
Petya/NotPetya: The Ransomware That Wasn't Actually Looking to Ransom Anything

Raevenlord

News Editor
Joined
Aug 12, 2016
Messages
3,755 (1.35/day)
Location
Portugal
System Name The Ryzening
Processor AMD Ryzen 9 5900X
Motherboard MSI X570 MAG TOMAHAWK
Cooling Lian Li Galahad 360mm AIO
Memory 32 GB G.Skill Trident Z F4-3733 (4x 8 GB)
Video Card(s) Gigabyte RTX 3070 Ti
Storage Boot: Transcend MTE220S 2TB, Kintson A2000 1TB, Seagate Firewolf Pro 14 TB
Display(s) Acer Nitro VG270UP (1440p 144 Hz IPS)
Case Lian Li O11DX Dynamic White
Audio Device(s) iFi Audio Zen DAC
Power Supply Seasonic Focus+ 750 W
Mouse Cooler Master Masterkeys Lite L
Keyboard Cooler Master Masterkeys Lite L
Software Windows 10 x64
You've heard of the Petya ransomware by now. The wave, which had hit around 64 countries by June 27th, infected an estimated 12,500 computers in Ukraine alone, taking down several of the country's critical infrastructure systems (which just goes to show how vulnerable our connected systems really are.) Ukraine was by far the hardest-hit country, but the wave expanded to the Russian Federation and Poland, and eventually reached the USA (the joys of globalization, huh?) Now, some interesting details on the purported ransomware attack have come to light which cast some mystery over the entire endeavor. Could it be that Petya (which is also being referred to as NotPetya/SortaPetya/Petna, for your reference, since it mostly masquerades as that well-known ransomware) wasn't really a ransomware attack at all?





Let's get this clear: there was a ransomware edge to this attack, of that there is no doubt. Petya worked as most ransomware does: encrypting a given computer's files and NTFS libraries, forcing devices to reboot, and then displaying ransom demands with instructions detailing how to pay for the liberation of the encrypted files. However, the way in which this was done is unusual, to say the least. There are a number of ways to go about demanding ransoms; cryptocurrency wallet addresses are the most common. What is strange in this whole affair is that the would-be perpetrators used a public email address (provided by Posteo) for their ransom communications. Naturally, Posteo closed down the account as soon as it became clear their service was being used for nefarious purposes (whether or not this was the best course of action is debatable.) But this closed the sole channel of communication between the perpetrators and their victims, who now had no way to contact them to obtain the wallet address where they were supposed to send funds, nor to receive any eventual decryption keys. Now I don't know about you, but a group capable of forking a variant of the GoldenEye ransomware and getting it to infect thousands of computers and critical infrastructure didn't consider this might happen? I don't buy it.

An information security researcher who goes by the pseudonym "the grugq" had this to say regarding Petya/NotPetya:

"Although the worm is camouflaged to look like the infamous Petya ransomware, it has an extremely poor payment pipeline. There is a single hardcoded BTC wallet and the instructions require sending an email with a large amount of complex strings (something that a novice computer victim is unlikely to get right.) If this well engineered and highly crafted worm was meant to generate revenue, this payment pipeline was possibly the worst of all options (short of "send a personal cheque to: Petya Payments, PO Box …"). The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of "ransomware."

So, basically, coders competent enough to produce such a fork chose the worst possible payment channel available, despite numerous cases of actual ransomware "done right", if you'll allow me the expression. Kaspersky Lab followed up with an update in which Anton Ivanov and Orkhan Mamedov confirmed that the attackers "cannot decrypt victims' disk, even if a payment was made." They go on to say that "This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware. (...)"

Another analyst from Comae Technologies came to the same conclusion regarding the attack, saying that "Ransomware and hackers are becoming the scapegoats of nation state attackers. Petya is a wiper, not a ransomware."

The fact that this particular version of the Petya ransomware had its patient zero in the Me-doc software, which is one of only two approved accounting software packages in Ukraine and the most widely used in Ukrainian companies and government, means that "an attack launched from MeDoc would hit not only Ukraine's government but many foreign investors and companies." The Me-doc infection vector was later confirmed by the Ukrainian police's cyber-security department.



It seems this ransomware attack was nothing more than a wiper attack disguised as ransomware, with the sole purpose of infecting as much of Ukraine's infrastructure and essential services as possible, while also attempting to infect businesses connected with the country (which is likely why the infection spread through those at least 64 countries we mentioned at the beginning of this piece.)

It would appear a vaccine of sorts has in the meantime been found to thwart this version of Petya, preventing it from running its installation routine on your computer (perhaps a fail-safe from the perpetrators to avoid their own machines being infected with the malware?) Researcher Serper advanced (and this was later confirmed by other independent security research outfits) that Petya looks for a particular file on the system, aborting its installation if it finds said file. To make yourself immune to the Petya installation, according to the researchers (and I have to put a little disclaimer here that other versions of the software could perfectly well change the target lookup file), you should "create a file called perfc in the C:\Windows folder and make it read only." A batch file that does this is available, created by Bleeping Computer's owner Lawrence Abrams.
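As an added example (not from the article, and not Lawrence Abrams' batch file), here is the same vaccine step as a PowerShell script: it creates the read-only file the article describes and then verifies that it is present and read-only. It assumes an elevated session, since writing to C:\Windows requires administrator rights, and it takes the file name(s) as a parameter so the list can be extended if a variant is reported to check a different name; only `perfc` comes from the article, and the function names are this example's own.

```powershell
# Added example, not the article's or Bleeping Computer's code.
# Creates the read-only "vaccine" file the article describes and verifies it.
# Assumes an elevated PowerShell session (C:\Windows is not writable otherwise).
param(
    [string]$WindowsDir = $env:SystemRoot,   # normally C:\Windows
    [string[]]$Names = @('perfc')            # name from the article; extend if other lookup names are reported
)

function Set-VaccineFile {
    param([string]$Path)
    if (Test-Path -LiteralPath $Path) {
        Write-Output "exists:  $Path"
    } else {
        # zero-byte file is enough; the malware only checks for its presence
        New-Item -ItemType File -Path $Path -Force | Out-Null
        Write-Output "created: $Path"
    }
    # make the file read-only, as the article instructs
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
}

function Test-VaccineFile {
    param([string]$Path)
    # $true only when the file exists AND carries the read-only attribute
    $item = Get-Item -LiteralPath $Path -ErrorAction SilentlyContinue
    return [bool]($item -and $item.IsReadOnly)
}

foreach ($n in $Names) {
    $full = Join-Path -Path $WindowsDir -ChildPath $n
    Set-VaccineFile -Path $full
    if (Test-VaccineFile -Path $full) {
        Write-Output "ok:      $full is present and read-only"
    } else {
        Write-Output "WARNING: $full is missing or writable"
    }
}
```

Run it from an elevated prompt; `Test-VaccineFile` returns `$true` only when the file exists with the read-only attribute set, so the same function can be reused in an inventory script to confirm the vaccine across a fleet. As the article's own disclaimer notes, the file only stops variants that perform this particular lookup, so it complements patching and backups rather than replacing them.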

Joined Nov 5, 2014
> "Naturally, Posteo closed down the e-mail account as soon as it became clear their service was being used for nefarious purposes"

Lol, Posteo can look forward to some lawsuits from companies who now have no way to decrypt their files, idiots >.>
 
Joined Apr 19, 2012
Location Gypsyland, UK
Basically some "Patriotic" Russians decided to employ a cyberattack on Ukraine infrastructure and then hit a few other random targets to scatter the intention. The fact that they don't care whether an infected user can pay a ransom or not speaks volumes as to the intent.

Overall nothing will be done and no consequences enforced.
 
Joined Aug 20, 2007
> "Naturally, Posteo closed down the e-mail account as soon as it became clear their service was being used for nefarious purposes"
>
> Lol, Posteo can look forward to some lawsuits from companies who now have no way to decrypt their files, idiots >.>

Those lawsuits would be dismissed almost immediately in any jurisdiction I can think of, as the only thing Posteo did was prevent the attacker from profiting from the crime. They did not encrypt OR wipe the files, or commit any crime by closing said email.
 

rtwjunkie
PC Gaming Enthusiast
Supporter
Joined Jul 25, 2008
Location Louisiana -Laissez les bons temps rouler!
> The fact that they don't care whether an infected user can pay a ransom or not speaks volumes as to the intent.

Exactly. Not Ransomware, but terrorism. This was a deliberate attack disguised as Ransomware in order to deny access to files and systems.
 
Joined Nov 3, 2007
"An information security researches" should read "An information security researcher"
 

qubit
Overclocked quantum bit
Joined Dec 6, 2007
Location Quantum Well UK
> Exactly. Not Ransomware, but terrorism. This was a deliberate attack disguised as Ransomware in order to deny access to files and systems.

Could it be ISIS maybe?
 

rtwjunkie
PC Gaming Enthusiast
> Could it be ISIS maybe?

My money is on Russians, since many there cannot wait to get their hands back on the entire Ukraine (not just the Crimea region).
 

Raevenlord
News Editor
Joined Mar 16, 2017
Location behind you
NextPowerUp had an article yesterday that said only the first 25 sectors of your disk are overwritten by this. If so, then that's a pretty easy thing to fix without losing any of your files in the process.
 

Solaris17
Super Dainty Moderator
Staff member
Joined Aug 16, 2005
Location Alabama

Raevenlord
News Editor
> This isn't Petya. Even all the sources which I'm sure you read stated this. Petya is an actual infection that has already happened. Please do not confuse the two. God sometimes security related news posts are cringy.
>
> You can have some tech doc writeups here, deduce the differences etc.
>
> https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/
>
> http://blog.checkpoint.com/2016/04/11/decrypting-the-petya-ransomware/
>
> as they say security in education.

While it isn't Petya per se as the original, it's being called so (and some varieties) by Kaspersky (ExPetr/Petya/NotPetya). Also, the sources in the article (much more security focused than I am, admittedly) refer to it as such as well. So I decided to run the article with that name, which is much more recognizable, and which the sources do as well =)
 

Solaris17
Super Dainty Moderator
> While it isn't Petya per se as the original, it's being called so (and some varieties) by Kaspersky (ExPetr/Petya/NotPetya). Also, the sources in the article (much more security focused than I am, admittedly) refer to it as such as well. So I decided to run the article with that name, which is much more recognizable, and which the sources do as well =)

Jesus journalism has gone in the shitter.

Education fixes this not settling. The Bleeping Computer article IIRC even states Kaspersky renamed it after finding out it wasn't related, leaving Petya in the name because people like this site were referencing it as such, but at least THEY explain what it isn't.

At least people infected with actual Petya that might be able to save their systems will probably not reference sites like this for help.

It would be a shame to tell someone they have chickenpox when they have the plague.


I'm being a dick. No excuse, it may be a good idea to at least include the other namesakes so that users may more easily differentiate from the original infection in 2016, as this is not necessarily the same infection.
 

Raevenlord
News Editor
> Jesus journalism has gone in the shitter.
>
> Education fixes this not settling. The Bleeping Computer article IIRC even states Kaspersky renamed it after finding out it wasn't related, leaving Petya in the name because people like this site were referencing it as such, but at least THEY explain what it isn't.
>
> At least people infected with actual Petya that might be able to save their systems will probably not reference sites like this for help.
>
> It would be a shame to tell someone they have chickenpox when they have the plague.
>
> I'm being a dick. No excuse, it may be a good idea to at least include the other namesakes so that users may more easily differentiate from the original infection in 2016, as this is not necessarily the same infection.

Aye, I applaud the effort of crossing out all of those things yet still leaving them there (Sarcasm/NotSarcasm) ;)

The Bleeping Computer article also refers to it as Petya, though with the other different names referenced as well. Perhaps that was the cause of dissent between us.

I've updated the article's title and included a reference in the main body text that it is being called other names as well, so as to better inform the readers. I believe that was what you were trying to achieve?

Can't disagree with your metaphor though (I do love me some accurate metaphors).

Edit:
"Could it be that Petya (which is actually being referred to as NotPetya/SortaPetya/Petna as well, for your reference, since it mostly masquerades as that well-known ransomware) wasn't really a ransomware attack?"

Perhaps this helps readers. So thanks for pointing out the article's weakness :)
 

Solaris17
Super Dainty Moderator
> Aye, I applaud the effort of crossing out all of those things yet still leaving them there (Sarcasm/NotSarcasm)
>
> The Bleeping Computer article also refers to it as Petya, though with the other different names referenced as well. Perhaps that was the cause of dissent between us.
>
> I've updated the article's title and included a reference in the main body text that it is being called other names as well, so as to better inform the readers. I believe that was what you were trying to achieve?
>
> Can't disagree with your metaphor though (I do love me some accurate metaphors).

I left it because I said it and I won't pretend I didn't, but I was being very rash. I don't have an excuse; it was unwarranted. This site doesn't focus on this stuff and that's fine; you alerted the masses in the best method at your disposal.

That said, I only raised concern because this is what I do to pay bills. Petya as it was originally referenced was done because initial infections looked like it. However, after disassembly it was found that only the dropper method was taken from Petya; the actual damage done (Petya 2016 can be saved) and exploit methods were completely different. At that point they classed it as something different altogether but left Petya because less experienced firms were already calling it such.

However, I don't like false hope and I just think it's important to make the differentiation, because people that have Petya vs people that have NotPetya are in very different boats.
 

Raevenlord
News Editor
> I left it because I said it and I won't pretend I didn't, but I was being very rash. I don't have an excuse; it was unwarranted. This site doesn't focus on this stuff and that's fine; you alerted the masses in the best method at your disposal.
>
> That said, I only raised concern because this is what I do to pay bills. Petya as it was originally referenced was done because initial infections looked like it. However, after disassembly it was found that only the dropper method was taken from Petya; the actual damage done (Petya 2016 can be saved) and exploit methods were completely different. At that point they classed it as something different altogether but left Petya because less experienced firms were already calling it such.
>
> However, I don't like false hope and I just think it's important to make the differentiation, because people that have Petya vs people that have NotPetya are in very different boats.

And I thank you, because this really isn't my area of expertise. But I could've been more explicit in how I conveyed the message, and that additional information only helps build the article.
 
Joined Mar 16, 2017
The internet needs more people like you Raevenlord and Solaris17.

IMHO NotPetya isn't the work of a state actor or a hacker group. It screams lone amateur to me. Heck I could probably write a better payload than this.
 

silentbogo
Moderator
Staff member
Joined Nov 20, 2013
Location Kyiv, Ukraine
There are a few more things you can add to the article, to extend the available info and clarify some things:
1) Kaspersky Lab published their findings on June 26th, while others like ESET, Avast, and Symantec were still arguing that this is indeed Petya. I would've totally missed the whole "virus" thing, if not for my pretty neighbor who couldn't access her online banking at 11:30PM the night before her birthday.
2)
> the Me-doc software, which is one of only two approved accounting software in Ukraine
One correction: it is effectively the only one since the nationwide ban on the 1C accounting software complex, along with Kaspersky AV, Dr.Web and some other "evil russian software and web-services".
M.E.Doc is pretty much forced for all tax filings and non-cash transaction accounting in my country. There are a few other alternatives, but they are just as bad, if not worse than M.E.Doc.
BTW, the M.E.Doc website has been down since yesterday.
3) Everyone still calls it Petya, because of ignorant news outlets and simple habit. Even in official announcements and press releases from the Security Service of Ukraine it is still called Petya.A (maybe they do it on purpose to piss off those russians from Kaspersky Lab).
4) Also, in yesterday's recommendation/announcement the Cybersecurity dpt. said that the primary source of the attack was phishing e-mails with "loaded" MS Word/PDF documents.
Exploiting the M.E.Doc vulnerability was only the second stage of the attack.

> It screams lone amateur to me.
That was my impression since the start of the attack.
 

Solaris17
Super Dainty Moderator
> There are a few more things you can add to the article, to extend the available info and clarify some things:
> 1) Kaspersky Lab published their findings on June 26th, while others like ESET, Avast, and Symantec were still arguing that this is indeed Petya. I would've totally missed the whole "virus" thing, if not for my pretty neighbor who couldn't access her online banking at 11:30PM the night before her birthday.
> 2)
> One correction: it is effectively the only one since the nationwide ban on the 1C accounting software complex, along with Kaspersky AV, Dr.Web and some other "evil russian software and web-services".
> M.E.Doc is pretty much forced for all tax filings and non-cash transaction accounting in my country. There are a few other alternatives, but they are just as bad, if not worse than M.E.Doc.
> BTW, the M.E.Doc website has been down since yesterday.
> 3) Everyone still calls it Petya, because of ignorant news outlets and simple habit. Even in official announcements and press releases from the Security Service of Ukraine it is still called Petya.A (maybe they do it on purpose to piss off those russians from Kaspersky Lab).
> 4) Also, in yesterday's recommendation/announcement the Cybersecurity dpt. said that the primary source of the attack was phishing e-mails with "loaded" MS Word/PDF documents.
> Exploiting the M.E.Doc vulnerability was only the second stage of the attack.
>
> That was my impression since the start of the attack.

It should also be noted that the hosting provider Posteo, which hosts the email account linked to the attackers' payment block chain, has blocked the account. It's now useless to try and pay to get anything decrypted because the emails cannot be received. Though it is said that, unlike Petya, NotPetya couldn't be "decrypted" anyway because the damage caused is permanent.


> The internet needs more people like you Raevenlord and Solaris17.
>
> IMHO NotPetya isn't the work of a state actor or a hacker group. It screams lone amateur to me. Heck I could probably write a better payload than this.

Was just super grouchy this AM. I can get a bit overly passionate about security. I've nothing against TPU, its staff or @Raevenlord specifically. I am certainly not above knowing I'm being unreasonable or a bit of a dick. I'll always try to make amends if I catch myself doing it.
 

cdawall
where the hell are my stars
Joined Jul 23, 2006
Location Houston
> IMHO NotPetya isn't the work of a state actor or a hacker group. It screams lone amateur to me. Heck I could probably write a better payload than this.

Unless the intent was to look like an amateur to avoid blame.
 
Joined Mar 16, 2017
> Unless the intent was to look like an amateur to avoid blame.

Considering the amount of press this has gotten and being mistaken for a Petya variant, they failed spectacularly if that were true.
 

cdawall
where the hell are my stars
> Considering the amount of press this has gotten and being mistaken for a Petya variant, they failed spectacularly if that were true.

Very true...
 
Joined Nov 4, 2005
Any word from the email provider of an IP that registered the email address? Not that you couldn't hide behind a VPN but even a source routed IP of a known VPN could give some clues.
 
Joined Feb 2, 2015
Location On The Highway To Hell \m/
NATO says a 'state actor' was behind the massive ransomware attack and could trigger military response

Researchers have said that it's possible the attack came from Russia, and perhaps within the Russian state. Clues include the timing – the attack came the same day as the assassination of a senior Ukrainian military intelligence officer and a day before a national holiday celebrating the new Ukrainian constitution signed after the breakup of the Soviet Union.

"Everything being said so far does point to Russia being a leading candidate for a suspect in this attack," said Robert M. Lee, CEO of Dragos Inc. an expert who has studied the attacks on Ukraine's power grid.
http://www.independent.co.uk/life-s...ne-chernobyl-wpp-merck-wannacry-a7816036.html
 

Solaris17
Super Dainty Moderator
> Any word from the email provider of an IP that registered the email address? Not that you couldn't hide behind a VPN but even a source routed IP of a known VPN could give some clues.

I am sure they are looking into it, but no ones reported on it yet :(
 