Petya
NotNotPetya - Bad Rabbit

On 24 October 2017 Bad Rabbit – the third ‘major’ ransomware outbreak of the year – made headlines as it affected large numbers of machines, predominantly in Eastern Europe.

The malware bears many similarities to the Petya - AKA NotPetya, GoldenEye, ExPetr, Petrwrap - attack from June: the ransom messages are very similar in both content and style, the ransom demand is for a similar amount (USD 300 in June versus BTC 0.05 – approximately $280 at current prices), and it attempts to move laterally once inside a network.

Forcepoint Statement on the 'Bad Rabbit' Cyber Attacks

10/26/17 UPDATE: For more details on the Bad Rabbit attacks, including our Labs analysis and discoveries, you can read the blog post here.


PsExec & WMIC – Admin Tools, Techniques, and Procedures

The June 2017 Petya (Petna, Petrwrap, etc.) outbreak injected some much unneeded excitement into an IT sector just starting to come to terms with the implications of the WannaCry outbreak a few weeks beforehand.

In the immediate wake of WannaCry there was a discussion around what could have been done to reduce the impact of the outbreak, but even without the benefit of hindsight it was easy to point to slow patching cycles and the questionable architectural/configuration decision of allowing SMB traffic from external addresses past the network boundary.

However, as discussed in our earlier blog post, June 2017’s Petya campaign appears to have been deployed via a malicious software update and used PsExec and WMIC commands in addition to the now-notorious ‘Eternal’ SMB exploits to spread laterally across compromised networks. Do these observations and recommendations therefore still hold true for Petya?

Is this Petya, NotPetya, GoldenEye, ExPetr, or PetrWrap?

The Petya outbreak recorded on 27 June 2017 has had a significant impact on a number of global organisations, with media outlets reporting impacts as significant as the cessation of activity at the Port of Rotterdam in the Netherlands [1].

While many may be loath to think back six weeks to the trauma of May’s WannaCry outbreak (https://blogs.forcepoint.com/security-labs/wannacry-post-outbreak-analysis), there are a number of parallels between the two incidents ranging from the global reach of the outbreak to the techniques by which the malware is spread.