{ "Event": { "analysis": "2", "date": "2017-03-20", "extends_uuid": "", "info": "OSINT - PetrWrap: the new Petya-based ransomware used in targeted attacks", "publish_timestamp": "1490031726", "published": true, "threat_level_id": "3", "timestamp": "1490031717", "uuid": "58d013c1-6abc-472a-bbeb-41ba950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "local": false, "name": "tlp:white", "relationship_type": "" }, { "colour": "#006c6c", "local": false, "name": "ecsirt:malicious-code=\"ransomware\"", "relationship_type": "" } ], "Attribute": [ { "category": "Payload installation", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490031644", "to_ids": true, "type": "md5", "uuid": "58d013ce-8000-4021-8d1b-45ea950d210f", "value": "17c25c8a7c141195ee887de905f33d7b" }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490031680", "to_ids": false, "type": "link", "uuid": "58d013e3-c1f0-49d4-8f2d-4bc2950d210f", "value": "https://securelist.com/blog/research/77762/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks/", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#075200", "local": false, "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1490031681", "to_ids": false, "type": "text", "uuid": "58d013f5-522c-481a-9fab-464b950d210f", "value": "This year we found a new family of ransomware used in targeted attacks against organizations. After penetrating an organization\u00e2\u20ac\u2122s network the threat actors used the PsExec tool to install ransomware on all endpoints and servers in the organization. The next interesting fact about this ransomware is that the threat actors decided to use the well-known Petya ransomware to encrypt user data. As you may know, this family of ransomware has a RaaS model, but the threat actor decided not to use this ability. To get a workable version of the ransomware, the group behind PetrWrap created a special module that patches the original Petya ransomware \u00e2\u20ac\u0153on the fly\u00e2\u20ac\u009d. This is what makes this new malware so unique.", "Tag": [ { "colour": "#00223b", "local": false, "name": "osint:source-type=\"blog-post\"", "relationship_type": "" }, { "colour": "#075200", "local": false, "name": "admiralty-scale:source-reliability=\"b\"", "relationship_type": "" } ] }, { "category": "Payload installation", "comment": "- Xchecked via VT: 17c25c8a7c141195ee887de905f33d7b", "deleted": false, "disable_correlation": false, "timestamp": "1490031647", "to_ids": true, "type": "sha256", "uuid": "58d0141f-9e94-4fea-9020-400b02de0b81", "value": "e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660" }, { "category": "Payload installation", "comment": "- Xchecked via VT: 17c25c8a7c141195ee887de905f33d7b", "deleted": false, "disable_correlation": false, "timestamp": "1490031648", "to_ids": true, "type": "sha1", "uuid": "58d01420-8a3c-4ece-aa5d-4a3602de0b81", "value": "7fa8079e8dca773574d01839efc623d3cd8e6a47" }, { "category": "External analysis", "comment": "- Xchecked via VT: 17c25c8a7c141195ee887de905f33d7b", "deleted": false, "disable_correlation": false, "timestamp": "1490031649", "to_ids": false, "type": "link", "uuid": "58d01421-45b8-4f3c-af63-4c6902de0b81", "value": "https://www.virustotal.com/file/e079fa28ea51fa98644164caf585ae3231d25372fccca1245902fb57488d4660/analysis/1489720430/" } ] } }