Petya (and NotPetya/ExPetr/PetrWrap etc.)

[1st November 2017]

John Leyden for The Register: Bootkit ransomware baddy hops down BadRabbit hole in Japan – Spirited away…

Actually about ‘MBR-ONI, a new bootkit ransomware, relies on modified version of a legitimate open-source disk encryption utility called DiskCryptor for its encryption routines – the same tool abused by the Bad Rabbit ransomware last week.’

[26th October 2017]

The Register: Hop on, Average Rabbit: Latest extortionware menace flopped – The buck stops… somewhere in Ukraine, Turkey, Japan?

[25th October 2017]

The Register: Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs – Ransomware breeds through Windows networks via SMB, fake Flash

ESET: Bad Rabbit: Not-Petya is back with improved ransomware

ESET: Kiev metro hit with a new variant of the infamous Diskcoder ransomware

ZDnet: Bad Rabbit ransomware: A new variant of Petya is spreading, warn researchers – Updated: Organisations in Russia, Ukraine and other countries have fallen victim to what is thought to be a new variant of ransomware.

[19th October 2017]

Josh Fruhlinger for CSO Online: Petya and NotPetya: The basics

[7th August 2017]

The World’s First Ransomware Class-Action Lawsuit Is Taking Shape

[3rd August 2017]

Catalin Cimpanu for Bleeping Computer: Ukrainian Firm Facing Legal Action for Damages Caused by NotPetya Ransomware.

‘The Juscutum Attorneys Association, a Ukrainian law firm, is rallying NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software, the point of origin of the NotPetya ransomware outbreak.’

[8th July 2017]

I’m not sure how much hope there really is for this approach, but Positive Technologies reckons that the people behind NotPetya/ExPetr etc. made an implementation error in Salsa20 that reduces the key length, but not enough to make decryption feasible at this point. However, the company is also exploring another route that may be of some use (counter-intuitively) when the malware was able to gain administrator privileges.

[7th July 2017]

Malwarebytes: The key to old Petya versions has been published by the malware author. Won’t help people/organizations affected by NotPetya/EternalPetya or whatever your name of choice is, but may be good news for victims of Petya/Goldeneye if they’ve retained disk images.

V3: Ukrainian company compromised to spread NotPetya malware has servers seized by police

[6th July 2017]

ESET: Everything you need to know about the latest variant of Petya

[5th July 2017]

Kaspersky: Researchers Find BlackEnergy APT Links in ExPetr Code and From BlackEnergy to ExPetr – A gut feeling of old acquaintances, new tools, and a common battleground

ESET: TeleBots are back: Supply-chain attacks against Ukraine and Analysis of TeleBots’ cunning backdoor

The Register: Cha-ching! NotPetya hackers cash out – but victims won’t ever see that data again – Plus, bonus ransomware strain found in bottom of source code. [John Leyden reported that ‘A new analysis by Kaspersky Lab reports that NotPetya was not the only ransomware pushed through the trojanised M.E.Doc update … Kaspersky Lab researchers … dub the malware “FakeCry”.’]

[29th June 2017]

Not Petya, and not even ransomware, we’re now being told…

[27th/28th June 2017] Lots of media already responded re the new Petya version: this article from ESET points to a fair spread of them. Later information from The Register: Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide – This isn’t ransomware – it’s merry chaos. (I have to agree that there are many uncertainties at the time of writing.)

March 2017 – Anton Ivanov, Fedor Sinitsyn for Kaspersky: PetrWrap: the new Petya-based ransomware used in targeted attacks.

Added 8th February 2017: article by Raul Alvarez for Fortinet: Ransomware and the Boot Process

An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software.

Added 24th October 2016:

MBRFilter is an open-source tool from Cisco Talos that may help against some ransomware that targets the Master Boot Record.

Here are some sources for commentary on the Petya ransomware, which, as Bleeping Computer puts it, skips the files and encrypts your hard disk instead. Note that repairing the Master Boot Record doesn’t recover your data.

Darren Pauli for the Register: Ransomware now using disk-level encryption – German firms fleeced by ‘Petya’ nastyware that performs fake CHKDSK. Cites discussion on KernelMode.info forums.

David Bisson for Graham Cluley’s blog: Petya ransomware goes for broke and encrypts hard drive Master File Tables – Chances are you’ll notice you’ve got a problem when the red skull appears during boot-up… He cites Jasen Sumalapao, writing for Trend Micro.

G-Data: Ransomware Petya – a technical review

Nice, clear Sophos summary: New ransomware with an old trick: “Petya” parties like it’s 1989

Helpnet: Petya ransomware encrypts files, disks, locks users out of computers

11th April 2016: A flaw in Petya – the current version, at least – has allowed an unidentified researcher to create a key generator to crack the encryption without paying 0.9 bitcoin to the criminals. BBC story: Petya ransomware encryption system cracked. Commentary by David Bisson for Graham Cluley’s blog: Infected by Petya ransomware? Use this tool to unlock your files… for now – Thank goodness ransomware sometimes contains bugs too… And the website set up to help people with the generation: unfortunately, the average victim will have problems getting the information necessary to kickstart the process. Confirmed by Lawrence Abrams of Bleeping Computer.

[May 14th 2016] Lawrence Abrams for Bleeping Computer: Petya is back and with a friend named Mischa Ransomware. If a new installer for Petya is unable to gain the admin privileges it needs to modify the Master Boot Record (MBR), it now installs the more conventional Mischa ransomware instead.

July 18th 2016

Malwarebytes: Third time (un)lucky – improved Petya is out

July 31st 2016

David Bisson for Graham Cluley’s blog: Petya, Mischa ransomware-as-a-service affiliate system goes live – The more people you scare into paying the ransom, the more money you make. Kevin Townsend for Security Week: Ransomware-as-a-Service Lets Anyone be a Cybercriminal