{
	"id": "0a2e8a87-f903-4d25-9c6a-ab90add493ab",
	"created_at": "2026-04-06T00:11:39.229965Z",
	"updated_at": "2026-04-10T13:12:05.91332Z",
	"deleted_at": null,
	"sha1_hash": "90d76df878d9297e5133212d20c72361ea63efeb",
	"title": "CrowdStrike Protects Against NotPetya Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 647347,
	"plain_text": "CrowdStrike Protects Against NotPetya Attack\r\nBy Falcon Intelligence Team\r\nArchived: 2026-04-05 15:07:30 UTC\r\nUpdate:\r\nDue to naming convention consistency in the industry, CrowdStrike is now calling this variant of Petya -\r\nNotPetya.\r\nOn June 27 at approximately 10:30 UTC, a new ransomware family began propagating across multiple countries.\r\nThe family, referred to as NotPetya, is noteworthy because it combines traditional ransomware behavior with\r\nstealthy propagation techniques and a destructive attack element. CrowdStrike Falcon® Endpoint Protection\r\ncustomers are protected against all currently identified variants of the threat. For more details, read: NotPetya\r\nTechnical Analysis —A Triple Threat: File Encryption, MFT Encryption, Credential Theft. In addition to\r\nencrypting files on infected systems, NotPetya moves laterally to encrypt other systems in the organization by\r\nleveraging the same EternalBlue vulnerability that was popularized by WannaCry last month. It then uses another\r\npropagation technique that starts by stealing credentials, then uses those legitimate credentials to infect other\r\nsystems on the network via built-in Microsoft tools (WMI and PSEXEC). Finally, NotPetya employs a destructive\r\ntechnique that prevents infected systems from booting by encrypting the master boot record (MBR). Attacks have\r\nbeen reported in countries including Ukraine, Russia, Poland, France, Germany, Spain, the United Kingdom, the\r\nNetherlands, India, Israel, Australia and the United States. 
Sectors impacted by this attack include government,\r\nenergy, finance, defense, telecom, media, maritime, aviation, and transportation.\r\nNotPetya Summary\r\nInitial infection in Ukraine accomplished by exploiting vulnerability in M.E.Doc software\r\nInfected systems then attempt to propagate the infection to other systems\r\nTo infect other systems inside the organization, the malware steals credentials and propagates with\r\nbuilt-in Windows tools WMI and PSEXEC: PSEXEC code snippet: C:\\Windows\\dllhost.dat \\\\IP\r\nADDRESS -accepteula -s -d C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\perfc.dat\",#1 10\r\n\"USERNAME:PASSWORD\" WMI code snippet: C:\\Windows\\system32\\wbem\\wmic.exe /node:\"IP\r\nADDRESS\" /user:\"USERNAME\" /password:\"PASSWORD\" process call create\r\n\"C:\\Windows\\System32\\rundll32.exe \\\"C:\\Windows\\perfc.dat\\\" #1 XX\r\n\\\"USERNAME:PASSWORD\\\"\r\nTo infect additional systems outside the organization, the malware attempts to exploit the\r\nEternalBlue vulnerability\r\nThe malicious payload then begins encrypting data, which includes the Master File Table and MBR\r\nThe attack creates a scheduled task to reboot the system after a certain amount of time has passed\r\n(up to 60 minutes):\r\nhttps://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/\r\nPage 1 of 5\n\nCode snippet: schtasks /RU \"SYSTEM\" /Create /SC once /TN \"\" /TR\r\n\"C:\\Windows\\system32\\shutdown.exe /r /f\" /ST XX:XX (where XX:XX is the time)\r\nIt also attempts to cover its tracks by running commands to delete event logs and the disk change journal:\r\nCode snippet 1: wevtutil cl Setup \u0026 wevtutil cl System \u0026 wevtutil cl Security \u0026 wevtutil cl\r\nApplication\r\nCode snippet 2: fsutil usn deletejournal /D C:\r\nUpon reboot the end user cannot get back into Windows, and instead they see a ransom note (screenshot\r\nbelow). 
This happens because NotPetya encrypted the MBR, thereby breaking the normal Windows boot\r\nprocess.\r\nInitial Vector\r\nAccording to multiple sources, infections of NotPetya were first identified on systems running a legitimate\r\nupdater for the document management software M.E.Doc. This software is heavily used by Ukrainian companies,\r\nand companies operating in Ukraine, for maintaining information on tax and payroll accounting. From these\r\ninfected systems, the ransomware can propagate to other systems using the techniques described above. Based on\r\nanalysis of the M.E.Doc software, and forensic analysis of initially infected hosts, it is believed that the malware\r\nwas first deployed as a software update. Further third-party reporting suggests that the M.E.Doc update process\r\nstarted distributing a new binary containing a malicious payload at approximately 10:30 UTC. The deployment of\r\nNotPetya has also been reported by M.E.Doc users on the software company’s forum in environments in which\r\nonly this software was present.\r\nPayment Mechanism\r\nThe ransomware operators demanded a ransom of $300 USD for each infected machine, and established Bitcoin\r\npayment workflow through an email address (wowsmith123456@posteo\u003c.\u003enet) provided by the third-party email\r\nservice Posteo. Upon notification of this incident by the security community, the email provider announced that\r\nservice to this address had been suspended as of 16:15 UTC (https://posteo.de/blog/info-zur-ransomware-petrwrappetya-betroffenes-postfach-bereits-seit-mittag-gesperrt). As a result, recovery of files upon payment of\r\nthe ransom is no longer possible for impacted victims, as no mechanism currently exists for the ransomware\r\noperators to provide victims with decryption keys. 
Once the malware is deployed on a victim machine, it creates a\r\nscheduled task to reboot the host an hour after the infection, likely in order to allow it to spread further before\r\nlaunching its destructive payload. To achieve this, the malware drops and runs either an x86 or an x64 version of a\r\ncredential stealer executable from a resource that contains code similar to the well-known Mimikatz tool. The\r\nransomware payload uses a combination of 2048-bit RSA and 128-bit AES in Cipher Block Chaining (CBC)\r\nmode to encrypt files with extensions matching entries from a hard-coded list. Public reporting mentions\r\nsimilarities with the Petya ransomware; however, CrowdStrike was not able to confirm any links, and assesses that\r\nthe code structure of this new family is different from Petya’s.\r\nProtection Against NotPetya\r\nCrowdStrike Falcon Endpoint Protection can prevent both the initial NotPetya infection and subsequent\r\npropagation attempts. In the first example, Falcon is shown blocking the NotPetya malware from executing.\r\nThe second example shows a system on the same network as a system that is already infected. Because that\r\nsecond system is protected by Falcon, the propagation attempt fails and the second system is protected.\r\nFalcon can also detect the threat based on its behavior. In the example below, RUNDLL32.EXE is exhibiting\r\nmalicious behavior. It is attempting to execute a malicious DLL while simultaneously trying to steal credentials\r\nand write them to a temp file, as well as invoking a command to set the task scheduler to reboot the system in the\r\nnear future.\r\nThe critical part of the attack is the RUNDLL32.EXE step (in orange). 
Because Falcon recognizes this collection\r\nof related behaviors as malicious, it prevents the execution of the process (as depicted below).\r\nFalcon Endpoint Protection protects against NotPetya with both machine learning and behavioral protection.\r\nFalcon Prevent and Falcon Endpoint Protection customers can enable this protection by enabling “Moderate\r\nPrevention” settings on the machine learning engine sliders, including File Attribute, File Analysis, and On-Sensor\r\nMachine Learning. Under Process Blocking, please ensure Prevent Suspicious Processes is enabled.\r\nFalcon Endpoint Protection policy recommendation for blocking NotPetya\r\nCrowdStrike Intelligence is actively\r\nmonitoring the development of this ransomware and has published an in-depth technical analysis of NotPetya.\r\nClick for more information on subscribing to Falcon Intelligence or to learn more about how Falcon prevents\r\nransomware attacks.\r\nSource: https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/"
	],
	"report_names": [
		"fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing"
	],
	"threat_actors": [],
	"ts_created_at": 1775434299,
	"ts_updated_at": 1775826725,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/90d76df878d9297e5133212d20c72361ea63efeb.pdf",
		"text": "https://archive.orkl.eu/90d76df878d9297e5133212d20c72361ea63efeb.txt",
		"img": "https://archive.orkl.eu/90d76df878d9297e5133212d20c72361ea63efeb.jpg"
	}
}