Petya Ransomware Attack: What We Know So Far

Marina Kidron, Jun 27, 2017

The story around today’s Petya (aka NotPetya) ransomware attack continues to evolve. Here’s what we know thus far.

  • Exploit

While some security firms have reported that Petya uses the EternalBlue exploit — the same exploit used in the recent WannaCry ransomware attack — not all researchers are ready to confirm this. For now, it appears Petya exploits the same vulnerabilities addressed by MS17-010 and propagates quickly over SMBv1. The kernel exploit has also been rewritten, suggesting the attackers behind Petya don’t intend to repeat WannaCry’s mistakes. Some researchers report that additional propagation mechanisms have been built in: the malware searches for credentials and uses administrative tools to spread its exploit code.

There are also questions around the use of an exploit for another Microsoft vulnerability (CVE-2017-0199), for which a patch was released back in April. For this and the MS17-010 vulnerabilities, if there’s even a chance Petya will exploit them, patch or mitigate now.

Remember, WannaCry is also still active; it recently hit Honda and forced production lines to shut down. Killswitch or not, seriously, patch those vulns. All it takes is one unpatched machine.
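The advice above comes down to two checks on every Windows host: is the MS17-010 fix installed, and is SMBv1 still listening. The following script is an added example, not code from the Skybox post, that reports both and can turn the SMBv1 server off. The KB numbers are the ones I recall from the MS17-010 bulletin for common OS builds and should be verified against the bulletin; a later cumulative update can supersede them, so "none found" means "check further", not "unpatched".

```powershell
# Added example, not code from the Skybox post: audit a Windows host for the
# two conditions the post calls out (MS17-010 patch status and SMBv1 exposure)
# and optionally turn the SMBv1 server off. Run from an elevated PowerShell
# session. Usage:  .\Check-Ms17010.ps1               (report only)
#                  .\Check-Ms17010.ps1 -DisableSmb1  (report and remediate)
param([switch]$DisableSmb1)

# KB numbers as I recall them from the MS17-010 bulletin (an assumption to
# verify against the bulletin for your OS build). A later cumulative update
# can supersede these, so "none found" means "check further", not "unpatched".
$Ms17010Kbs = @(
    'KB4012212', 'KB4012215',              # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',              # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',              # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429'  # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Patch {
    param([string[]]$KbIds = $Ms17010Kbs)
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $KbIds -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)
    $kbText = if ($installed.Count) { $installed -join ',' } else { 'none found' }
    [PSCustomObject]@{
        Computer  = $env:COMPUTERNAME
        Ms17010Kb = $kbText
        Patched   = ($installed.Count -gt 0)
    }
}

function Get-Smb1Enabled {
    # The SMB cmdlets exist on Windows 8 / Server 2012 and later; on
    # Windows 7 / 2008 R2 the LanmanServer registry value is the only switch.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
    # SMBv1 is on by default: it is only off when the value exists and is 0
    return ($null -eq $val -or $val -ne 0)
}

function Disable-Smb1Server {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        return
    }
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force
    # takes effect when the LanmanServer service (or the host) restarts
}

$report = Test-Ms17010Patch
$smb1On = Get-Smb1Enabled
$report | Add-Member -NotePropertyName Smb1Enabled -NotePropertyValue $smb1On
$report | Format-List

if ($smb1On -and $DisableSmb1) {
    Disable-Smb1Server
    Write-Host "SMBv1 server disabled on $env:COMPUTERNAME"
} elseif ($smb1On) {
    Write-Warning 'SMBv1 is enabled on this host; re-run with -DisableSmb1 to turn it off'
}
```

Run it in report-only mode across the estate first: a few legacy devices (old NAS units, printers, scanners) still speak only SMBv1, and you want to know which file servers they depend on before flipping the switch. Disabling SMBv1 removes the transport the worm spreads over even on hosts where the patch status cannot be confirmed, which is why the post says "patch or mitigate".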

  • Payload

The first payload is the Petya ransomware, followed by a variant of LokiBot, a banking Trojan that extracts usernames and passwords from compromised computers. The attack then uses the stolen credentials to spread to other computers on the same network.

The Trojan on top of the ransomware means the attack could not only render machines unusable but also steal information.
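Spreading with stolen credentials leaves a trace the exploit-only path does not: one source address opening network logons (Windows Security event 4624, logon type 3) to many different hosts in a few minutes. The script below is an added example, not code from the Skybox post, that looks for that fan-out in logon events collected centrally from many hosts. The field names (`Time`, `SourceIp`, `TargetHost`, `LogonType`) and the sample events are my own construction.

```powershell
# Added example, not code from the Skybox post: flag a source address that
# opens network logons (Security event 4624, logon type 3) to many different
# hosts inside a short window, the fan-out that spreading with stolen
# credentials produces. It works over events gathered centrally from many
# hosts; the sample below is constructed and the field names are my own.

function Find-LogonFanOut {
    param(
        [Parameter(Mandatory)] [object[]]$Events,  # Time, SourceIp, TargetHost, LogonType
        [int]$WindowMinutes = 10,
        [int]$Threshold = 5,                       # distinct targets that raise an alert
        [string[]]$KnownScanners = @()             # addresses allowed to fan out (backup, vuln scanners)
    )
    $alerts = @()
    $groups = $Events |
        Where-Object { $_.LogonType -eq 3 -and $KnownScanners -notcontains $_.SourceIp } |
        Group-Object SourceIp
    foreach ($grp in $groups) {
        $sorted = @($grp.Group | Sort-Object Time)
        for ($i = 0; $i -lt $sorted.Count; $i++) {
            # sliding window starting at each event from this source
            $start = $sorted[$i].Time
            $end   = $start.AddMinutes($WindowMinutes)
            $targets = @($sorted | Where-Object { $_.Time -ge $start -and $_.Time -le $end } |
                Select-Object -ExpandProperty TargetHost -Unique)
            if ($targets.Count -ge $Threshold) {
                $alerts += [PSCustomObject]@{
                    SourceIp        = $grp.Name
                    WindowStart     = $start
                    DistinctTargets = $targets.Count
                    Targets         = ($targets -join ',')
                }
                break   # one alert per source is enough
            }
        }
    }
    return $alerts
}

# Turn live 4624 events from one host's Security log into the flat shape above.
# Each host only sees logons aimed at itself, so the fan-out only becomes
# visible once this output from many hosts is collected in one place.
function Get-NetworkLogons {
    param([int]$Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Time       = $_.TimeCreated
            SourceIp   = $data['IpAddress']
            TargetHost = $env:COMPUTERNAME
            LogonType  = [int]$data['LogonType']
        }
    }
}

# Constructed sample: one workstation talking to a single file server, and one
# that reaches six different hosts within four minutes.
$t0 = Get-Date '2017-06-27 10:00:00'
$sample = @(
    [PSCustomObject]@{ Time = $t0.AddMinutes(1); SourceIp = '10.0.0.5'; TargetHost = 'FILESRV01'; LogonType = 3 }
    [PSCustomObject]@{ Time = $t0.AddMinutes(4); SourceIp = '10.0.0.5'; TargetHost = 'FILESRV01'; LogonType = 3 }
    [PSCustomObject]@{ Time = $t0.AddMinutes(2); SourceIp = '10.0.0.5'; TargetHost = 'WS-0100';   LogonType = 2 }
)
$hosts = 'WS-0100', 'WS-0101', 'WS-0102', 'FILESRV01', 'PRINT01', 'DC01'
for ($i = 0; $i -lt $hosts.Count; $i++) {
    $sample += [PSCustomObject]@{ Time = $t0.AddSeconds(30 + 40 * $i); SourceIp = '10.0.0.77'; TargetHost = $hosts[$i]; LogonType = 3 }
}

Find-LogonFanOut -Events $sample | Format-Table -AutoSize
```

On the constructed sample the function returns a single alert for 10.0.0.77 with six distinct targets, while 10.0.0.5 stays quiet. In production, feed it the aggregated output of Get-NetworkLogons from your SIEM and put domain controllers, backup servers and vulnerability scanners in -KnownScanners, otherwise they will dominate the alert list and bury a real spread.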

Stay tuned to Skybox Security for more developments.


Register for the webinar on June 29 on how Petya and attacks like it are changing the game in cybersecurity and how you can pivot your approach to overcome its challenge.

Protecting Against the Next WannaCry (surprise — it’s Petya!): WannaCry was a wake-up call to the new era of distributed cybercrime attacks. See how Skybox can help you prepare for the next attack.

Take the threat-centric approach to vulnerability management. Download the whitepaper to start protecting your network with real-time threat intelligence and complete network context.

Marina Kidron is Skybox Security's director of threat intelligence and leader of the Skybox Research Lab, a dedicated team of analysts who daily scour dozens of security feeds and sources and investigate sites on the dark web. Kidron has more than 10 years of experience in business and statistical data analysis, data modeling and algorithm development for information technology, mobile and internet companies and financial services companies. She earned a Master's degree in Political Marketing and a Bachelor's degree in Computer Science and Mathematics.
