# SANS ISC: Checking out the new Petya variant - SANS Internet Storm Center SANS Site Network Current Site SANS Internet Storm Center Other SANS Sites Help Graduate Degree Programs Security Training Security Certification Security Awareness Training Penetration Testing Industrial Control Systems Cyber Defense Foundations DFIR Software Security Government OnSite Training SANS ISC InfoSec Forums **[isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/](https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/)** Checking out the new Petya variant [This is a follow-up from our previous diary about today's ransomware attacks](https://isc.sans.edu/forums/diary/Widescale+Petya+variant+ransomware+attack+noted/22560/) using the new Petya variant. So far, we've noted: Several hundred more tweets about today's attack can be found on Twitter using [#petya.](https://twitter.com/search?src=typd&q=%23petya) [The new Petya variant appears to be using the MS17-010 Eternal Blue](https://en.wikipedia.org/wiki/EternalBlue) exploit to propagate. [Others claim the new variant uses WMIC to propagate](https://twitter.com/0x09AL/status/879702450038599681) Still no official word on the initial infection vector in today's attacks. People everywhere are saying today's activity is similar to last month's WannaCry ransomware attacks. Samples of the new Petya variant are DLL files. So far, we've confirmed the following two SHA256 file hashes are the new variant: [027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745](https://www.hybrid-analysis.com/sample/027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745?environmentId=100) [64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1](https://www.hybrid-analysis.com/sample/64b0b58a2c030c77fdb2b537b2fcc4af432bc55ffb36599a31d418c7c69e94b1?environmentId=100) **_Examining the new Petya variant_** Petya is a ransomware family that works by modifying the infected Windows system's Master Boot Record (MBR). Using rundll32.exe with #1 as the DLL entry point, I was able to infect hosts in my lab with the above two DLL samples. The reboot didn't occur right away. However, when it did, my infected host did a CHKDSK after rebooting. Brad 433 Posts ISC Handler Jun 27th 2017 ----- _Shown above: An infected host immediately after rebooting._ After CHKDSK finished, the infected Windows host's modified MBR prevented Windows from loading. Instead, the infected host displayed a ransom message. _Shown above: The ransom note from a compromised system._ Samples of the new Petya variant appear to have WMI command-line (WMIC) functionality. Others have confirmed this variant [spreads over Windows SMB and](https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/) [is reportedly using the EternalBlue exploit tool, which exploits CVE-2017-0144](https://en.wikipedia.org/wiki/EternalBlue) and was originally released by the Shadow Brokers group in April 2017. My infected Windows hosts immediately generated TCP traffic on port 445 and did ARP requests for local network hosts. ----- _Shown above: Some of the traffic noted in my lab environment._ Keep in mind this is a new variant of Petya ransomware. I'm still seeing samples of the regular Petya ransomware submitted to places like VirusTotal and other locations. From what we can tell, those previous versions of Petya are not related to today's attacks. ----- _Shown above: Difference in ransomware notes between the old and new Petya_ _variants._ **_New Petya variant ransom message_** Ooops, your important files are encrypted. If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service. ----- We guarantee that you can recover all your files safely and easily. All you need to do is submit the payment and purchase the decryption key. Please follow the instructions: 1. Send $300 worth of Bitcoin to the following address: [1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX](https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX) 2. Send your Bitcoin walled ID and personal installation key to e-mail wowsmith123456@posteo.net. Your personal installation key: 012345-6789ab-cdefgh-ijklmn-opqrst-uvwxyz-ABCDEF-GHIJKL-MNOPQRSTUVWX If you already purchased your key, please enter it below. Key: **_More reports about the new Petya variant_** Bleeping Computer: WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe The Hacker News: Petya Ransomware Spreading Rapidly Worldwide, Just Like WannaCry Reuters: [Petya ransomware virus is back amid cyber attack: Swiss agency](https://www.reuters.com/article/us-cyber-attack-swiss-idUSKBN19I1ZX) [Palo Alto Networks Blog: Threat Brief: Petya ransomware](https://researchcenter.paloaltonetworks.com/2017/06/unit42-threat-brief-petya-ransomware/) [Thread locked Subscribe](https://isc.sans.edu/forums/diary/subscribe/22562/) Jun 27th 2017 4 years ago Lots of good IOCs and updated info on Github: https://gist.github.com/vulnersCom/65fe44d27d29d7a5de4c176baba45759 Anonymous [Quote](https://isc.sans.edu/forums/diary/quote/39782) Jun 27th 2017 4 years ago There are reports that the CHKDSK screen is fake, put up to mask the encryption of files. Jim 4 Posts [Quote](https://isc.sans.edu/forums/diary/quote/39784) Jun 27th 2017 4 years ago Details from Check Point on possible initial attack vector. http://blog.checkpoint.com/2017/06/27/global-ransomware-attack-spreading-fast/ Anonymous ----- [Quote](https://isc.sans.edu/forums/diary/quote/39786) Jun 27th 2017 4 years ago Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-forpetya-notpetya-ransomware-outbreak/ Brett 19 Posts [Quote](https://isc.sans.edu/forums/diary/quote/39794) Jun 28th 2017 4 years ago NAKED SECURITY - Deconstructing Petya: how it spreads and how to fight back https://nakedsecurity.sophos.com/2017/06/28/deconstructing-petya-how-itspreads-and-how-to-fight-back/ Brett 19 Posts [Quote](https://isc.sans.edu/forums/diary/quote/39796) Jun 28th 2017 4 years ago Good write up by MSFT --> https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-oldtechniques-petya-adds-worm-capabilities/ Anonymous [Quote](https://isc.sans.edu/forums/diary/quote/39802) Jun 28th 2017 4 years ago -----