PetyaWrap
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
PetyaWrap, as some researchers are calling the ransomware, uses a cocktail of potent techniques to break into a network and from there spread from computer to computer.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Techniques & procedures
9 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
1 technique
at least some of the attacks also exploited the update mechanism of a third-party Ukrainian software product called MeDoc... MeDoc was itself compromised by malware that took control of the mechanism that sends updates to end users.
Execution
1 technique
infected computers would then use PSExec, a legitimate Windows component known as the Windows Management Instrumentation, and possibly other command-line utilities to infect other machines
Stealth
1 technique
Credential Access
1 techniqueOne, according to Kaspersky, was the use of the Mimikatz hacking tool to extract passwords from other computers on a network.
Discovery
1 technique
Lateral Movement
3 techniques
With those network credentials in hand, infected computers would then use PSExec, a legitimate Windows component known as the Windows Management Instrumentation, and possibly other command-line utilities to infect other machines...
With those network credentials in hand, infected computers would then use PSExec... and possibly other command-line utilities to infect other machines.
Tuesday's attack made use of EternalBlue... Tuesday's attack also repurposed a separate NSA exploit dubbed EternalRomance.
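The Execution, Credential Access and Lateral Movement entries above describe one chain: credentials harvested with Mimikatz are replayed over two distinct remote-execution channels, PsExec (which installs a temporary service on the target) and WMI (wmic.exe's process call create against a remote node, with explicit /user: and /password: switches when the caller is not already authenticated). The script below is an added example, not code from the Mallory page or from any vendor rule set; it hunts for both patterns in process-creation telemetry. The record format, field names (Computer, Image, ParentImage, CommandLine) and the sample records are constructed for the demo and stand in for Sysmon Event ID 1 or an EDR equivalent.

```python
"""Hunt process-creation telemetry for WMI and PsExec remote execution.

Added example, not part of the Mallory page. Two detections:
  * wmi_remote_exec[_with_creds]: wmic.exe launched with /node: (remote
    target) and "process call create"; flagged separately when the command
    line also carries /user: or /password:, i.e. replayed credentials.
  * psexec_service_child: any process whose parent is PSEXESVC.exe, the
    service PsExec drops on the target to run the requested command.
The "key=value|key=value" record format is an assumption for the demo.
"""
import re
from dataclasses import dataclass

WMIC_REMOTE = re.compile(r'/node:\s*"?[^\s"]+"?', re.IGNORECASE)
WMIC_CREDS = re.compile(r'/user:|/password:', re.IGNORECASE)
WMIC_CREATE = re.compile(r'process\s+call\s+create', re.IGNORECASE)


@dataclass
class Finding:
    host: str
    rule: str
    command: str


def parse_record(line: str) -> dict:
    """Split one constructed 'key=value|key=value' record into a dict."""
    fields = {}
    for kv in line.split('|'):
        key, _, value = kv.partition('=')
        fields[key.strip()] = value.strip()
    return fields


def check_record(rec: dict) -> list:
    """Return every finding that applies to a single process-creation record."""
    image = rec.get('Image', '').lower()
    parent = rec.get('ParentImage', '').lower()
    cmd = rec.get('CommandLine', '')
    host = rec.get('Computer', '?')
    findings = []
    if image.endswith('wmic.exe') and WMIC_REMOTE.search(cmd) and WMIC_CREATE.search(cmd):
        rule = 'wmi_remote_exec_with_creds' if WMIC_CREDS.search(cmd) else 'wmi_remote_exec'
        findings.append(Finding(host, rule, cmd))
    if parent.endswith('psexesvc.exe'):
        findings.append(Finding(host, 'psexec_service_child', cmd))
    return findings


def hunt(lines) -> list:
    """Run check_record over a sequence of raw records, skipping blanks."""
    out = []
    for line in lines:
        if line.strip():
            out.extend(check_record(parse_record(line)))
    return out


# Constructed sample telemetry: one remote WMI launch with replayed
# credentials, one child of the PsExec service, one benign local wmic query.
SAMPLE_LOGS = """
Computer=WS01|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=wmic /node:"10.0.0.12" /user:"CORP\\admin" /password:"Pa55w0rd" process call create "cmd.exe /c whoami"
Computer=WS02|Image=C:\\Windows\\System32\\cmd.exe|ParentImage=C:\\Windows\\PSEXESVC.exe|CommandLine=cmd.exe /c whoami
Computer=WS03|Image=C:\\Windows\\System32\\wbem\\WMIC.exe|ParentImage=C:\\Windows\\System32\\cmd.exe|CommandLine=wmic os get caption
""".strip().splitlines()


if __name__ == '__main__':
    for f in hunt(SAMPLE_LOGS):
        print(f'{f.host}: {f.rule}: {f.command}')
```

In production the same two rules belong in the SIEM as a Sigma rule pair rather than a script; the value of running them side by side is that a PSEXESVC child on one host shortly after a credentialed wmic launch from another is the propagation pattern the excerpts describe, and either rule alone also fires on legitimate administration, so correlate on the source host and the time window before paging anyone.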
Impact
2 techniques
The encryption routine that permanently locks data until targets pay a $300 fee starts only after the computer restarts.
The ransomware targets the computer's master boot record, which is a crucial file that allows a computer to locate its operating system and other key components.
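Because the boot-stage encryption only runs after a restart, the window between infection and reboot is when a host can still be saved, and the tell is that sector 0 no longer holds the boot code it was provisioned with. The script below is an added example, not code from the Mallory page or any vendor tool: it compares the boot-code region of a 512-byte MBR against a hash taken when the machine was known-good, checks the 0x55AA signature, and parses the partition table so an analyst can also see whether that was altered. The two sectors and the baseline are constructed test data, not real bootloaders.

```python
"""Compare a disk's first sector against a known-good boot-code baseline.

Added example, not part of the Mallory page. MBR layout (standard):
  bytes 0..445    boot code
  bytes 446..509  four 16-byte partition entries
  bytes 510..511  0x55AA boot signature
The CLEAN and TAMPERED sectors below are constructed for the demo.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_END = 446
PART_TABLE_END = 510
BOOT_SIG = b'\x55\xAA'


def make_sector(boot_code: bytes, partition_table: bytes) -> bytes:
    """Assemble a 512-byte MBR from boot code and a 64-byte partition table."""
    assert len(partition_table) == 64
    return boot_code.ljust(BOOT_CODE_END, b'\x00')[:BOOT_CODE_END] + partition_table + BOOT_SIG


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may legitimately change."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def partition_entries(sector: bytes) -> list:
    """Decode the non-empty entries of the MBR partition table."""
    table = sector[BOOT_CODE_END:PART_TABLE_END]
    entries = []
    for i in range(4):
        e = table[i * 16:(i + 1) * 16]
        boot_flag, ptype = e[0], e[4]
        lba_start, sectors = struct.unpack_from('<II', e, 8)
        if ptype:
            entries.append({'bootable': boot_flag == 0x80, 'type': ptype,
                            'lba_start': lba_start, 'sectors': sectors})
    return entries


def assess(sector: bytes, baseline_hash: str) -> dict:
    """Report whether sector 0 still matches the baseline and is structurally sane."""
    problems = []
    if len(sector) != SECTOR:
        problems.append('sector is not 512 bytes')
    if sector[PART_TABLE_END:SECTOR] != BOOT_SIG:
        problems.append('missing 0x55AA boot signature')
    if boot_code_hash(sector) != baseline_hash:
        problems.append('boot code differs from baseline')
    parts = partition_entries(sector) if len(sector) == SECTOR else []
    if not any(p['bootable'] for p in parts):
        problems.append('no bootable partition entry')
    return {'tampered': bool(problems), 'problems': problems, 'partitions': parts}


# Constructed data: a single bootable NTFS-type (0x07) partition at LBA 2048.
PART_TABLE = struct.pack('<BBBBBBBBII', 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800) + b'\x00' * 48
CLEAN_BOOT_CODE = b'\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb' + b'\x90' * 32      # stand-in for provisioned boot code
TAMPERED_BOOT_CODE = b'\xeb\x3c\x90' + b'\xcc' * 128                          # stand-in for a replaced bootloader
CLEAN_SECTOR = make_sector(CLEAN_BOOT_CODE, PART_TABLE)
TAMPERED_SECTOR = make_sector(TAMPERED_BOOT_CODE, PART_TABLE)
BASELINE_HASH = boot_code_hash(CLEAN_SECTOR)   # captured at provisioning time in practice


if __name__ == '__main__':
    for name, sec in (('clean', CLEAN_SECTOR), ('tampered', TAMPERED_SECTOR)):
        print(name, assess(sec, BASELINE_HASH))
```

To run this against a live host, read the first 512 bytes of the raw disk (for example `open(r'\\.\PhysicalDrive0', 'rb').read(512)` on Windows, `/dev/sda` on Linux; both need administrator or root) and pass them to `assess` with the hash recorded when the image was built. A mismatch on a machine that is also showing the lateral-movement telemetry above is a reason to keep it powered on and off the network rather than let it reboot.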
Recent activity
2 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware that spreads laterally across networks using NSA-linked exploits EternalBlue and EternalRomance, credential theft via Mimikatz, and remote execution through PSExec/WMI. It also reportedly leveraged the MeDoc software update mechanism in some attacks.
A fast-spreading ransomware/wiper-like malware that overwrites the master boot record with its own bootloader and, on the next restart, encrypts the master file table rather than individual files, demands a $300 Bitcoin payment, steals credentials, and propagates across networks using stolen credentials and SMB exploitation. The article notes researchers suspected its true intent may have been destructive rather than profit-driven.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.