{
	"id": "45745b4d-3988-4043-b926-1e8a60ccb159",
	"created_at": "2026-04-06T00:14:48.561919Z",
	"updated_at": "2026-04-10T03:26:53.349646Z",
	"deleted_at": null,
	"sha1_hash": "b5286d4ec8998dde05b326def468e60330b4d985",
	"title": "New ransomware, old techniques: Petya adds worm capabilities",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 101965,
	"plain_text": "New ransomware, old techniques: Petya adds worm capabilities\r\nBy Microsoft Defender Security Research Team\r\nPublished: 2017-06-28 · Archived: 2026-04-05 21:36:00 UTC\r\nOn June 27, 2017 reports of a ransomware infection began spreading across Europe. We saw the first infections in\r\nUkraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64\r\ncountries, including Belgium, Brazil, Germany, Russia, and the United States.\r\n(Note: We have published a follow-up blog entry on this ransomware attack. We have new findings from our\r\ncontinued investigation, as well as platform mitigation and protection information: Windows 10 platform\r\nresilience against the Petya ransomware attack.)\r\nThe new ransomware has worm capabilities, which allows it to move laterally across infected networks. Based on\r\nour investigation, this new ransomware shares similar codes and is a new variant of Ransom:Win32/Petya. This\r\nnew strain of ransomware, however, is more sophisticated.\r\nTo protect our customers, we released cloud-delivered protection updates and made updates to our signature\r\ndefinition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware\r\nproducts, including Windows Defender Antivirus and Microsoft Security Essentials. You can download the latest\r\nversion of these files manually at the Malware Protection Center.\r\nWindows Defender Advanced Threat Protection (Windows Defender ATP) automatically detects behaviors used\r\nby this new ransomware variant without any updates. To test how Windows Defender ATP can help your\r\norganization detect, investigate, and respond to advanced attacks, sign up for a free trial.\r\nDelivery and installation\r\nInitial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc,\r\nwhich develops tax accounting software, MEDoc. 
Although this vector was speculated at length by news media\r\nand security researchers—including Ukraine’s own Cyber Police—there was only circumstantial evidence for this\r\nvector. Microsoft now has evidence that a few active infections of the ransomware initially started from the\r\nlegitimate MEDoc updater process. As we highlighted previously, software supply chain attacks are a recent\r\nand dangerous trend among attackers, and they require advanced defenses.\r\nWe observed telemetry showing the MEDoc software updater process (EzVit.exe) executing a malicious\r\ncommand-line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.\r\nThe execution chain leading to the ransomware installation is represented in the diagram below and essentially\r\nconfirms that the EzVit.exe process from MEDoc, for unknown reasons, at some moment executed the following\r\ncommand-line:\r\nC:\\\\Windows\\\\system32\\\\rundll32.exe\\” \\”C:\\\\ProgramData\\\\perfc.dat\\”,#1 30\r\nhttps://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/\r\nPage 1 of 7\n\nThe same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of\r\ncompromise (IOCs), which includes the MEDoc updater.\r\nA single ransomware, multiple lateral movement techniques\r\nGiven this new ransomware’s added lateral movement capabilities, it only takes a single infected machine to affect\r\na network. 
The ransomware spreading functionality is composed of multiple methods responsible for:\r\nstealing credentials or re-using existing active sessions\r\nusing file-shares to transfer the malicious file across machines on the same network\r\nusing existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for\r\nunpatched machines\r\nIn the next sections, we discuss the details of each technique.\r\nLateral movement using credential theft and impersonation\r\nThis ransomware drops a credential dumping tool (typically as a .tmp file in the %Temp% folder) that shares code\r\nsimilarities with Mimikatz and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts\r\nwith local admin privileges and have active sessions open across multiple machines, stolen credentials are likely\r\nto provide the same level of access the user has on other machines.\r\nOnce the ransomware has valid credentials, it scans the local network to establish valid connections on ports\r\ntcp/139 and tcp/445. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts\r\nto call DhcpEnumSubnets() to enumerate DHCP subnets; for each subnet, it gathers all hosts/clients (using\r\nDhcpEnumSubnetClients()) to scan for tcp/139 and tcp/445 services. If it gets a response, the malware\r\nattempts to copy a binary to the remote machine using regular file-transfer functionality with the stolen\r\ncredentials.\r\nIt then tries to execute the malware remotely using either the PSEXEC or WMIC tools.\r\nThe ransomware attempts to drop the legitimate psexec.exe (typically renamed to dllhost.dat) from an embedded\r\nresource within the malware. 
It then scans the local network for admin$ shares, copies itself across the network,\r\nand executes the newly copied malware binary remotely using PSEXEC.\r\nIn addition to credential dumping, the malware also tries to steal credentials by using the CredEnumerateW\r\nfunction to get all the other user credentials potentially stored in the credential store. If a credential name starts\r\nwith “TERMSRV/” and the type is set to 1 (generic), it uses that credential to propagate through the network.\r\nThis ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote\r\nshares (using NetEnum/NetAdd) to spread to. It uses either a duplicate token of the current user (for existing\r\nconnections), or a username/password combination (spreading through legitimate tools).\r\nLateral movement using EternalBlue and EternalRomance\r\nThe new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability CVE-2017-0144 (also known as EternalBlue), which was fixed in security update MS17-010 and was also exploited by\r\nWannaCrypt to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for CVE-2017-0145 (also known as EternalRomance, and fixed by the same bulletin).\r\nWe’ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all XOR-encrypted\r\nwith 0xCC) to trigger these vulnerabilities.\r\nThese two exploits were leaked by a group called Shadow Brokers. However, it is important to note that both of\r\nthese vulnerabilities have been fixed by Microsoft in security update MS17-010 on March 14, 2017.\r\nMachines that are patched against these exploits (with security update MS17-010) or have disabled SMBv1 are\r\nnot affected by this particular spreading mechanism. 
Please refer to our previous blog for details on these exploits\r\nand how modern Windows 10 mitigations can help to contain similar threats.\r\nEncryption\r\nThis ransomware’s encryption behavior depends on the malware process privilege level and the processes found to\r\nbe running on the machine. It computes a simple XOR-based hash of each running process\r\nname and checks the result against the following hash values, which act as behavior exclusions:\r\n0x6403527E or 0x651B3005 – if a process whose name hashes to either of these values is running on the machine, the\r\nransomware does not attempt SMB exploitation.\r\n0x2E214B44 – if a process with this hashed name is found, the ransomware trashes the first 10 sectors of\r\n\\\\\\\\.\\\\PhysicalDrive0, including the MBR.\r\nThis ransomware writes to the master boot record (MBR) and then sets up the system to reboot. It creates a\r\nscheduled task to shut down the machine at least 10 minutes after the current time; the exact time is random\r\n(based on GetTickCount()). 
For example:\r\nschtasks /Create /SC once /TN “” /TR “\u003csystem folder\u003e\\shutdown.exe /r /f” /ST 14:23\r\nAfter successfully modifying the MBR, it displays the following fake system message, which reports a supposed\r\ndrive error and shows a fake integrity check.\r\nIt tries to overwrite the MBR code only if it is running with the highest privilege (i.e., with\r\nSeDebugPrivilege enabled).\r\nThis ransomware attempts to encrypt all files with the following file name extensions in all folders on all fixed\r\ndrives, except for C:\\Windows:\r\n.3ds .7z .accdb .ai\r\n.asp .aspx .avhd .back\r\n.bak .c .cfg .conf\r\n.cpp .cs .ctl .dbf\r\n.disk .djvu .doc .docx\r\n.dwg .eml .fdb .gz\r\n.h .hdd .kdbx .mail\r\n.mdb .msg .nrg .ora\r\n.ost .ova .ovf .pdf\r\n.php .pmf .ppt .pptx\r\n.pst .pvi .py .pyc\r\n.rar .rtf .sln .sql\r\n.tar .vbox .vbs .vcb\r\n.vdi .vfd .vmc .vmdk\r\n.vmsd .vmx .vsdx .vsv\r\n.work .xls .xlsx .xvd\r\n.zip\r\nIt uses file mapping APIs instead of the usual ReadFile()/WriteFile() APIs.\r\nUnlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it\r\noverwrites the original files in place.\r\nThe AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the\r\nembedded 2048-bit RSA public key of the attacker.\r\nThe unique key used for file encryption (AES) is added, in encrypted form, to the README.TXT file the threat\r\nwrites, under the section “Your personal installation key:”.\r\nBeyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of the VBR and\r\nMBR.\r\nAfter completing its encryption routine, this ransomware drops a text file called README.TXT on each fixed\r\ndrive.\r\nThis ransomware also clears the System, Setup, Security, and Application event logs and deletes the NTFS journal.\r\nDetection and investigation with Windows Defender Advanced Threat Protection\r\nWindows Defender Advanced Threat Protection (Windows Defender ATP) is a post-breach solution and offers by-design detections for this attack without needing any signature updates. Windows Defender ATP sensors constantly\r\nmonitor and collect telemetry from the endpoints and offer machine-learning detections for common lateral\r\nmovement techniques and tools used by this ransomware, including, for example, the execution of PsExec.exe\r\nwith a different filename, and the creation of the perfc.dat file in remote share (UNC) paths.\r\nThe second alert targets the distribution of the ransomware’s .dll file over the network. This event provides helpful\r\ninformation during investigation as it includes the User context that was used to move the file remotely. 
This user\r\naccount has been compromised and could be the user associated with patient zero.\r\nWith Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks,\r\ninvestigate the scope of the attack, and respond early to malware delivery campaigns.\r\nProtection against this new ransomware attack\r\nKeeping your Windows 10 up-to-date gives you the benefits of the latest features and proactive mitigations built\r\ninto the latest versions of Windows. In Creators Update, we further hardened Windows 10 against ransomware\r\nattacks by introducing new next-gen technologies and enhancing existing ones.\r\nAs another layer of protection, Windows 10 S only allows apps that come from the Windows Store to run.\r\nWindows 10 S users are further protected from this threat.\r\nWe recommend customers that have not yet installed security update MS17-010 to do so as soon as possible. Until\r\nyou can apply the patch, we also recommend two possible workarounds to reduce the attack surface:\r\nDisable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 and as\r\nrecommended previously\r\nConsider adding a rule on your router or firewall to block incoming SMB traffic on port 445\r\nAs the threat targets ports 139 and 445, you can block any traffic on those ports to prevent propagation\r\neither into or out of machines in the network. You can also disable remote WMI and file sharing. These measures may have\r\na large impact on the functionality of your network, but may be warranted for a very short time period while you\r\nassess the impact and apply definition updates.\r\nAside from exploiting vulnerabilities, this threat can also spread across networks by stealing credentials, which it\r\nthen uses to copy itself to remote machines and execute that copy. You can prevent credential theft by ensuring\r\ncredential hygiene across the organization. 
Secure privileged access to prevent the spread of threats like Petya and\r\nto protect your organization’s assets. Use Credential Guard to protect domain credentials stored in the Windows\r\nCredential Store.\r\nWindows Defender Antivirus detects this threat as Ransom:Win32/Petya as of the 1.247.197.0 update. Windows\r\nDefender Antivirus uses cloud-based protection, helping to protect you from the latest threats.\r\nFor enterprises, use Device Guard to lock down devices and provide kernel-level virtualization-based security,\r\nallowing only trusted applications to run, effectively preventing malware from running.\r\nMonitor networks with Windows Defender Advanced Threat Protection, which alerts security operations teams\r\nabout suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to\r\ndetect, investigate, and mitigate ransomware in networks: Windows Defender Advanced Threat Protection –\r\nRansomware response playbook.\r\nTo test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced\r\nattacks, sign up for a free trial.\r\nResources\r\nMSRC blog: https://blogs.technet.microsoft.com/msrc/2017/06/28/update-on-petya-malware-attacks/\r\nNext-generation ransomware protection with Windows 10 Creators Update:\r\nhttps://blogs.technet.microsoft.com/mmpc/2017/06/08/windows-10-creators-update-hardens-security-with-next-gen-defense/\r\nDownload English language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86,\r\nWindows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64\r\nDownload localized language security updates: Windows Server 2003 SP2 x64, Windows Server 2003 SP2 x86,\r\nWindows XP SP2 x64, Windows XP SP3 x86, Windows XP Embedded SP3 x86, Windows 8 x86, Windows 8 x64\r\nMS17-010 Security 
Update: https://technet.microsoft.com/en-us/library/security/ms17-010.aspx\r\nGeneral information on ransomware: https://www.microsoft.com/en-us/security/portal/mmpc/shared/ransomware.aspx\r\nSecurity for IT Pros: https://technet.microsoft.com/en-us/security/default\r\nIndicators of Compromise\r\nNetwork defenders may search for the following indicators:\r\nFile indicators\r\n34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d\r\n9717cfdc2d023812dbc84a941674eb23a2a8ef06\r\n38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf\r\n56c03d8e43f50568741704aee482704a4f5005ad\r\nCommand lines\r\nIn environments where command-line logging is available, the following command lines may be searched:\r\nScheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the\r\ncurrent time\r\nschtasks /Create /SC once /TN “” /TR “\u003csystem folder\u003e\\shutdown.exe /r /f” /ST \u003ctime\u003e\r\ncmd.exe /c schtasks /RU “SYSTEM” /Create /SC once /TN “” /TR\r\n“C:\\Windows\\system32\\shutdown.exe /r /f” /ST \u003ctime\u003e\r\nThis may be surfaced by searching for EventId 106 (General Task Registration), which captures tasks registered\r\nwith the Task Scheduler service.\r\nLateral Movement (Remote WMI)\r\n“process call create \\”C:\\\\Windows\\\\System32\\\\rundll32.exe \\\\\\”C:\\\\Windows\\\\perfc.dat\\\\\\” #1″\r\nNetwork indicators\r\nIn environments where NetFlow data are available, this ransomware’s subnet-scanning behavior may be observed\r\nby looking for the following:\r\nWorkstations scanning ports tcp/139 and tcp/445 on their own local (/24) network scope\r\nServers (in particular, domain controllers) scanning ports tcp/139 and tcp/445 across multiple /24 scopes\r\nTalk to us\r\nQuestions, concerns, or insights on this story? 
Join discussions at the Microsoft community and Windows\r\nDefender Security Intelligence.\r\nFollow us on Twitter @WDSecurity and Facebook Windows Defender Security Intelligence.\r\nSource: https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.microsoft.com/security/blog/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/"
	],
	"report_names": [
		"new-ransomware-old-techniques-petya-adds-worm-capabilities"
	],
	"threat_actors": [
		{
			"id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5",
			"created_at": "2022-10-25T16:07:24.561104Z",
			"updated_at": "2026-04-10T02:00:05.03343Z",
			"deleted_at": null,
			"main_name": "Shadow Brokers",
			"aliases": [],
			"source_name": "ETDA:Shadow Brokers",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434488,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b5286d4ec8998dde05b326def468e60330b4d985.pdf",
		"text": "https://archive.orkl.eu/b5286d4ec8998dde05b326def468e60330b4d985.txt",
		"img": "https://archive.orkl.eu/b5286d4ec8998dde05b326def468e60330b4d985.jpg"
	}
}