
Petya Ransomware cyber attack is spreading across the globe – Part 1

June 27, 2017

As you might know, Petya ransomware is currently devastating airlines, banks, utilities and many other businesses across the globe.

Denmark, France, Spain, Ukraine, and the USA are already impacted and many others might be too in the coming hours.

So far, it seems that the sample is being distributed with an RTF file which drops a DLL as a payload to block the system.

Protect your business before it is too late!

  • Export multiple IOCs shared on the Blueliv Threat Exchange Network:
  • Leverage the Blueliv Threat Intelligence Feed and ingest millions of IOCs into your security arsenal: crime servers, malware hashes, attacking IPs, bot IPs, Tor IPs, hacktivism.
  • Patch your applications and get a solid backup


What we have seen so far in our first analysis

  • If the malware detects that the infected computer has administrator rights, it rewrites the Master Boot Record (MBR), preventing Windows from starting up:



It is worth noting that the widely mentioned “killswitch” is not really a killswitch of any kind: it is just a flag which marks the system as infected, so that the malware doesn’t try to infect you again. In addition, it is not remotely controllable.


  • It seems that it uses PsExec and WMIC (Windows Management Instrumentation Command-Line) to infect computers in the same network:



The command-lines executed are as follows:


       psexec \\%s -accepteula -s -d C:\Windows\System32\rundll32.exe "C:\Windows\<malware>",#1


        wbem\wmic.exe /node:"%ws" /user:"%ws" /password:"%ws" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\<malware>\" #1"
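
The following Python check is an added example, not part of Blueliv's analysis or tooling. It flags process-creation command lines that fit the two templates above and masks the WMIC password before reporting; the sample events, host names, account, password and DLL name are constructed.

```python
import re

# Patterns built from the two command-line templates quoted above (added example).
# A DLL directly under C:\Windows, loaded through rundll32 by ordinal #1.
RUNDLL_ORD1 = re.compile(
    r'rundll32\.exe"?\s+\\?"?C:\\Windows\\[^\\"\s]+\\?"?\s*,?\s*#1\b', re.I)
# PsExec aimed at a remote host (\\host) with -s (run as SYSTEM) and -d (detached).
PSEXEC = re.compile(
    r'psexec(?:64)?(?:\.exe)?"?\s+\\\\\S+(?=.*\s-s\b)(?=.*\s-d\b)', re.I)
# WMIC creating a process on another node.
WMIC = re.compile(r'wmic(?:\.exe)?"?\s.*?/node:.*?process\s+call\s+create', re.I)
PASSWORD = re.compile(r'(/password:)"[^"]*"', re.I)


def classify(cmdline):
    """Return the sorted indicator names one process command line matches."""
    checks = (("psexec-remote-system", PSEXEC), ("wmic-remote-create", WMIC),
              ("rundll32-ordinal-1", RUNDLL_ORD1))
    return sorted(name for name, rx in checks if rx.search(cmdline))


def redact(cmdline):
    """Mask the /password: value so alerts do not carry credentials."""
    return PASSWORD.sub(r'\1"***"', cmdline)


def scan(events):
    """events: iterable of (host, cmdline); return [(host, hits, redacted cmdline)]."""
    return [(host, classify(cmd), redact(cmd))
            for host, cmd in events if classify(cmd)]


# Constructed sample events: hosts, accounts, password and DLL name are made up.
SAMPLE = [
    ("ws01", r'psexec \\10.0.0.7 -accepteula -s -d '
             r'C:\Windows\System32\rundll32.exe "C:\Windows\sample.dll",#1'),
    ("ws01", r'C:\Windows\System32\wbem\wmic.exe /node:"10.0.0.7" /user:"CORP\svc" '
             r'/password:"EXAMPLE-ONLY" process call create '
             r'"C:\Windows\System32\rundll32.exe \"C:\Windows\sample.dll\" #1"'),
    ("ws02", r'C:\Windows\System32\rundll32.exe "C:\Windows\sample.dll",#1'),
    ("ws03", r'rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL desk.cpl'),
    ("ws03", r'wmic.exe /node:"srv02" os get caption'),
]

if __name__ == "__main__":
    for host, hits, cmd in scan(SAMPLE):
        print(host, hits, cmd)
```

A hit on `rundll32-ordinal-1` alone (the `ws02` event) is what the receiving host would log, so it is worth correlating with a remote-execution hit on another machine.
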
  • Target file extensions:



Quick Tips

In case you’re breached, isolate your computers from the network by disconnecting the network cable. Do not restart the computers, because restarting triggers the malware. This will give your incident response team (CSIRT) some precious time before the malware shuts down the computer (after a while).

The malware adds a task to the Windows Task Scheduler, which turns off the computer after a random amount of time. The encryption of the files happens after the computer restarts, so it is important to delete the task so that the computer doesn’t shut down.
To do so, follow these steps:

  • Open the Task Scheduler (by searching for it in the Start Menu, or executing “taskschd.msc”)
  • Click on the “Task Scheduler Library”
  • In the list on the right, find a task with a name like {XXXXXXXX-XXX-XXX…}
  • Delete it by right-clicking and selecting “Delete”
  • Do not turn off your computer: back up your files first!

Blueliv's in-house Threat Intelligence Lab team is already monitoring the attacks to collect more insights into the Petya attack, leveraging malware reversing and our honeypot network.

We will keep you informed and will update this blog with any new relevant development about the Petya attack which can help you to protect your organization.

Feel free to get in touch with us!

