Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Connect with our team of offensive security, AI security and pen testing experts at Black Hat Europe 2023. Learn More

Managed Detection & Response

Eradicate cyberthreats with world-class intel and expertise

Managed Security Services

Expand your team’s capabilities and strengthen your security posture

Consulting & Professional Services

Tap into our global team of tenured cybersecurity specialists

Penetration Testing

Subscription- or project-based testing, delivered by global experts

Database Security

Get ahead of database risk, protect data and exceed compliance requirements

Email Security & Management

Catch email threats others miss with layered security & maximum control

Co-Managed SOC (SIEM)

Eliminate alert fatigue, focus your SecOps team, stop threats fast, and reduce cyber risk

Microsoft Exchange Server Attacks
Stay protected against emerging threats
Rapidly Secure New Environments
Security for rapid response situations
Securing the Cloud
Safely navigate and stay protected
Securing the IoT Landscape
Test, monitor and secure network objects
Why Trustwave
The Trustwave Approach
Awards and Accolades
Trustwave SpiderLabs Team
Trustwave Fusion Platform
SpiderLabs Fusion Center
Security Operations Centers
Technology Alliance Partners
Key alliances who align and support our ecosystem of security offerings
Trustwave PartnerOne Program
Join forces with Trustwave to protect against the most advance cybersecurity threats
SpiderLabs Blog

The Petya/NotPetya Ransomware Campaign

This is an ongoing, emerging story and may be updated after posting.

There is a new wormlike ransomware campaign on the loose today and you wouldn't be mistaken if you're experiencing a little WannaCry deja vu. The campaign has been called Petya, NotPetya, PetWrap, or Pnyetya depending on whom you talk to and it exploits a least one of the same vulnerabilities exploited in order to spread WannaCry, namely EternalBlue (Petya also uses the EternalRomance exploit). These exploits were publicly disclosed as a part of the Shadow Brokers alleged NSA release back in April. Microsoft patched the vulnerabilities back in March in the MS17-010 bulletin. In the wake of WannaCry, Microsoft later released patches for even legacy Windows operating systems like Windows XP.

While the malware has the capacity to spread via the EternalBlue/EternalRomance vulnerabilities, the malware appears to be more focused on spreading on the Local Area Network rather than out to the Internet. One of its first actions it performs on an infected system is to pull local credentials and then attempt to use those credentials to spread to other locally networked systems. To accomplish this lateral spread, the malware uses the common Windows tools, WMI and PSExec. This means that damage can be spread wider if a system with network administration credentials is exploited. Finally it appears that infection can occur through a fake update for a piece of Ukrainian software called MeDoc. Some researchers are currently suggesting that the MeDoc infection process may have been the initial method of getting the ransomware out there.

The actual ransomware that is eventually dropped on the victim's system seems to emulate a ransomware family called Petya and specifically the GoldenEye variant first discovered toward the end of 2016. Other malware analysts have suggested that the ransomware is not Petya directly but a completely new variant or family.

Regardless of the ransomware's pedigree, it is a bit unique in the ransomware arena. While most ransomware encrypts your important files, like documents, movies, and images, NotPetya takes an extra step and, after encrypting your files, it encrypts your entire hard drive. By encrypting the system volume, Master File Table and the Master Boot Record, Petya prevents the system from booting normally and hooks it into Petya's own bootloader with the ransom note displayed on the screen. This prevents attempts at file recovery using standard forensic techniques such as booting to a LiveCD or other OS.

After infection Petya demands approximately 300$USD in bitcoins in order to decrypt your files. After transferring the bitcoins you are supposed to email the criminals your sending wallet's address so that they can verify the transaction and respond with the decryption keys. However, since the criminal's email address has apparently already been taken down, paying the ransom in order to decrypt your files is currently not possible. With such a poor payment chain, many are suggesting that collecting ransom was not the goal of the malware.

Ransomware continues to be a one of the most popular threats in the wild today, especially to large organizations with both valuable data and legacy systems hidden unpatched in the cracks and corners of their networks. Consistent and up-to-date system backups are critical to recovering from a ransomware infection. Criminals can't hold data hostage if it is recoverable.

Keeping your systems patched and upgrading legacy systems will also go a long way toward preventing infection to begin with. Microsoft has had patches available for the vulnerabilities exploited in this attack since March.

Our Forensic and Incident Response team also put together a Threat Brief back in May during the WannaCry outbreak. The brief includes a lot of technical information surrounding WannaCry and is basically a how-to guide for companies to protect themselves against EnternalBlue based attacks. Since the same exploit is being used, this would also apply to preventing how Petya spreads.

Trustwave customers will find active protection against this campaign in many of our security offerings including:

  • Trustwave Managed Detection & Response (MDR) for Endpoints
  • Trustwave AV (which can detect the ransomware itself)
  • Trustwave UTM (which will block MS17-010 exploitation attempts)
  • Trustwave Vulnerability Scanner (which will detect if a system is missing the MS17-010 patch)

Finally, if you find yourself or your organization infected, our Trustwave Incident Response team is happy to help you. You can visit for more information or call our 24 hour Incident Response Hotline: +1 (866) 659-9097 and select "Option 5".

Latest SpiderLabs Blogs

The 2023 Retail Services Sector Threat Landscape: A Trustwave Threat Intelligence Briefing

The annual holiday shopping season is poised for a surge in spending, a fact well-known to retailers, consumers, and cybercriminals alike. The latter group, however, is poised to exploit any...

Read More

Pwning Electroencephalogram (EEG) Medical Devices by Default

Overall Analysis of Vulnerability Identification – Default Credentials Leading to Remote Code Execution During internal network testing, a document was discovered titled the “XL Security Site...

Read More

Hidden Data Exfiltration Using Time, Literally

I was looking at my watch last week and my attention was moved towards the seconds over at the right of the watch face, incrementing nicely along as you’d expect. Now, I don’t know if I’d just spent...

Read More