{ "id": "5fa020e3-7d67-4882-9f79-bfe0237defa6", "created_at": "2026-04-06T00:10:17.212212Z", "updated_at": "2026-04-10T13:12:27.009406Z", "deleted_at": null, "sha1_hash": "c24d3868d17b811ae50736682edba9852b4b4b43", "title": "Checking out the new Petya variant - SANS Internet Storm Center", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 2580851, "plain_text": "Checking out the new Petya variant - SANS Internet Storm Center\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-02 11:46:45 UTC\r\nThis is a follow-up from our previous diary about today's ransomware attacks using the new Petya variant.  So far,\r\nwe've noted:\r\nSeveral hundred more tweets about today's attack can be found on Twitter using #petya.\r\nThe new Petya variant appears to be using the MS17-010 Eternal Blue exploit to propagate.\r\nOthers claim the new variant uses WMIC to propagate\r\nStill no official word on the initial infection vector in today's attacks.\r\nPeople everywhere are saying today's activity is similar to last month's WannaCry ransomware attacks.\r\nSamples of the new Petya variant are DLL files.  So far, we've confirmed the following two SHA256 file hashes\r\nare the new variant:\r\n027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\r\n64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1\r\nExamining the new Petya variant\r\nPetya is a ransomware family that works by modifying the infected Windows system's Master Boot Record\r\n(MBR).  Using rundll32.exe with #1 as the DLL entry point, I was able to infect hosts in my lab with the above\r\ntwo DLL samples.  The reboot didn't occur right away.  However, when it did, my infected host did a CHKDSK\r\nafter rebooting. \r\nhttps://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/\r\nPage 1 of 5\n\nShown above:  An infected host immediately after rebooting.\r\nAfter CHKDSK finished, the infected Windows host's modified MBR prevented Windows from loading.  Instead,\r\nthe infected host displayed a ransom message.\r\nShown above:  The ransom note from a compromised system.\r\nSamples of the new Petya variant appear to have WMI command-line (WMIC) functionality.  Others have\r\nconfirmed this variant spreads over Windows SMB and is reportedly using the EternalBlue exploit tool, which\r\nexploits CVE-2017-0144 and was originally released by the Shadow Brokers group in April 2017.  My infected\r\nWindows hosts immediately generated TCP traffic on port 445 and did ARP requests for local network hosts.\r\nhttps://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/\r\nPage 2 of 5\n\nShown above:  Some of the traffic noted in my lab environment.\r\nKeep in mind this is a new variant of Petya ransomware.  I'm still seeing samples of the regular Petya ransomware\r\nsubmitted to places like VirusTotal and other locations.  From what we can tell, those previous versions of Petya\r\nare not related to today's attacks.\r\nhttps://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/\r\nPage 3 of 5\n\nShown above:  Difference in ransomware notes between the old and new Petya variants.\r\nNew Petya variant ransom message\r\nOoops, your important files are encrypted.\r\nhttps://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/\r\nPage 4 of 5\n\nIf you see this text, then your files are no longer accessible, because they have been encrypted.  Perhaps you are\r\nbusy looking for a way to recover your files, but don't waste your time.  Nobody can recover your files without\r\nour decryption service.\r\nWe guarantee that you can recover all your files safely and easily.  All you need to do is submit the payment and\r\npurchase the decryption key.\r\nPlease follow the instructions:\r\n1. Send $300 worth of Bitcoin to the following address:\r\n   1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX\r\n2. Send your Bitcoin walled ID and personal installation key to e-mail wowsmith123456@posteo.net. Your\r\npersonal installation key:\r\n012345-6789ab-cdefgh-ijklmn-opqrst-uvwxyz-ABCDEF-GHIJKL-MNOPQR-STUVWX\r\nIf you already purchased your key, please enter it below.\r\nKey:\r\nMore reports about the new Petya variant\r\nBleeping Computer: WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe\r\nThe Hacker News: Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry\r\nReuters: Petya ransomware virus is back amid cyber attack: Swiss agency\r\nPalo Alto Networks Blog: Threat Brief: Petya ransomware\r\nSource: https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/\r\nhttps://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "origins": [ "web" ], "references": [ "https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/" ], "report_names": [ "22562" ], "threat_actors": [ { "id": "d4f7cf97-9c98-409c-8b95-b80d14c576a5", "created_at": "2022-10-25T16:07:24.561104Z", "updated_at": "2026-04-10T02:00:05.03343Z", "deleted_at": null, "main_name": "Shadow Brokers", "aliases": [], "source_name": "ETDA:Shadow Brokers", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "171b85f2-8f6f-46c0-92e0-c591f61ea167", "created_at": "2023-01-06T13:46:38.830188Z", "updated_at": "2026-04-10T02:00:03.114926Z", "deleted_at": null, "main_name": "The Shadow Brokers", "aliases": [ "Shadow Brokers", "ShadowBrokers", "The ShadowBrokers", "TSB" ], "source_name": "MISPGALAXY:The Shadow Brokers", "tools": [], "source_id": "MISPGALAXY", "reports": null } ], "ts_created_at": 1775434217, "ts_updated_at": 1775826747, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/c24d3868d17b811ae50736682edba9852b4b4b43.pdf", "text": "https://archive.orkl.eu/c24d3868d17b811ae50736682edba9852b4b4b43.txt", "img": "https://archive.orkl.eu/c24d3868d17b811ae50736682edba9852b4b4b43.jpg" } }