Expetr

Threat Actor Profile Updated 25 days ago
ExPetr, also known as PetrWrap, Petya, or NotPetya, is a threat actor that emerged in the cybersecurity landscape on April 15, 2017, with its first ransomware attack that incorporated the EternalBlue exploit. The code used by ExPetr was borrowed from another piece of malicious software, the Win32/Diskcoder.Petya ransomware, which is why several names have been attributed to this threat actor. ExPetr's attacks are typically directed against corporate networks, using methods similar to those seen in other high-profile cyber threats.

On June 27, 2017, ExPetr launched a significant attack using the EternalBlue exploit. This attack was particularly notable for its destructive nature. Unlike typical ransomware attacks, where data can be recovered once the ransom is paid, analysis revealed that the actors behind ExPetr were technically unable to decrypt the Master File Table (MFT) that had been encrypted by the GoldenEye component. This led to the conclusion that ExPetr was not truly ransomware but a "wiper," designed for destruction rather than financial gain.

Further analysis showed a notable similarity between the code of ExPetr and that of another threat actor, Bad Rabbit. Unlike ExPetr, however, the evidence suggests that Bad Rabbit was not intended as a wiper. The comparison of the two actors' hashing routines adds a further layer of complexity to understanding the motivations and capabilities of these groups. Despite the similarities, each threat actor presents unique challenges and requires distinct countermeasures.
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID | Votes | Profile Description
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Associated Malware
ID | Type | Votes | Profile Description
No associations to display
Associated Threat Actors
ID | Type | Votes | Profile Description
No associations to display
Associated Vulnerabilities
ID | Type | Votes | Profile Description
--- | --- | --- | ---
Eternalblue | Unspecified | 2 | EternalBlue is a software vulnerability that lies in the design or implementation of certain systems. This flaw has been exploited by various malicious actors over time, most notably during severe ransomware attacks like WannaCry, which prompted Microsoft to issue patches even for unsupported Operat
Source Document References
Information about the Expetr threat actor was read from the document corpus below. This display is limited to 20 results.

Source | Created At | Title
--- | --- | ---
MITRE | a year ago | Bad Rabbit ransomware
MITRE | a year ago | APT Trends report Q2 2017
MITRE | a year ago | TeleBots are back: Supply‑chain attacks against Ukraine | WeLiveSecurity
CERT-EU | 7 months ago | StripedFly: Perennially flying under the radar
CERT-EU | 7 months ago | StripedFly: Perennially flying under the radar – GIXtools