the data, making recovery hard or even\r\nimpossible.\r\nPetya is a powerful malware. And to make things worse, it is also very easy to modify and repurpose. Even if the\r\nofficial line of Petya has been discontinued, we can expect the pirated versions to still be around.\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest\r\nin InfoSec. She loves going into detail about malware and sharing threat information with the community. Check\r\nher out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/"
	],
	"report_names": [
		"keeping-up-with-the-petyas-demystifying-the-malware-family"
	],
	"threat_actors": [],
	"ts_created_at": 1775434799,
	"ts_updated_at": 1775791240,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8d09785cf770349d6d6eb0eec0ccce44f4c0f9b7.pdf",
		"text": "https://archive.orkl.eu/8d09785cf770349d6d6eb0eec0ccce44f4c0f9b7.txt",
		"img": "https://archive.orkl.eu/8d09785cf770349d6d6eb0eec0ccce44f4c0f9b7.jpg"
	}
}