Performanta Advisory: Petya Ransomware

Performanta Advisory: Petya Ransomware

Published by Elad Sharf and Nick Griffin, Cyber Defence Team, Performanta (27 June, 2017: 22:00)

Performanta has closely monitored the outbreak of a new variant of the Petya ransomware, known as ‘Petrwrap’. Many large organisations have been affected, mainly in Ukraine, although the malware has rapidly spread across the UK, Europe and the US.

‘Petya’ is a ransomware variant known for over a year, but the new Petrwrap variant adds the ability to spread itself to other machines using the ‘EternalBlue’ exploit, WMI and PsExec utilities using stolen credentials. This wave of attack appears to have initially targeted high profile organisations through a compromised accounting software update called MeDoc.

Infection background – targeted software: per analysis and some intelligence shared on the incident, it appears the initial infection vector was a trojanised update of a legitimate accounting software known as MeDoc. This software is used by many organisations, mainly in the Ukraine.

Please note:  Rumours regarding this being spread by e-mail or Excel files appear to be false.

The trojanised MeDoc software drops and executes the Petrwrap ransomware and has been observed to have the following indicators of attack:

  • The trojanised MeDoc drops and executes the Petrwrap ransomware
  • Utilisation of the ETERNALBLUE exploit to spread laterally over SMB (this was used by WannaCry). Microsoft advisory and patch: https://technet.microsoft.com/en-us/library/security/ms17-010
  • Utilisation of the WMI and PSEXEC utilities to spread laterally using credentials stolen from LSASS. This is what makes this variant particularly interesting as another vector of lateral movement, not the reliance of a preexisting vulnerability. Customers are encouraged to limit the use of local administrators having active sessions to workstations when not in use, to aid in preventing the harvesting of these credentials in future attacks. Information on setting session times and auto logoff, as well as the use of LAPS can be found at https://adsecurity.org
  • Overwrite of the Master Boot Record (MBR) and Master File Tables (MFT), forcing a shutdown of the machine

The variants analysed do not have associated command and control network traffic.


Malware IOCs (SHA256):

027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745 VT Link

3419e0d470f83569be0927128b3e5f992800ceb8f9019fc44763876ed6d8000c VT Link

02ef73bd2458627ed7b397ec26ee2de2e92c71a0e7588f78734761d8edbdcd9f VT Link


If you think you have been affected, please get in touch with your Performanta Account Manager or email

CSOC@performanta.com