{"id":75612,"date":"2017-06-27T23:57:32","date_gmt":"2017-06-28T06:57:32","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=75612"},"modified":"2025-12-10T11:47:22","modified_gmt":"2025-12-10T19:47:22","slug":"new-ransomware-old-techniques-petya-adds-worm-capabilities","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2017\/06\/27\/new-ransomware-old-techniques-petya-adds-worm-capabilities\/","title":{"rendered":"New ransomware, old techniques: Petya adds worm capabilities"},"content":{"rendered":"\n<div class=\"wp-block-columns is-layout-flex wp-container-core-columns-is-layout-28f84493 wp-block-columns-is-layout-flex\">\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:66.66%\">\n<p class=\"wp-block-paragraph\">On June 27, 2017 reports of a <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/shared\/ransomware.aspx\" target=\"_blank\" rel=\"noopener\">ransomware<\/a> infection began spreading across Europe. We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>(Note: We have published a follow-up blog entry on this ransomware attack. 
We have new findings from our continued investigation, as well as platform mitigation and protection information: <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/06\/29\/windows-10-platform-resilience-against-the-petya-ransomware-attack\/\" target=\"_blank\" rel=\"noopener\">Windows 10 platform resilience against the Petya ransomware attack<\/a>.)<\/em><\/p>\n<\/div>\n\n\n\n<div class=\"wp-block-column is-layout-flow wp-block-column-is-layout-flow\" style=\"flex-basis:33.33%\">\n<figure class=\"wp-block-table is-style-stripes\"><table class=\"has-fixed-layout\"><tbody><tr><td><em>The trend towards increasingly sophisticated malware behavior, highlighted by the use of exploits and other attack vectors, makes older platforms so much more susceptible to ransomware attacks. From June to November 2017, Windows 7 devices were 3.4 times more likely to encounter ransomware compared to Windows 10 devices.<\/em> <br><br><em>Read our latest report: <a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/01\/10\/a-worthy-upgrade-next-gen-security-on-windows-10-proves-resilient-against-ransomware-outbreaks-in-2017\/\" target=\"_blank\" rel=\"noreferrer noopener\"><strong>A worthy upgrade: Next-gen security on Windows 10 proves resilient against ransomware outbreaks in 2017<\/strong><\/a><\/em><br>\u00a0<\/td><\/tr><\/tbody><\/table><\/figure>\n<\/div>\n<\/div>\n\n\n\n<p class=\"wp-block-paragraph\">The new ransomware has worm capabilities, which allow it to move laterally across infected networks. Based on our investigation, this new ransomware shares similar code and is a new variant of <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=Ransom:Win32\/Petya\" target=\"_blank\" rel=\"noopener\">Ransom:Win32\/Petya<\/a>. 
This new strain of ransomware, however, is more sophisticated.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To protect our customers, we released cloud-delivered protection updates and made updates to our signature definition packages shortly after. These updates were automatically delivered to all Microsoft free antimalware products, including <a href=\"https:\/\/technet.microsoft.com\/en-us\/itpro\/windows\/keep-secure\/windows-defender-in-windows-10\" target=\"_blank\" rel=\"noopener\">Windows Defender Antivirus<\/a> and Microsoft Security Essentials. You can download the latest version of these files manually at the <a href=\"https:\/\/www.microsoft.com\/security\/portal\/definitions\/adl.aspx\" target=\"_blank\" rel=\"noopener\">Malware Protection Center<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Windows Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\" target=\"_blank\" rel=\"noopener\">Windows Defender ATP<\/a>) automatically detects behaviors used by this new ransomware variant without any updates.&nbsp;To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, <strong><a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a><\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"delivery-and-installation\">Delivery and installation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Initial infection appears to involve a software supply-chain threat involving the Ukrainian company M.E.Doc, which develops tax accounting software, MEDoc. Although this vector was speculated at length by news media and security researchers\u2014including Ukraine\u2019s own Cyber Police\u2014there was only circumstantial evidence for this vector. 
Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process. As we highlighted previously, <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/05\/04\/windows-defender-atp-thwarts-operation-wilysupply-software-supply-chain-cyberattack\/\" target=\"_blank\" rel=\"noopener\">software supply chain attacks<\/a> are a recent and dangerous trend among attackers, and they require advanced defenses.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We observed telemetry showing the MEDoc software updater process (<em>EzVit.exe<\/em>) executing a malicious command line matching this exact attack pattern on Tuesday, June 27 around 10:30 a.m. GMT.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that the <em>EzVit.exe<\/em> process from MEDoc, for unknown reasons, at some moment executed the following command line:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>C:\\\\Windows\\\\system32\\\\rundll32.exe\\&#8221; \\&#8221;C:\\\\ProgramData\\\\perfc.dat\\&#8221;,#1 30<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The same update vector was also mentioned by the Ukraine Cyber Police in a public list of indicators of compromise (IOCs), which includes the MEDoc updater.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"a-single-ransomware-multiple-lateral-movement-techniques\">A single ransomware, multiple lateral movement techniques<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Given this new ransomware&#8217;s added lateral movement capabilities, it only takes a single infected machine to affect a network. 
The ransomware&#8217;s spreading functionality is composed of multiple methods responsible for:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">stealing credentials or re-using existing active sessions<\/li>\n\n\n\n<li class=\"wp-block-list-item\">using file-shares to transfer the malicious file across machines on the same network<\/li>\n\n\n\n<li class=\"wp-block-list-item\">using existing legitimate functionalities to execute the payload or abusing SMB vulnerabilities for unpatched machines<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">In the next sections, we discuss the details of each technique.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"lateral-movement-using-credential-theft-and-impersonation\">Lateral movement using credential theft and impersonation<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This ransomware drops a credential dumping tool (typically as a .tmp file in the <em>%Temp%<\/em> folder) that shares code similarities with <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/threat\/encyclopedia\/Entry.aspx?Name=HackTool:Win32\/Mimikatz\" target=\"_blank\" rel=\"noopener\">Mimikatz<\/a> and comes in 32-bit and 64-bit variants. Because users frequently log in using accounts with local admin privileges and have active sessions open across multiple machines, stolen credentials are likely to provide the same level of access the user has on other machines.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Once the ransomware has valid credentials, it scans the local network to establish valid connections on ports <em>tcp\/139<\/em> and <em>tcp\/445<\/em>. A special behavior is reserved for Domain Controllers or servers: this ransomware attempts to call <em>DhcpEnumSubnets()<\/em> to enumerate DHCP subnets; for each subnet, it gathers all hosts\/clients (using <em>DhcpEnumSubnetClients()<\/em>) and scans them for <em>tcp\/139<\/em> and <em>tcp\/445<\/em> services. 
If it gets a response, the malware attempts to copy a binary to the remote machine using regular file-transfer functionalities with the stolen credentials.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It then tries to execute the malware remotely using either the PsExec or WMIC tools.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The ransomware attempts to drop the legitimate <em>psexec.exe<\/em> (typically renamed to <em>dllhost.dat<\/em>) from an embedded resource within the malware. It then scans the local network for <em>admin$<\/em> shares, copies itself across the network, and executes the newly copied malware binary remotely using PsExec.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In addition to credential dumping, the malware also tries to steal credentials by using the <em>CredEnumerateW<\/em> function to get all the other user credentials potentially stored in the credential store. If a credential name starts with <em>&#8220;TERMSRV\/&#8221;<\/em> and the type is set as 1 (generic), it uses that credential to propagate through the network.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This ransomware also uses the Windows Management Instrumentation Command-line (WMIC) to find remote shares (using <em>NetEnum\/NetAdd<\/em>) to spread to. 
It uses either a duplicate token of the current user (for existing connections), or a username\/password combination (spreading through legit tools).<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"lateral-movement-using-eternalblue-and-eternalromance\">Lateral movement using EternalBlue and EternalRomance<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">The new ransomware can also spread using an exploit for the Server Message Block (SMB) vulnerability <a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0144\" target=\"_blank\" rel=\"noopener\">CVE-2017-0144<\/a> (also known as EternalBlue), which was fixed in <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" target=\"_blank\" rel=\"noopener\">security update MS17-010<\/a> and was also exploited by <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/05\/12\/wannacrypt-ransomware-worm-targets-out-of-date-systems\/\" target=\"_blank\" rel=\"noopener\">WannaCrypt<\/a> to spread to out-of-date machines. In addition, this ransomware also uses a second exploit for <a href=\"http:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2017-0145\" target=\"_blank\" rel=\"noopener\">CVE-2017-0145<\/a> (also known as EternalRomance, and fixed by the same bulletin).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We\u2019ve seen this ransomware attempt to use these exploits by generating SMBv1 packets (which are all <em>XOR 0xCC<\/em> encrypted) to trigger these vulnerabilities.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">These two exploits were leaked by a group called <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/06\/16\/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security\/\" target=\"_blank\" rel=\"noopener\">Shadow Brokers<\/a>. 
However, it is important to note that both of these vulnerabilities have been fixed by Microsoft in <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" target=\"_blank\" rel=\"noopener\">security update MS17-010<\/a> on March 14, 2017.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Machines that are patched against these exploits (with <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" target=\"_blank\" rel=\"noopener\">security update MS17-010<\/a>) or <a href=\"https:\/\/support.microsoft.com\/kb\/2696547\" target=\"_blank\" rel=\"noopener\">have disabled SMBv1<\/a> are not affected by this particular spreading mechanism. Please refer to our previous <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/06\/16\/analysis-of-the-shadow-brokers-release-and-mitigation-with-windows-10-virtualization-based-security\/\" target=\"_blank\" rel=\"noopener\">blog<\/a> for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"encryption\">Encryption<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">This ransomware\u2019s encryption behavior depends on the malware process privilege level and the processes found to be running on the machine. 
It does this by employing a simple XOR-based hashing algorithm on the process names, and checks against the following hash values, which act as behavior exclusions:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>0x6403527E<\/em> or <em>0x651B3005<\/em> \u2013 if a process whose name hashes to one of these values is found running on the machine, the ransomware does not perform SMB exploitation.<\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>0x2E214B44<\/em> \u2013 if a process with this hashed name is found, the ransomware trashes the first 10 sectors of <em>\\\\\\\\.\\\\PhysicalDrive0<\/em>, including the MBR.<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This ransomware then writes to the master boot record (MBR) and sets up the system to reboot. It creates a scheduled task to shut down the machine at least 10 minutes past the current time; the exact time is random (derived from <em>GetTickCount()<\/em>). For example:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><em>schtasks \/Create \/SC once \/TN &#8220;&#8221; \/TR &#8220;&lt;system folder&gt;\\shutdown.exe \/r \/f&#8221; \/ST 14:23<\/em><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After successfully modifying the MBR, it displays the following fake system message, which notes a supposed error in the drive and shows a fake integrity check.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">It tries to overwrite the MBR code only if the malware is running with the highest privilege (i.e., with <em>SeDebugPrivilege<\/em> enabled).<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This ransomware attempts to encrypt all files with the following file name extensions in all folders on all fixed drives, except for <em>C:\\Windows<\/em>:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><tbody><tr><td>.3ds<\/td><td>.7z<\/td><td>.accdb<\/td><td>.ai<\/td><\/tr><tr><td>.asp<\/td><td>.aspx<\/td><td>.avhd<\/td><td>.back<\/td><\/tr><tr><td>.bak<\/td><td>.c<\/td><td>.cfg<\/td><td>.conf<\/td><\/tr><tr><td>.cpp<\/td><td>.cs<\/td><td>.ctl<\/td><td>.dbf<\/td><\/tr><tr><td>.disk<\/td><td>.djvu<\/td><td>.doc<\/td><td>.docx<\/td><\/tr><tr><td>.dwg<\/td><td>.eml<\/td><td>.fdb<\/td><td>.gz<\/td><\/tr><tr><td>.h<\/td><td>.hdd<\/td><td>.kdbx<\/td><td>.mail<\/td><\/tr><tr><td>.mdb<\/td><td>.msg<\/td><td>.nrg<\/td><td>.ora<\/td><\/tr><tr><td>.ost<\/td><td>.ova<\/td><td>.ovf<\/td><td>.pdf<\/td><\/tr><tr><td>.php<\/td><td>.pmf<\/td><td>.ppt<\/td><td>.pptx<\/td><\/tr><tr><td>.pst<\/td><td>.pvi<\/td><td>.py<\/td><td>.pyc<\/td><\/tr><tr><td>.rar<\/td><td>.rtf<\/td><td>.sln<\/td><td>.sql<\/td><\/tr><tr><td>.tar<\/td><td>.vbox<\/td><td>.vbs<\/td><td>.vcb<\/td><\/tr><tr><td>.vdi<\/td><td>.vfd<\/td><td>.vmc<\/td><td>.vmdk<\/td><\/tr><tr><td>.vmsd<\/td><td>.vmx<\/td><td>.vsdx<\/td><td>.vsv<\/td><\/tr><tr><td>.work<\/td><td>.xls<\/td><td>.xlsx<\/td><td>.xvd<\/td><\/tr><tr><td>.zip<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><td>&nbsp;<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p class=\"wp-block-paragraph\">It uses file mapping APIs instead of the usual <em>ReadFile()<\/em>\/<em>WriteFile()<\/em> APIs.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Unlike most other ransomware, this threat does not append a new file name extension to encrypted files. 
Instead, it overwrites the files in place.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The AES key generated for encryption is per machine, per fixed drive, and gets exported and encrypted using the embedded 2048-bit RSA public key of the attacker.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The unique key used for file encryption (AES) is added, in encrypted form, to the <em>README.TXT<\/em> file the threat writes, under the section <em>&#8220;Your personal installation key:&#8221;<\/em>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Beyond encrypting files, this ransomware also attempts to infect the MBR or destroy certain sectors of the VBR and MBR.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">After completing its encryption routine, this ransomware drops a text file called <em>README.TXT<\/em> in each fixed drive.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">This ransomware also clears the System, Setup, Security, and Application event logs and deletes NTFS journal information.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"detection-and-investigation-with-windows-defender-advanced-threat-protection\">Detection and investigation with Windows Defender Advanced Threat Protection<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Windows Defender Advanced Threat Protection (<a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\" target=\"_blank\" rel=\"noopener\">Windows Defender ATP<\/a>) is a post-breach solution and offers by-design detections for this attack without the need for any signature updates. 
Windows Defender ATP sensors constantly monitor and collect telemetry from the endpoints and offer machine-learning detections for common lateral movement techniques and tools used by this ransomware, including, for example, the execution of <em>PsExec.exe<\/em> under a different filename, and the creation of the <em>perfc.dat<\/em> file in remote share (UNC) paths.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">The second alert targets the distribution of the ransomware\u2019s .dll file over the network. This event provides helpful information during investigation as it includes the user context that was used to move the file remotely. This user has been compromised and could represent the user associated with patient zero.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">With Windows Defender ATP, enterprise customers are well-equipped to quickly identify Petya outbreaks, investigate the scope of the attack, and respond early to malware delivery campaigns.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"protection-against-this-new-ransomware-attack\">Protection against this new ransomware attack<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Keeping your <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-upgrade\" target=\"_blank\" rel=\"noopener\">Windows 10<\/a> <a href=\"https:\/\/support.microsoft.com\/en-us\/help\/311047\/how-to-keep-your-windows-computer-up-to-date\" target=\"_blank\" rel=\"noopener\">up-to-date<\/a> gives you the benefits of the latest features and proactive mitigations built into the latest versions of Windows. 
In Creators Update, we further <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/06\/08\/windows-10-creators-update-hardens-security-with-next-gen-defense\/\" target=\"_blank\" rel=\"noopener\">hardened Windows 10 against ransomware attacks<\/a> by introducing new next-gen technologies and enhancing existing ones.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">As another layer of protection, <a href=\"https:\/\/www.microsoft.com\/en-us\/windows\/windows-10-s\" target=\"_blank\" rel=\"noopener\">Windows 10 S<\/a> only allows apps that come from the Windows Store to run. Windows 10 S users are further protected from this threat.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">We recommend customers that have not yet installed security update <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" target=\"_blank\" rel=\"noopener\">MS17-010<\/a> to do so as soon as possible. Until you can apply the patch, we also recommend two possible workarounds to reduce the attack surface:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Disable SMBv1 with the steps documented at <a href=\"https:\/\/support.microsoft.com\/kb\/2696547\" target=\"_blank\" rel=\"noopener\">Microsoft Knowledge Base Article 2696547<\/a> and as <a href=\"https:\/\/blogs.technet.microsoft.com\/filecab\/2016\/09\/16\/stop-using-smb1\/\" target=\"_blank\" rel=\"noopener\">recommended previously<\/a><\/li>\n\n\n\n<li class=\"wp-block-list-item\">Consider adding a rule on your router or firewall to block incoming SMB traffic on port 445<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">As the threat targets ports 139 and 445, customers can block any traffic on those ports to prevent propagation either into or out of machines in the network. You can also disable remote WMI and file sharing. 
These may have a large impact on the functionality of your network, but may be appropriate for a very short time period while you assess the impact and <a href=\"https:\/\/www.microsoft.com\/security\/portal\/definitions\/adl.aspx\" target=\"_blank\" rel=\"noopener\">apply definition updates<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Aside from exploiting vulnerabilities, this threat can also spread across networks by stealing credentials, which it then uses to copy and execute itself on remote machines. You can prevent credential theft by ensuring credential hygiene across the organization. <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows-server\/identity\/securing-privileged-access\/securing-privileged-access\">Secure privileged access<\/a> to prevent the spread of threats like Petya and to protect your organization\u2019s assets. Use <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/access-protection\/credential-guard\/credential-guard\">Credential Guard<\/a> to protect domain credentials stored in the Windows Credential Store.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Windows Defender Antivirus detects this threat as <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/threat\/encyclopedia\/entry.aspx?Name=Ransom:Win32\/Petya\" target=\"_blank\" rel=\"noopener\">Ransom:Win32\/Petya<\/a> as of the <a href=\"https:\/\/www.microsoft.com\/security\/portal\/definitions\/adl.aspx\" target=\"_blank\" rel=\"noopener\">1.247.197.0 update<\/a>. 
Windows Defender Antivirus uses cloud-based protection, helping to protect you from the latest threats.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">For enterprises, use <a href=\"https:\/\/technet.microsoft.com\/itpro\/windows\/keep-secure\/device-guard-deployment-guide\">Device Guard<\/a> to lock down devices and provide kernel-level virtualization-based security, allowing only trusted applications to run, effectively preventing malware from running.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Monitor networks with <a href=\"http:\/\/www.microsoft.com\/en-us\/WindowsForBusiness\/windows-atp\">Windows Defender Advanced Threat Protection<\/a>, which alerts security operations teams about suspicious activities. Download this playbook to see how you can leverage Windows Defender ATP to detect, investigate, and mitigate ransomware in networks: <a href=\"https:\/\/www.microsoft.com\/en-us\/download\/details.aspx?id=55090\">Windows Defender Advanced Threat Protection \u2013 Ransomware response playbook<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">To test how Windows Defender ATP can help your organization detect, investigate, and respond to advanced attacks, <strong><a href=\"https:\/\/www.microsoft.com\/en-us\/windowsforbusiness\/windows-atp?ocid=cx-blog-mmpc\" target=\"_blank\" rel=\"noopener\">sign up for a free trial<\/a><\/strong>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"resources\">Resources<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">MSRC blog: <a href=\"https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/06\/28\/update-on-petya-malware-attacks\/\" target=\"_blank\" rel=\"noopener\">https:\/\/blogs.technet.microsoft.com\/msrc\/2017\/06\/28\/update-on-petya-malware-attacks\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Next-generation ransomware protection with Windows 10 Creators Update: <a href=\"https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/06\/08\/windows-10-creators-update-hardens-security-with-next-gen-defense\/\" target=\"_blank\" 
rel=\"noopener\">https:\/\/blogs.technet.microsoft.com\/mmpc\/2017\/06\/08\/windows-10-creators-update-hardens-security-with-next-gen-defense\/<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Download English language security updates: <a href=\"http:\/\/download.windowsupdate.com\/d\/csa\/csa\/secu\/2017\/02\/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe\">Windows Server 2003 SP2 x64<\/a>, <a href=\"http:\/\/download.windowsupdate.com\/c\/csa\/csa\/secu\/2017\/02\/windowsserver2003-kb4012598-x86-custom-enu_f617caf6e7ee6f43abe4b386cb1d26b3318693cf.exe\">Windows Server 2003 SP2 x86,<\/a> <a href=\"http:\/\/download.windowsupdate.com\/d\/csa\/csa\/secu\/2017\/02\/windowsserver2003-kb4012598-x64-custom-enu_f24d8723f246145524b9030e4752c96430981211.exe\">Windows XP SP2 x64<\/a>, <a href=\"http:\/\/download.windowsupdate.com\/d\/csa\/csa\/secu\/2017\/02\/windowsxp-kb4012598-x86-custom-enu_eceb7d5023bbb23c0dc633e46b9c2f14fa6ee9dd.exe\">Windows XP SP3 x86<\/a>, <a href=\"http:\/\/download.windowsupdate.com\/c\/csa\/csa\/secu\/2017\/02\/windowsxp-kb4012598-x86-embedded-custom-enu_8f2c266f83a7e1b100ddb9acd4a6a3ab5ecd4059.exe\">Windows XP Embedded SP3 x86<\/a>, <a href=\"http:\/\/download.windowsupdate.com\/c\/msdownload\/update\/software\/secu\/2017\/05\/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu\">Windows 8 x86,<\/a> <a href=\"http:\/\/download.windowsupdate.com\/c\/msdownload\/update\/software\/secu\/2017\/05\/windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu\">Windows 8 x64<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Download localized language security updates: <a href=\"http:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyId=d3cb7407-3339-452e-8371-79b9c301132e\">Windows Server 2003 SP2 x64<\/a>, <a href=\"http:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyId=350ec04d-a0ba-4a50-9be3-f900dafeddf9\">Windows Server 2003 SP2 x86<\/a>, <a 
href=\"http:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyId=5fbaa61b-15ce-49c7-9361-cb5494f9d6aa\">Windows XP SP2 x64<\/a>, <a href=\"http:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyId=7388c05d-9de6-4c6a-8b21-219df407754f\">Windows XP SP3 x86<\/a>, <a href=\"http:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyId=a1db143d-6ad2-4e7e-9e90-2a73316e1add\">Windows XP Embedded SP3 x86<\/a>, <a href=\"http:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyId=6e2de6b7-9e43-4b42-aca2-267f24210340\">Windows 8 x86<\/a>, <a href=\"http:\/\/www.microsoft.com\/downloads\/details.aspx?FamilyId=b08bb3f1-f156-4e61-8a68-077963bae8c0\">Windows 8 x64<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">MS17-010 Security Update: <a href=\"https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx\" target=\"_blank\" rel=\"noopener\">https:\/\/technet.microsoft.com\/en-us\/library\/security\/ms17-010.aspx<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">General information on ransomware: <a href=\"https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/shared\/ransomware.aspx\" target=\"_blank\" rel=\"noopener\">https:\/\/www.microsoft.com\/en-us\/security\/portal\/mmpc\/shared\/ransomware.aspx<\/a><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Security for IT Pros: <a href=\"https:\/\/technet.microsoft.com\/en-us\/security\/default\" target=\"_blank\" rel=\"noopener\">https:\/\/technet.microsoft.com\/en-us\/security\/default<\/a><\/p>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"indicators-of-compromise\">Indicators of Compromise<\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Network defenders may search for the following indicators:<\/p>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>File indicators<\/strong><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">34f917aaba5684fbe56d3c57d48ef2a1aa7cf06d<\/li>\n\n\n\n<li class=\"wp-block-list-item\">9717cfdc2d023812dbc84a941674eb23a2a8ef06<\/li>\n\n\n\n<li 
class=\"wp-block-list-item\">38e2855e11e353cedf9a8a4f2f2747f1c5c07fcf<\/li>\n\n\n\n<li class=\"wp-block-list-item\">56c03d8e43f50568741704aee482704a4f5005ad<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Command lines<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In environments where command-line logging is available, the following command lines may be searched:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Scheduled Reboot Task: Petya schedules a reboot for a random time between 10 and 60 minutes from the current time\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>schtasks \/Create \/SC once \/TN &#8220;&#8221; \/TR &#8220;&lt;system folder>\\shutdown.exe \/r \/f&#8221; \/ST &lt;time><\/em><\/li>\n\n\n\n<li class=\"wp-block-list-item\"><em>cmd.exe \/c schtasks \/RU &#8220;SYSTEM&#8221; \/Create \/SC once \/TN &#8220;&#8221; \/TR &#8220;C:\\Windows\\system32\\shutdown.exe \/r \/f&#8221; \/ST &lt;time><\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\">This may be surfaced by searching for EventId 106 (General Task Registration) which captures tasks registered with the Task Scheduler service.<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Lateral Movement (Remote WMI)\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\"><em>&#8220;process call create \\&#8221;C:\\\\Windows\\\\System32\\\\rundll32.exe \\\\\\&#8221;C:\\\\Windows\\\\perfc.dat\\\\\\&#8221; #1&#8243;<\/em><\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n<p class=\"wp-block-paragraph\"><strong>Network indicators<\/strong><\/p>\n\n\n\n<p class=\"wp-block-paragraph\">In environments where NetFlow data are available, this ransomware\u2019s subnet-scanning behavior may be observed by looking for the following:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li class=\"wp-block-list-item\">Workstations scanning ports tcp\/139 and tcp\/445 on their own local (\/24) network 
scope<\/li>\n\n\n\n<li class=\"wp-block-list-item\">Servers (in particular, domain controllers) scanning ports tcp\/139 and tcp\/445 across multiple \/24 scopes<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator has-alpha-channel-opacity\"\/>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"talk-to-us\"><strong>Talk to us<\/strong><\/h2>\n\n\n\n<p class=\"wp-block-paragraph\">Questions, concerns, or insights on this story? Join discussions at the <a href=\"https:\/\/answers.microsoft.com\/en-us\/protect\" target=\"_blank\" rel=\"noopener\">Microsoft community<\/a> and <a href=\"https:\/\/www.microsoft.com\/en-us\/wdsi\" target=\"_blank\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n\n\n\n<p class=\"wp-block-paragraph\">Follow us on Twitter <a href=\"https:\/\/twitter.com\/WDSecurity\" target=\"_blank\" rel=\"noopener\">@WDSecurity<\/a> and Facebook <a href=\"https:\/\/www.facebook.com\/MsftWDSI\/\" target=\"_blank\" rel=\"noopener\">Windows Defender Security Intelligence<\/a>.<\/p>\n","protected":false},"author":61,"yoast_head_json":{"title":"New ransomware, old techniques: Petya adds worm capabilities | Microsoft Security Blog","author":"Microsoft Defender Security Research Team","article_published_time":"2017-06-28T06:57:32+00:00","article_modified_time":"2025-12-10T19:47:22+00:00"}}