Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Wide-scale Petya variant ransomware attack noted - SANS Internet Storm Center SANS ISC InfoSec Forums

Watch ISC TV. Great for NOCs, SOCs and Living Rooms:

Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
Wide-scale Petya variant ransomware attack noted

Sent from a reader earlier today:

  • Hearing some rumors that the company Merck is having a major virus outbreak with something new and their Europe networks are affected more than their US offices.  Have you heard anything on this?

A quick check reveals that, apparently, another global ransomware attack is making the rounds today.

Initial reports indicate this is much like last month's WannaCry attack.  According to the Verge article, today's ransomware appears to be a new Petya variant called Petyawrap.  At this point, we see plenty of speculation on how the ransomware is spreading (everything from email to an EternalBlue-style SMB exploit), but nothing has been confirmed yet for the initial infection vector.

Alleged samples of this ransomware include the following SHA256 hashes:

AlienVault Open Threat Exchange (OTX) is currently tracking this threat at:

We'll provide more information as it becomes available.


435 Posts
ISC Handler
Jun 27th 2017
Symantec is claiming ETERNALBLUE (SMBv1) is being used as the exploit. Ref:

1 Posts
Good timing on the diary from 21 June... 'It has been a month and a bit how is your new patching program holding up?'

4 Posts
BLEEPING Computer:


NAKED Security (Sophos):




RECORDED Future stats show an uptick today

19 Posts
Thanks for the additional links, Brett. Definitely a lot is being written about today's attack.

435 Posts
ISC Handler
Seems like wmic and psexec is being used for lateral movement too.

Regards Falk

2 Posts
Heard same rumors about Merck, PRG employees told not to start PCs and sent home.

Sign Up for Free or Log In to start participating in the conversation!