Ransomware Pentya

Petya is another family of ransomware whose propagation route is similar to that of WannaCry. Companies are still running unpatched versions of Windows, which led to another widespread outbreak, this time of Petya, which uses the same SMBv1 exploit that WannaCry used. The infection typically starts when a user opens an attachment from an unknown sender, just as with WannaCry, and then uses SMBv1 to spread across the network.

Now let's look a little closer at what Petya is and how it works.

Petya is a nasty piece of ransomware and works very differently from other ransomware. Unlike traditional ransomware, Petya does not encrypt the files on a targeted system one by one. Instead, it reboots the victim's computer and encrypts the hard drive's master file table (MFT), rendering the master boot record (MBR) inoperable and cutting off access to the whole system by seizing the information about file names, sizes and locations on the physical disk.
Petya replaces the computer's MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot.
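To make the MBR part concrete, here is an added Python example (it is not from the original post) that parses a 512-byte MBR into its boot code, partition table and signature, and compares a SHA-256 of the boot-code region against a baseline recorded while the machine was known clean. That is the check a defender can use to notice that the boot code has been swapped out while the partition table still looks normal. Every sector and byte value in it is a constructed sample, not real Windows or Petya boot code.

```python
import hashlib
import struct

# Standard MBR layout: 446 bytes of boot code, four 16-byte partition
# entries, then the 2-byte boot signature 0x55 0xAA.
MBR_SIZE = 512
BOOT_CODE_SIZE = 446
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_SIZE + i * PARTITION_ENTRY_SIZE
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code": sector[:BOOT_CODE_SIZE],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the boot-code region only, so partition edits do not cause false alarms."""
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> dict:
    """Compare a captured MBR against a known-good baseline from the same machine."""
    parsed = parse_mbr(sector)
    return {
        "boot_code_changed": boot_code_hash(sector) != baseline_hash,
        "signature_ok": parsed["signature_ok"],
        "partition_count": len(parsed["partitions"]),
    }


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: one bootable NTFS (type 0x07) partition at LBA 2048."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")[:BOOT_CODE_SIZE]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * (PARTITION_ENTRY_SIZE * 3)
    return code + table + BOOT_SIGNATURE


# Constructed baseline: a stand-in for the stock boot code (not real Windows code).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE_HASH = boot_code_hash(CLEAN_MBR)
# Constructed "after" sector: boot code replaced, partition table left untouched.
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_HASH))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH))
```

On a live Windows host the sector would be the first 512 bytes read from `\\.\PhysicalDrive0` (administrator rights are needed), and the baseline hash must be recorded while the machine is still trusted; a tampered sector passes the signature check, so only the boot-code comparison reveals the replacement.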
Screenshots of the latest Petya infection shared on Twitter show that the ransomware displays a text demanding $300 worth of Bitcoin. Here's what the text reads:

“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”

Now the main question is: "is the world not ready?" Most people thought that after the WannaCry attack the giants would have geared up and increased their security against this type of attack. Maersk, an international logistics company, has confirmed on Twitter that the latest Petya attacks have shut down its IT systems at multiple locations and business units.

“We can confirm that Maersk IT systems are down across multiple sites and business units. We are currently asserting the situation. The safety of our employees, our operations and customers’ business is our top priority. We will update when we have more information,” the company said.

The ransomware has also hit multiple workstations at the Ukrainian branch of the mining company Evraz.

The most severe damage reported by Ukrainian businesses also includes compromised systems at Ukraine's local metro and at Kiev's Boryspil Airport.

Affected Telecommunication Industry:

Three Ukrainian telecommunication operators, Kyivstar, LifeCell and Ukrtelecom, have also been affected by the latest Petya attack.

In the last few hours Petya ransomware has also infected the Russian state-owned oil giant Rosneft and the Ukrainian state power distributors Kyivenergo and Ukrenergo.

“We were attacked. Two hours ago, we had to turn off all our computers. We are waiting for permission from Ukraine’s Security Service (SBU) to switch them back on,” Kyivenergo’s press service said.

Several banks, including the National Bank of Ukraine (NBU) and Oschadbank, and a number of companies have also reported being hit by the Petya ransomware attacks.


Now that the ransomware is spreading, there are some measures that we, or the companies, can take to prevent it from entering our environment. Below are the precautions:

1. Block source E-mail address


2. Block domains:











3. Block IPs:

4. Apply patches:

Refer(in Russian): https://habrahabr.ru/post/331762/

5. Disable SMBv1

6. Update Anti-Virus hashes












myguy.xls EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6

BCA9D6.exe 17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD
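For step 6, the two SHA-256 values listed above are the only indicators the post gives. The following added Python example (not from the original post) walks a directory tree, hashes every file and reports any whose SHA-256 matches an indicator list. It carries the post's two hashes and, for the demo only, adds the hash of a constructed harmless byte string so that a match can be shown without any real malware; the temporary directory and the files in it are constructed as well.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# SHA-256 indicators exactly as listed in the post (lower-cased to match hexdigest output).
PETYA_IOCS = {
    "EE29B9C01318A1E23836B949942DB14D4811246FDAE2F41DF9F0DCD922C63BC6".lower(): "myguy.xls",
    "17DACEDB6F0379A65160D73C0AE3AA1F03465AE75CB6AE754C7DCB3017AF1FBD".lower(): "BCA9D6.exe",
}


def sha256_file(path: str, chunk_size: int = 1 << 20) -> str:
    """Hash a file in 1 MiB chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: str, iocs: dict) -> list:
    """Return [(path, label)] for every file under root whose SHA-256 is in iocs."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                digest = sha256_file(path)
            except OSError:
                continue  # locked or unreadable file: skip it rather than abort the scan
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def demo() -> list:
    """Constructed demo: a temp tree with one benign file and one file hashing to a test IoC."""
    marker = b"constructed test payload, not malware"
    iocs = dict(PETYA_IOCS)
    iocs[hashlib.sha256(marker).hexdigest()] = "TEST-ONLY marker"  # demo indicator, not a real IoC
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "benign.txt").write_bytes(b"quarterly report")
        Path(tmp, "sub").mkdir()
        Path(tmp, "sub", "invoice.xls").write_bytes(marker)
        hits = scan_tree(tmp, iocs)
        # Report paths relative to the scanned root, with forward slashes, for stable output.
        return sorted((Path(p).relative_to(tmp).as_posix(), label) for p, label in hits)


if __name__ == "__main__":
    for rel_path, label in demo():
        print(f"MATCH {label}: {rel_path}")
```

Matching is done on the hash only; the filenames on the post's list are kept as labels because attackers rename attachments freely, and a hash list like this catches only the exact samples it was built from, so it complements the SMBv1 and patching steps rather than replacing them.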


As said at the time of WannaCry, this type of ransomware will keep spreading and causing damage until people are fully aware of their IT security. No one should take it lightly, even if you are a personal user and not part of an organization's network, and this is the reason some giants like Apple and Google 
