{
	"id": "9de646a6-20b3-49c7-b76f-195951bdaf2c",
	"created_at": "2026-04-06T00:20:19.647872Z",
	"updated_at": "2026-04-10T13:12:59.282184Z",
	"deleted_at": null,
	"sha1_hash": "e59255ba33c1e588944881da5a8926f4ee694af4",
	"title": "Petya Ransomware | CISA",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 91232,
	"plain_text": "Petya Ransomware | CISA\r\nPublished: 2018-02-15 · Archived: 2026-04-02 11:26:38 UTC\r\nSystems Affected\r\nMicrosoft Windows operating systems\r\nOverview\r\nThis Alert has been updated to reflect the U.S. Government's public attribution of the \"NotPetya\" malware variant\r\nto the Russian military. Additional information may be found in a Statement from the White House Press\r\nSecretary. For more information related to NotPetya activity, go to https://www.us-cert.gov/grizzlysteppe.\r\nThe scope of this Alert’s analysis is limited to the newest Petya malware variant that surfaced on June 27, 2017.\r\nThis malware is referred to as “NotPetya” throughout this Alert.\r\nOn June 27, 2017, NCCIC [13] was notified of Petya malware events occurring in multiple countries and affecting\r\nmultiple sectors. This variant of the Petya malware—referred to as NotPetya—encrypts files with extensions from\r\na hard-coded list. Additionally, if the malware gains administrator rights, it encrypts the master boot record\r\n(MBR), making the infected Windows computers unusable. NotPetya differs from previous Petya malware\r\nprimarily in its propagation methods. \r\nThe NCCIC Code Analysis Team produced a Malware Initial Findings Report (MIFR) to provide in-depth\r\ntechnical analysis of the malware. In coordination with public and private sector partners, NCCIC is also\r\nproviding additional indicators of compromise (IOCs) in comma-separated-value (CSV) form for information\r\nsharing purposes.\r\nAvailable Files:\r\nMIFR-10130295.pdf\r\nMIFR-10130295_stix.xml\r\nTA-17-181B_IOCs.csv\r\nNotPetya leverages multiple propagation methods to spread within an infected network. 
According to malware\r\nanalysis, NotPetya attempts the lateral movement techniques below:\r\nPsExec - a legitimate Windows administration tool\r\nWMI - Windows Management Instrumentation, a legitimate Windows component\r\nEternalBlue - the same Windows SMBv1 exploit used by WannaCry\r\nEternalRomance - another Windows SMBv1 exploit\r\nMicrosoft released a security update for the MS17-010 SMB vulnerability on March 14, 2017, which addressed\r\nthe EternalBlue and EternalRomance lateral movement techniques.\r\nhttps://www.us-cert.gov/ncas/alerts/TA17-181A\r\nPage 1 of 5\n\nTechnical Details\r\nNCCIC received a sample of the NotPetya malware variant and performed a detailed analysis. Based on the\r\nanalysis, NotPetya encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID of\r\nthe victim. However, there is no evidence of a relationship between the encryption key and the victim’s ID, which\r\nmeans it may not be possible for the attacker to decrypt the victim’s files even if the ransom is paid. It behaves\r\nmore like destructive malware than ransomware.\r\nNCCIC observed multiple methods used by NotPetya to propagate across a network. The first and—in most cases\r\n—most effective method uses a modified version of the Mimikatz tool to steal the user’s Windows credentials.\r\nThe cyber threat actor can then use the stolen credentials, along with the native Windows Management\r\nInstrumentation Command Line (WMIC) tool or the Microsoft Sysinternals utility, psexec.exe, to access other\r\nsystems on the network. Another method for propagation uses the EternalBlue exploit tool to target unpatched\r\nsystems running a vulnerable version of SMBv1. In this case, the malware attempts to identify other hosts on the\r\nnetwork by checking the compromised system’s IP-to-physical (ARP) address mapping table. Next, it scans for other\r\nsystems that are vulnerable to the SMB exploit and installs the malicious payload. 
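Hunting for the credential-reuse lateral movement described above (stolen credentials replayed through WMIC or PsExec) is an example added here; it is not part of the CISA Alert or of the MIFR. It assumes Sysmon process-creation events (Event ID 1) and Service Control Manager service-install events (System log, Event ID 7045) are available, and the sample records it runs against are constructed for the demonstration, with hypothetical host names, addresses and paths (the stage.dll name is a placeholder).

```powershell
# Added example, not from the Alert. Flags the remote-execution patterns the Alert describes:
# WMIC launched with /node: (WMI execution against another host), a process spawned by the
# WMI provider host (inbound WMI execution), and a PSEXESVC service install (inbound PsExec).
# Event shapes follow Sysmon Event ID 1 and System log Event ID 7045; the sample records
# below are constructed, with hypothetical host names, addresses and paths.

$SampleEvents = @(
    [pscustomobject]@{ Id = 1; Host = 'WS-0042'; Time = '2017-06-27T10:31:05'
        Image = 'C:\\Windows\\System32\\wbem\\WMIC.exe'; ParentImage = 'C:\\Windows\\System32\\rundll32.exe'
        CommandLine = 'wmic /node:10.0.5.17 /user:CORP\\svc_backup /password:* process call create \"C:\\Windows\\System32\\rundll32.exe C:\\Windows\\stage.dll\"' },
    [pscustomobject]@{ Id = 1; Host = 'FS-01'; Time = '2017-06-27T10:31:07'
        Image = 'C:\\Windows\\System32\\rundll32.exe'; ParentImage = 'C:\\Windows\\System32\\wbem\\WmiPrvSE.exe'
        CommandLine = 'C:\\Windows\\System32\\rundll32.exe C:\\Windows\\stage.dll' },
    [pscustomobject]@{ Id = 7045; Host = 'FS-02'; Time = '2017-06-27T10:31:09'
        ServiceName = 'PSEXESVC'; ImagePath = '%SystemRoot%\\PSEXESVC.exe' },
    [pscustomobject]@{ Id = 1; Host = 'WS-0042'; Time = '2017-06-27T10:32:00'
        Image = 'C:\\Windows\\System32\\notepad.exe'; ParentImage = 'C:\\Windows\\explorer.exe'
        CommandLine = 'notepad.exe' }   # benign control record, must not be flagged
)

function Find-LateralMovement {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hit = $null
        switch ($e.Id) {
            1 {
                # Outbound: WMIC told to create a process on another host (-match is case-insensitive).
                if ($e.Image -match '\\\\wmic\\.exe$' -and $e.CommandLine -match '/node:' -and
                    $e.CommandLine -match 'process\\s+call\\s+create') {
                    $hit = 'WMIC remote process creation (outbound WMI lateral movement)'
                }
                # Inbound: Win32_Process.Create on this host runs the child under WmiPrvSE.exe.
                elseif ($e.ParentImage -match '\\\\WmiPrvSE\\.exe$') {
                    $hit = 'Process spawned by WMI provider host (inbound WMI execution)'
                }
            }
            7045 {
                # PsExec installs its service (PSEXESVC by default) on the target before running the command.
                if ($e.ServiceName -eq 'PSEXESVC' -or $e.ImagePath -match 'PSEXESVC') {
                    $hit = 'PsExec service installed (inbound PsExec execution)'
                }
            }
        }
        if ($hit) {
            $detail = if ($e.Id -eq 7045) { $e.ImagePath } else { $e.CommandLine }
            [pscustomobject]@{ Host = $e.Host; Time = $e.Time; Technique = $hit; Detail = $detail }
        }
    }
}

function Get-LateralMovementEvents {
    # Collects the same two event types from the live host. Event ID 1 requires Sysmon.
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $parse = {
        $x = [xml]$_.ToXml(); $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{ Id = $_.Id; Host = $_.MachineName; Time = $_.TimeCreated
            Image = $d.Image; ParentImage = $d.ParentImage; CommandLine = $d.CommandLine
            ServiceName = $d.ServiceName; ImagePath = $d.ImagePath }
    }
    @(Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $since } -ErrorAction SilentlyContinue) +
    @(Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Service Control Manager'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue) |
        ForEach-Object $parse
}

# Offline run against the constructed records (three hits, the notepad record is ignored).
# On a live host: Find-LateralMovement -Events (Get-LateralMovementEvents -Hours 24)
Find-LateralMovement -Events $SampleEvents | Format-Table -AutoSize
```

Both WMIC and PsExec are legitimate administration tools, so these hits are triage leads rather than verdicts; the useful signal is the combination of a credential that should not be used interactively, a source host that is not a management workstation, and the same command fanning out to many targets within seconds, which is what the propagation method above looks like in logs.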
Refer to the malware report,\r\nMIFR-10130295, for more details on these methods.\r\nThe analyzed sample of NotPetya encrypts the compromised system’s files with a 128-bit Advanced Encryption\r\nStandard (AES) algorithm during runtime. The malware then writes a text file on the “C:\\” drive that includes a\r\nstatic Bitcoin wallet location as well as a unique personal installation key intended for the victim to use when\r\nmaking the ransom payment and the user’s Bitcoin wallet ID. NotPetya modifies the master boot record (MBR) to\r\nenable encryption of the master file table (MFT) and the original MBR, and then reboots the system. Based on the\r\nencryption methods used, it appears unlikely that the files could be restored, even if the attacker received the\r\nvictim’s unique key and Bitcoin wallet ID.\r\nThe delivery mechanism of NotPetya during the June 27, 2017, event was determined to be the Ukrainian tax\r\naccounting software, M.E.Doc. The cyber threat actors used a backdoor to compromise M.E.Doc’s development\r\nenvironment as far back as April 14, 2017. This backdoor allowed the threat actor to run arbitrary commands,\r\nexfiltrate files, and download and execute arbitrary exploits on the affected system. Organizations should treat\r\nsystems with M.E.Doc installed as suspicious, and should examine these systems for additional malicious activity.\r\n[12]\r\nImpact\r\nAccording to multiple reports, this NotPetya malware campaign has infected organizations in several sectors,\r\nincluding finance, transportation, energy, commercial facilities, and healthcare. 
While these victims are business\r\nentities, other Windows systems are also at risk, such as:\r\nthose that do not have patches installed for the vulnerabilities in MS17-010, CVE-2017-0144, and CVE-2017-0145, and\r\nthose that operate on the shared network of affected organizations.\r\nNegative consequences of malware infection include:\r\ntemporary or permanent loss of sensitive or proprietary information,\r\ndisruption to regular operations,\r\nfinancial losses incurred to restore systems and files, and\r\npotential harm to an organization’s reputation.\r\nSolution\r\nNCCIC recommends against paying ransoms; doing so enriches malicious actors while offering no guarantee that\r\nthe encrypted files will be released. In this NotPetya incident, the email address for payment validation was shut\r\ndown by the email provider, so payment is especially unlikely to lead to data recovery.[1] According to one\r\nNCCIC stakeholder, the sites listed below are used for payment in this activity. These sites are not included\r\nin the CSV package as IOCs.\r\nhxxp://mischapuk6hyrn72[.]onion/\r\nhxxp://petya3jxfp2f7g3i[.]onion/\r\nhxxp://petya3sen7dyko2n[.]onion/\r\nhxxp://mischa5xyix2mrhd[.]onion/MZ2MMJ\r\nhxxp://mischapuk6hyrn72[.]onion/MZ2MMJ\r\nhxxp://petya3jxfp2f7g3i[.]onion/MZ2MMJ\r\nhxxp://petya3sen7dyko2n[.]onion/MZ2MMJ\r\nNetwork Signatures\r\nNCCIC recommends that organizations coordinate with their security vendors to ensure appropriate coverage for\r\nthis threat. Given the overlap of functionality and the similarity of behaviors between WannaCry and NotPetya,\r\nmany of the available rulesets can protect against both malware types when appropriately implemented. 
The\r\nfollowing rulesets provided in publicly available sources may help detect activity associated with these malware\r\ntypes:\r\nsid:2001569, “ET SCAN Behavioral Unusual Port 445 traffic Potential Scan or Infection”[2]\r\nsid:2012063, “ET NETBIOS Microsoft SRV2.SYS SMB Negotiate ProcessID Function Table\r\nDereference (CVE-2009-3103)”[3]\r\nsid:2024297, “ET CURRENT_EVENTS ETERNALBLUE Exploit M2 MS17-010”[4]\r\nsid:42944, \"OS-WINDOWS Microsoft Windows SMB remote code execution attempt\"[11]\r\nsid:42340, \"OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt\"[11]\r\nsid:41984, \"OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt\"[11]\r\nRecommended Steps for Prevention\r\nReview US-CERT’s Alert on The Increasing Threat to Network Infrastructure Devices and Recommended\r\nMitigations [6], and consider implementing the following best practices:\r\nEnsure you have fully patched your systems, and confirm that you have applied Microsoft’s patch for the\r\nMS17-010 SMB vulnerability dated March 14, 2017.[5]\r\nConduct regular backups of data and test your backups regularly as part of a comprehensive disaster\r\nrecovery plan.\r\nEnsure anti-virus and anti-malware solutions are set to automatically conduct regular scans.\r\nManage the use of privileged accounts. Implement the principle of least privilege. Do not assign\r\nadministrative access to users unless absolutely needed. Those with a need for administrator accounts\r\nshould only use them when necessary.\r\nConfigure access controls, including file, directory, and network share permissions with the principle of\r\nleast privilege in mind. If a user only needs to read specific files, they should not have write access to those\r\nfiles, directories, or shares.
\r\nSecure the use of WMI by authorizing WMI users and setting permissions.\r\nUtilize host-based firewalls and block workstation-to-workstation communications to limit unnecessary\r\nlateral communications.\r\nDisable or limit remote WMI and file sharing.\r\nBlock remote execution through PsExec.\r\nSegregate networks and functions.\r\nHarden network devices and secure access to infrastructure devices.\r\nPerform out-of-band network management.\r\nValidate integrity of hardware and software.\r\nDisable SMBv1 and block all versions of SMB at the network boundary by blocking TCP port 445 with\r\nrelated protocols on UDP ports 137-138 and TCP port 139; this applies to all boundary devices.\r\nNote: Disabling or blocking SMB may create problems by obstructing access to shared files, data, or devices.\r\nWeigh the benefits of mitigation against potential disruptions to users.\r\nRecommended Steps for Remediation\r\nNCCIC strongly encourages organizations to contact a local Federal Bureau of Investigation (FBI) field office\r\nupon discovery to report an intrusion and request assistance. Maintain and provide relevant logs.\r\nImplement a security incident response and business continuity plan. Ideally, organizations should ensure\r\nthey have appropriate backups so their response is simply to restore the data from a known clean backup.\r\nReport Notice\r\nDHS encourages recipients who identify the use of tools or techniques discussed in this document to report\r\ninformation to DHS or law enforcement immediately. To request incident response resources or technical\r\nassistance, contact NCCIC at NCCICcustomerservice@hq.dhs.gov or 888-282-0870. 
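The SMB and lateral-movement items in the prevention list above (disable SMBv1, block TCP 445 and 139 and UDP 137-138, block workstation-to-workstation traffic, limit remote WMI and PsExec) expressed as a PowerShell script for a single Windows workstation. This is an added example, not guidance text from the Alert. It assumes an elevated session on Windows 8.1 or 10 with the SmbShare, NetSecurity and DISM cmdlets that ship with those versions; the rule names are arbitrary and the address ranges passed to Block-LateralPorts are placeholders for the organization's own workstation subnets.

```powershell
# Added example, not from the Alert. Implements the SMB / lateral-movement hardening items
# from the prevention list on one Windows workstation. Run in an elevated PowerShell session.
# Assumes Windows 8.1/10 (Get-/Set-SmbServerConfiguration, New-NetFirewallRule,
# Disable-WindowsOptionalFeature); on Windows Server use Remove-WindowsFeature FS-SMB1 instead.

function Get-SmbExposure {
    # Current state, returned as an object so it can be compared before and after hardening.
    $cfg = Get-SmbServerConfiguration
    [pscustomobject]@{
        Smb1Enabled      = [bool]$cfg.EnableSMB1Protocol
        Smb2Enabled      = [bool]$cfg.EnableSMB2Protocol
        Smb1FeatureState = (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue).State
        Listening445     = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
        BlockRules       = @(Get-NetFirewallRule -DisplayName 'TA17-181A-Block-*' -ErrorAction SilentlyContinue).Count
    }
}

function Disable-Smb1 {
    # EternalBlue and EternalRomance need an SMBv1 server: stop offering it, then remove the component.
    # This does not replace MS17-010; the patch is still required for the SMB driver itself.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-LateralPorts {
    # Inbound block rules on the host firewall. With the default 'Any' they block every inbound
    # SMB, NetBIOS and RPC endpoint-mapper connection. Pass the workstation subnets instead to block
    # only workstation-to-workstation traffic and leave management hosts outside those ranges alone.
    # Blocking 445 also stops PsExec, which needs the ADMIN$ share and service control over SMB;
    # blocking 135 stops DCOM-based remote WMI, the path WMIC /node: uses.
    param([string[]]$FromAddresses = @('Any'))   # placeholder, e.g. @('10.0.0.0/16', '10.1.0.0/16')
    $rules = @(
        @{ Name = 'TA17-181A-Block-SMB-445';     Protocol = 'TCP'; Port = '445' },
        @{ Name = 'TA17-181A-Block-NetBIOS-139'; Protocol = 'TCP'; Port = '139' },
        @{ Name = 'TA17-181A-Block-NetBIOS-UDP'; Protocol = 'UDP'; Port = '137-138' },
        @{ Name = 'TA17-181A-Block-RPC-135';     Protocol = 'TCP'; Port = '135' }
    )
    foreach ($r in $rules) {
        # Idempotent: re-running the script does not stack duplicate rules.
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Action Block -Profile Any -Protocol $r.Protocol -LocalPort $r.Port -RemoteAddress $FromAddresses | Out-Null
        }
    }
}

'Before:'; Get-SmbExposure | Format-List
Disable-Smb1
Block-LateralPorts                         # or: Block-LateralPorts -FromAddresses @('10.0.0.0/16')
'After:';  Get-SmbExposure | Format-List
# Smb1Enabled should already read False; a reboot completes removal of the SMB1Protocol feature.
```

The Alert's caveat applies in full: blocking inbound 445 on a workstation also breaks anything that reaches the machine over SMB (software distribution, remote event log collection, administrative shares), so the address ranges should be scoped and the rules piloted on a test group before a domain-wide Group Policy rollout.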
Cybercrime incidents can also be reported to the Internet Crime Complaint Center (IC3) at https://www.ic3.gov/default.aspx.\r\nReferences\r\n[1] Bleeping Computer: Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files\r\n[2] Emerging Threats 2001569\r\n[3] Emerging Threats 2012063\r\n[4] Emerging Threats 2024297\r\n[5] Microsoft: Security Bulletin MS17-010\r\n[7] F-Secure: (Eternal) Petya from a Developer’s Perspective\r\n[8] Microsoft TechNet: New ransomware, old techniques: Petya adds worm capabilities\r\n[10] Microsoft: Windows 10 platform resilience against the Petya ransomware attack\r\n[11] Talos: New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide\r\n[12] Talos: The MeDoc Connection\r\n[14] New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide\r\nMicrosoft: Update on Petya Malware attacks\r\nMicrosoft: Authorize WMI users and set permissions\r\nMicrosoft: Managing WMI Security\r\nRevisions\r\nJuly 1, 2017: Initial version\r\nJuly 3, 2017: Updated to include MIFR-10130295_stix.xml file. Substituted TA-17-181B_IOCs.csv for TA-17-181A_IOCs.csv.\r\nJuly 7, 2017: Included further guidance from Microsoft in the Reference Section\r\nJuly 28, 2017: Revised multiple sections based on additional analysis provided\r\nFebruary 15, 2018: Added attribution of the NotPetya malware variant to the Russian military and link to White House press statement.\r\nSource: https://www.us-cert.gov/ncas/alerts/TA17-181A",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.us-cert.gov/ncas/alerts/TA17-181A"
	],
	"report_names": [
		"TA17-181A"
	],
	"threat_actors": [],
	"ts_created_at": 1775434819,
	"ts_updated_at": 1775826779,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e59255ba33c1e588944881da5a8926f4ee694af4.pdf",
		"text": "https://archive.orkl.eu/e59255ba33c1e588944881da5a8926f4ee694af4.txt",
		"img": "https://archive.orkl.eu/e59255ba33c1e588944881da5a8926f4ee694af4.jpg"
	}
}