Expetr

Threat Actor updated 5 months ago (2024-05-04T20:18:10.014Z)
ExPetr, also known as PetrWrap, Petya, or NotPetya, is tracked here as a threat actor. It emerged in the cybersecurity landscape on April 15, 2017, with its first ransomware attack incorporating the EternalBlue exploit. Its code was borrowed from the earlier Win32/Diskcoder.Petya ransomware, which is why several names are attributed to it. Its attacks are typically targeted against corporate networks, using methods similar to those seen in other high-profile cyber threats.

On June 27, 2017, ExPetr launched a large-scale attack using the EternalBlue exploit. The attack was notable for its destructive nature. Unlike typical ransomware, where data can be recovered once the ransom is paid, analysis showed that the operators behind ExPetr were technically unable to decrypt the Master File Table (MFT) encrypted by the GoldenEye component: the key needed to restore it could not be recovered from anything shown to the victim. This led to the conclusion that ExPetr was not truly ransomware but a "wiper", built for destruction rather than financial gain. In practice, an ExPetr infection should be treated as data loss to be recovered from backups, since paying cannot yield a working decryptor.

Later analysis found a notable similarity between ExPetr's code and that of Bad Rabbit, including a shared hashing routine. Unlike ExPetr, however, the evidence suggests that Bad Rabbit was not intended as a wiper. The shared code complicates attribution and the assessment of the motivations and capabilities behind each campaign; despite the overlap, each presents distinct challenges and requires distinct countermeasures.
Description last updated: 2024-05-04T19:43:55.128Z
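The wiper conclusion above rests on one question: can the operator derive the disk key from what the victim is shown? The following model, added here as an illustration and not code from ExPetr or from any analysis of it, contrasts a ransomware scheme in which the displayed victim ID is the disk key wrapped for the operator with an ExPetr-style scheme in which the ID is unrelated random bytes. The toy HMAC-based XOR stream stands in for the real disk cipher and key wrapping, OPERATOR_SECRET models the criminals' private key, and SAMPLE_MFT is constructed input; all three are assumptions of this example.

```python
import hashlib
import hmac
import secrets

# Assumed stand-in for the operator's private key (not a real key).
OPERATOR_SECRET = b"operator-private-key-stand-in"

# Constructed sample "MFT" content; any bytes work.
SAMPLE_MFT = b"$MFT record 0: FILE0 ... record 1: $MFTMirr ... record 5: root"


def keystream_xor(key: bytes, label: bytes, data: bytes) -> bytes:
    """Toy XOR stream cipher keyed by HMAC-SHA256 over a counter.

    Stands in for both the disk cipher and the operator's key wrapping.
    XOR is its own inverse, so the same call encrypts and decrypts.
    Illustrative only; not a real cipher and not how ExPetr is built.
    """
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, label + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        stream.extend(block)
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def infect(mft: bytes, recoverable: bool) -> tuple[bytes, str]:
    """Encrypt the MFT and produce the ID shown in the ransom note."""
    disk_key = secrets.token_bytes(32)
    encrypted_mft = keystream_xor(disk_key, b"mft", mft)
    if recoverable:
        # Ransomware: the ID is the disk key wrapped for the operator,
        # so a paid victim's ID lets the operator recover disk_key.
        victim_id = keystream_xor(OPERATOR_SECRET, b"wrap", disk_key).hex()
    else:
        # Wiper: the ID is random and carries no information about
        # disk_key, which exists nowhere once this function returns.
        victim_id = secrets.token_bytes(32).hex()
    del disk_key
    return encrypted_mft, victim_id


def operator_decrypt(encrypted_mft: bytes, victim_id: str) -> bytes:
    """What the operator can do with a paid victim's ID: unwrap, then decrypt."""
    disk_key = keystream_xor(OPERATOR_SECRET, b"wrap", bytes.fromhex(victim_id))
    return keystream_xor(disk_key, b"mft", encrypted_mft)


def can_recover(mft: bytes, recoverable: bool) -> bool:
    """True if the operator-side procedure restores the original MFT."""
    encrypted_mft, victim_id = infect(mft, recoverable)
    return operator_decrypt(encrypted_mft, victim_id) == mft


if __name__ == "__main__":
    print("ransomware scheme recoverable:", can_recover(SAMPLE_MFT, True))
    print("wiper scheme recoverable:", can_recover(SAMPLE_MFT, False))
```

The operator side is identical in both runs; only the contents of the victim ID differ. That is the distinction the published analysis drew: with no key material reachable from the ID, no decryptor can exist regardless of payment, which is why ExPetr is classified as a wiper.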
Aliases We are not currently tracking any aliases
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Vulnerabilities
Alias: EternalBlue
Association Type: Unspecified
Votes: 2
Description: The EternalBlue vulnerability is associated with ExPetr. EternalBlue is a software vulnerability that exists due to a flaw in the design or implementation of Windows Server Message Block (SMB). This vulnerability, officially known as CVE-2017-0144, was made public after the Shadow Brokers group leaked an exploit developed by the U.S. National Security