ExPetr, also known as PetrWrap, Petya, or NotPetya, is a threat actor that emerged in the cybersecurity landscape on April 15, 2017, with its first ransomware attack incorporating the EternalBlue exploit. The code used by ExPetr was borrowed from another piece of malware, the Win32/Diskcoder.Petya ransomware, which is why so many different names have been attributed to this threat actor. ExPetr's activity is characterized by its malicious intent, with attacks typically directed at corporate networks using methods similar to those seen in other high-profile cyber threats.
On June 27, 2017, ExPetr launched a significant attack using the EternalBlue exploit. The attack was particularly notable for its destructive nature. Unlike a typical ransomware attack, where data can be recovered once the ransom is paid, analysis revealed that the threat actors behind ExPetr were technically unable to decrypt the Master File Table (MFT) that had been encrypted by the GoldenEye component. This led to the conclusion that ExPetr was not truly ransomware but a "wiper," designed for destruction rather than financial gain.
Further analysis showed a notable similarity between the code of ExPetr and that of another threat actor, Bad Rabbit. However, unlike ExPetr, evidence suggests that Bad Rabbit was not intended as a wiper. This comparison of the two threat actors' hashing routines adds a further layer of complexity to understanding the motivations and capabilities of these groups. Despite the similarities, each threat actor presents distinct challenges and requires its own countermeasures.
Description last updated: 2024-05-04T19:43:55.128Z