Keeping up with the Petyas: Demystifying the malware family

Last June 27, there was a huge outbreak of a Petya-esque malware with WannaCry-style infector in the Ukraine. Since there is still confusion about how exactly this malware is linked to the original Petya, we have prepared this small guide on the background of the Petya family. The origin of Petya...

All this EternalPetya stuff makes me WannaCry

Another week goes by and yet again we have another ransomware outbreak initially dropped by a malicious software update and eventually spreading within internal networks using several methods - including EternalBlue - the leaked exploit from the ShadowBrokers group. Security researchers can’t see...

EternalPetya and the lost Salsa20 key

We have recently been facing a huge outbreak of a new Petya-like malware armed with an infector similar to WannaCry. The research is still in progress, and the full report will be published soon. In this post, we will focus on some new important aspects of the current malware. The low-level attac...

New Petya Distribution Vectors Bubbling to Surface

Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017 at 10 a.m. Eastern time for a webinar “The Inside Story of the Petya/ExPetr Ransomware.” Click here to attend. While Microsoft and others continue to shore up links between yesterday’s global ransomware outbreak and the update...

Complex Petya-Like Ransomware Outbreak Worse than WannaCry

Join Kaspersky Lab and Comae Technologies Thursday June 29, 2017 at 10 a.m. Eastern time for a webinar “The Inside Story of the Petya/ExPetr Ransomware.” Click here to attend. The attackers behind today’s global ransomware outbreak are spreading the malware using a modified version of the leaked...

NTFS 3.1 - Master File Table Denial of Service

Y0U HAVE BEEN EXPL0ITED!...

ir-rescue - A Windows Batch Script To Comprehensively Collect Host Forensic Data

ir-rescue is a lightweight Windows Batch script that collects a myriad of forensic data from 32-bit and 64-bit Windows systems while respecting the order of volatility and artifacts that are changed with the execution of the script e.g. , prefetch files. It is intended for incident response use a...

Petya Ransomware Installs Mischa As Failsafe

The Petya ransomware strain signaled a new escalation for crypto-malware when it surfaced in March. For the first time, ransomware went beyond encrypting files on local and shared drives and instead set its sights on locking up the Master File Table on compromised machines. Petya did have its...

Researchers Learning More About Petya Ransomware

Researchers are digging through samples of the Petya ransomware, and while they’ve learned some about its inner workings, they still haven’t mastered enough to come up with a decryptor. Petya is the latest twist on crypto-malware. It was found recently targeting companies in Germany in a spam...

Petya Ransomware Master File Table Encryption

First ransomware locked your desktop. Then it encrypted your files. Not long after, webservers, shared drives and backups were targeted. Now? Introducing Petya, ransomware that targets the Master Boot Record. Spotted in email campaigns sent to human resources offices in German companies, the...

CVE-2005-3177

CHKDSK in Microsoft Windows 2000 before Update Rollup 1 for SP4, Windows XP, and Windows Server 2003, when running in fix mode, does not properly handle security descriptors if the master file table contains a large number of files or if the descriptors do not satisfy certain NTFS conventions,...