SYMBOLCOMMON_NAMEaka. SYNONYMS
win.eternal_petya (Back to overview)

EternalPetya

aka: ExPetr, Pnyetya, Petna, NotPetya, Nyetya, NonPetya, nPetya, Diskcoder.C, BadRabbit

Actor(s): TeleBots, Sandworm

According to proofpoint, Bad Rabbit is a strain of ransomware that first appeared in 2017 and is a suspected variant of Petya. Like other strains of ransomware, Bad Rabbit virus infections lock up victims’ computers, servers, or files preventing them from regaining access until a ransom—usually in Bitcoin—is paid.

References
2023-01-29AcronisIlan Duhin
@online{duhin:20230129:petyanot:23c3555, author = {Ilan Duhin}, title = {{Petya/Not Petya Ransomware Analysis}}, date = {2023-01-29}, organization = {Acronis}, url = {https://medium.com/@Ilandu/petya-not-petya-ransomware-9619cbbb0786}, language = {English}, urldate = {2023-01-31} } Petya/Not Petya Ransomware Analysis
EternalPetya
2022-11-18Atlantic CouncilJustin Sherman
@online{sherman:20221118:gru:afc977c, author = {Justin Sherman}, title = {{GRU 26165: The Russian cyber unit that hacks targets on-site}}, date = {2022-11-18}, organization = {Atlantic Council}, url = {https://www.atlanticcouncil.org/content-series/tech-at-the-leading-edge/the-russian-cyber-unit-that-hacks-targets-on-site/}, language = {English}, urldate = {2022-12-20} } GRU 26165: The Russian cyber unit that hacks targets on-site
EternalPetya
2022-10-31The RecordAlexander Martin
@online{martin:20221031:mondelez:a33b8ce, author = {Alexander Martin}, title = {{Mondelez and Zurich reach settlement in NotPetya cyberattack insurance suit}}, date = {2022-10-31}, organization = {The Record}, url = {https://therecord.media/mondelez-and-zurich-reach-settlement-in-notpetya-cyberattack-insurance-suit/}, language = {English}, urldate = {2022-11-03} } Mondelez and Zurich reach settlement in NotPetya cyberattack insurance suit
EternalPetya
2022-10-24Youtube (Virus Bulletin)Alexander Adamov
@online{adamov:20221024:russian:97d3e2a, author = {Alexander Adamov}, title = {{Russian wipers in the cyberwar against Ukraine}}, date = {2022-10-24}, organization = {Youtube (Virus Bulletin)}, url = {https://www.youtube.com/watch?v=mrTdSdMMgnk}, language = {English}, urldate = {2023-03-20} } Russian wipers in the cyberwar against Ukraine
AcidRain CaddyWiper DesertBlade DoubleZero EternalPetya HermeticWiper HermeticWizard INDUSTROYER2 IsaacWiper KillDisk PartyTicket WhisperGate
2022-04-28FortinetGergely Revay
@online{revay:20220428:overview:0ac963f, author = {Gergely Revay}, title = {{An Overview of the Increasing Wiper Malware Threat}}, date = {2022-04-28}, organization = {Fortinet}, url = {https://www.fortinet.com/blog/threat-research/the-increasing-wiper-malware-threat}, language = {English}, urldate = {2022-04-29} } An Overview of the Increasing Wiper Malware Threat
AcidRain CaddyWiper DistTrack DoubleZero EternalPetya HermeticWiper IsaacWiper Olympic Destroyer Ordinypt WhisperGate ZeroCleare
2022-04-20CISACISA, NSA, FBI, Australian Cyber Security Centre (ACSC), Canadian Centre for Cyber Security (CCCS), Government Communications Security Bureau, NCSC UK, National Crime Agency (NCA)
@techreport{cisa:20220420:aa22110a:4fde5d6, author = {CISA and NSA and FBI and Australian Cyber Security Centre (ACSC) and Canadian Centre for Cyber Security (CCCS) and Government Communications Security Bureau and NCSC UK and National Crime Agency (NCA)}, title = {{AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, institution = {CISA}, url = {https://www.cisa.gov/uscert/sites/default/files/publications/AA22-110A_Joint_CSA_Russian_State-Sponsored_and_Criminal_Cyber_Threats_to_Critical_Infrastructure_4_20_22_Final.pdf}, language = {English}, urldate = {2022-04-25} } AA22-110A Joint CSA: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader
2022-04-20CISACISA
@online{cisa:20220420:alert:529e28c, author = {CISA}, title = {{Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure}}, date = {2022-04-20}, organization = {CISA}, url = {https://www.cisa.gov/uscert/ncas/alerts/aa22-110a}, language = {English}, urldate = {2022-04-25} } Alert (AA22-110A): Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure
VPNFilter BlackEnergy DanaBot DoppelDridex Emotet EternalPetya GoldMax Industroyer Sality SmokeLoader TrickBot Triton Zloader Killnet
2022-03-01Marco Ramilli's BlogMarco Ramilli
@online{ramilli:20220301:diskkillhermeticwiper:e543742, author = {Marco Ramilli}, title = {{DiskKill/HermeticWiper and NotPetya (Dis)similarities}}, date = {2022-03-01}, organization = {Marco Ramilli's Blog}, url = {https://marcoramilli.com/2022/03/01/diskkill-hermeticwiper-and-notpetya-dissimilarities/}, language = {English}, urldate = {2022-03-02} } DiskKill/HermeticWiper and NotPetya (Dis)similarities
EternalPetya HermeticWiper
2022-02-25CyberPeace Institute
@online{institute:20220225:ukraine:eb66e34, author = {CyberPeace Institute}, title = {{UKRAINE: Timeline of Cyberattacks}}, date = {2022-02-25}, url = {https://cyberpeaceinstitute.org/ukraine-timeline-of-cyberattacks}, language = {English}, urldate = {2022-03-01} } UKRAINE: Timeline of Cyberattacks
VPNFilter EternalPetya HermeticWiper WhisperGate
2022-02-24nvisoMichel Coene
@online{coene:20220224:threat:f0dba09, author = {Michel Coene}, title = {{Threat Update – Ukraine & Russia conflict}}, date = {2022-02-24}, organization = {nviso}, url = {https://blog.nviso.eu/2022/02/24/threat-update-ukraine-russia-tensions/}, language = {English}, urldate = {2022-03-01} } Threat Update – Ukraine & Russia conflict
EternalPetya GreyEnergy HermeticWiper Industroyer KillDisk WhisperGate
2022-02-24TalosMitch Neff
@online{neff:20220224:threat:93f498c, author = {Mitch Neff}, title = {{Threat Advisory: Current executive guidance for ongoing cyberattacks in Ukraine}}, date = {2022-02-24}, organization = {Talos}, url = {https://blog.talosintelligence.com/2022/02/current-executive-guidance-for-ongoing.html}, language = {English}, urldate = {2022-03-01} } Threat Advisory: Current executive guidance for ongoing cyberattacks in Ukraine
VPNFilter EternalPetya
2022-02-24TesorionTESORION
@techreport{tesorion:20220224:report:e2f2082, author = {TESORION}, title = {{Report OSINT: Russia/ Ukraine Conflict Cyberaspect}}, date = {2022-02-24}, institution = {Tesorion}, url = {https://www.tesorion.nl/en/resources/pdfstore/Report-OSINT-Russia-Ukraine-Conflict-Cyberaspect.pdf}, language = {English}, urldate = {2022-03-01} } Report OSINT: Russia/ Ukraine Conflict Cyberaspect
Mirai VPNFilter BlackEnergy EternalPetya HermeticWiper Industroyer WhisperGate
2022-02-23ISTARIManuel Hepfer
@online{hepfer:20220223:recap:48c7c69, author = {Manuel Hepfer}, title = {{Re-cap: The Untold Story of NotPetya, The Most Devastating Cyberattack in History}}, date = {2022-02-23}, organization = {ISTARI}, url = {https://istari-global.com/spotlight/the-untold-story-of-notpetya/}, language = {English}, urldate = {2022-03-01} } Re-cap: The Untold Story of NotPetya, The Most Devastating Cyberattack in History
EternalPetya
2021-09-09Recorded FutureInsikt Group
@techreport{group:20210909:dark:cd6bb6a, author = {Insikt Group}, title = {{Dark Covenant: Connections Between the Russian State and Criminal Actors}}, date = {2021-09-09}, institution = {Recorded Future}, url = {https://go.recordedfuture.com/hubfs/reports/cta-2021-0909.pdf}, language = {English}, urldate = {2021-09-10} } Dark Covenant: Connections Between the Russian State and Criminal Actors
BlackEnergy EternalPetya Gameover P2P Zeus
2021-05-31WiredAndy Greenberg
@online{greenberg:20210531:hacker:8874190, author = {Andy Greenberg}, title = {{Hacker Lexicon: What Is a Supply Chain Attack?}}, date = {2021-05-31}, organization = {Wired}, url = {https://www.wired.com/story/hacker-lexicon-what-is-a-supply-chain-attack/}, language = {English}, urldate = {2022-10-17} } Hacker Lexicon: What Is a Supply Chain Attack?
EternalPetya SUNBURST
2021-04-29The Institute for Security and TechnologyThe Institute for Security and Technology
@techreport{technology:20210429:combating:0d7c48e, author = {The Institute for Security and Technology}, title = {{Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force}}, date = {2021-04-29}, institution = {The Institute for Security and Technology}, url = {https://securityandtechnology.org/wp-content/uploads/2021/04/IST-Ransomware-Task-Force_Final_Report.pdf}, language = {English}, urldate = {2021-05-03} } Combating Ransomware A Comprehensive Framework for Action: Key Recommendations from the Ransomware Task Force
Conti EternalPetya
2020-12-21IronNetAdam Hlavek, Kimberly Ortiz
@online{hlavek:20201221:russian:804662f, author = {Adam Hlavek and Kimberly Ortiz}, title = {{Russian cyber attack campaigns and actors}}, date = {2020-12-21}, organization = {IronNet}, url = {https://www.ironnet.com/blog/russian-cyber-attack-campaigns-and-actors}, language = {English}, urldate = {2021-01-05} } Russian cyber attack campaigns and actors
WellMail elf.wellmess Agent.BTZ BlackEnergy EternalPetya Havex RAT Industroyer Ryuk Triton WellMess
2020-11-04Stranded on Pylos BlogJoe Slowik
@online{slowik:20201104:enigmatic:c2d7b4e, author = {Joe Slowik}, title = {{The Enigmatic Energetic Bear}}, date = {2020-11-04}, organization = {Stranded on Pylos Blog}, url = {https://pylos.co/2020/11/04/the-enigmatic-energetic-bear/}, language = {English}, urldate = {2020-11-06} } The Enigmatic Energetic Bear
EternalPetya Havex RAT
2020-10-19CyberScoopTim Starks
@online{starks:20201019:us:d77b8f8, author = {Tim Starks}, title = {{US charges Russian GRU officers for NotPetya, other major hacks}}, date = {2020-10-19}, organization = {CyberScoop}, url = {https://www.cyberscoop.com/russian-hackers-notpetya-charges-gru/}, language = {English}, urldate = {2020-10-19} } US charges Russian GRU officers for NotPetya, other major hacks
EternalPetya
2020-10-19Riskint BlogCurtis
@online{curtis:20201019:revisited:df05745, author = {Curtis}, title = {{Revisited: Fancy Bear's New Faces...and Sandworms' too}}, date = {2020-10-19}, organization = {Riskint Blog}, url = {https://www.riskint.blog/post/revisited-fancy-bear-s-new-faces-and-sandworms-too}, language = {English}, urldate = {2020-10-23} } Revisited: Fancy Bear's New Faces...and Sandworms' too
BlackEnergy EternalPetya Industroyer Olympic Destroyer
2020-10-19UK GovernmentForeignCommonwealth & Development Office, Dominic Raab
@online{office:20201019:uk:7ead390, author = {ForeignCommonwealth & Development Office and Dominic Raab}, title = {{UK exposes series of Russian cyber attacks against Olympic and Paralympic Games}}, date = {2020-10-19}, organization = {UK Government}, url = {https://www.gov.uk/government/news/uk-exposes-series-of-russian-cyber-attacks-against-olympic-and-paralympic-games}, language = {English}, urldate = {2020-10-23} } UK exposes series of Russian cyber attacks against Olympic and Paralympic Games
VPNFilter BlackEnergy EternalPetya Industroyer
2020-10-19WiredAndy Greenberg
@online{greenberg:20201019:us:89aec2c, author = {Andy Greenberg}, title = {{US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit}}, date = {2020-10-19}, organization = {Wired}, url = {https://www.wired.com/story/us-indicts-sandworm-hackers-russia-cyberwar-unit/}, language = {English}, urldate = {2020-10-19} } US Indicts Sandworm, Russia's Most Destructive Cyberwar Unit
EternalPetya Olympic Destroyer
2020-08-29AguinetAdrien Guinet
@online{guinet:20200829:emulating:45c0c16, author = {Adrien Guinet}, title = {{Emulating NotPetya bootloader with Miasm}}, date = {2020-08-29}, organization = {Aguinet}, url = {https://aguinet.github.io//blog/2020/08/29/miasm-bootloader.html}, language = {English}, urldate = {2020-09-04} } Emulating NotPetya bootloader with Miasm
EternalPetya
2020-07-29Atlantic CouncilTrey Herr, June Lee, William Loomis, Stewart Scott
@techreport{herr:20200729:breaking:d37db04, author = {Trey Herr and June Lee and William Loomis and Stewart Scott}, title = {{BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain}}, date = {2020-07-29}, institution = {Atlantic Council}, url = {https://www.atlanticcouncil.org/wp-content/uploads/2020/07/Breaking-trust-Shades-of-crisis-across-an-insecure-software-supply-chain.pdf}, language = {English}, urldate = {2020-08-05} } BREAKING TRUST: Shades of Crisis Across an Insecure Software Supply Chain
EternalPetya GoldenSpy Kwampirs Stuxnet
2020-07-29Kaspersky LabsGReAT
@online{great:20200729:trends:6810325, author = {GReAT}, title = {{APT trends report Q2 2020}}, date = {2020-07-29}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2020/97937/}, language = {English}, urldate = {2020-07-30} } APT trends report Q2 2020
PhantomLance Dacls Penquin Turla elf.wellmess AppleJeus Dacls AcidBox Cobalt Strike Dacls EternalPetya Godlike12 Olympic Destroyer PlugX shadowhammer ShadowPad Sinowal VHD Ransomware Volgmer WellMess X-Agent XTunnel
2020-06-21GVNSHTNGavin Ashton
@online{ashton:20200621:maersk:5121522, author = {Gavin Ashton}, title = {{Maersk, me & notPetya}}, date = {2020-06-21}, organization = {GVNSHTN}, url = {https://gvnshtn.com/maersk-me-notpetya/}, language = {English}, urldate = {2020-08-18} } Maersk, me & notPetya
EternalPetya
2020-06-09Kaspersky LabsCostin Raiu
@online{raiu:20200609:looking:3038dce, author = {Costin Raiu}, title = {{Looking at Big Threats Using Code Similarity. Part 1}}, date = {2020-06-09}, organization = {Kaspersky Labs}, url = {https://securelist.com/big-threats-using-code-similarity-part-1/97239/}, language = {English}, urldate = {2020-08-18} } Looking at Big Threats Using Code Similarity. Part 1
Penquin Turla CCleaner Backdoor EternalPetya Regin WannaCryptor XTunnel
2020-03-05MicrosoftMicrosoft Threat Protection Intelligence Team
@online{team:20200305:humanoperated:d90a28e, author = {Microsoft Threat Protection Intelligence Team}, title = {{Human-operated ransomware attacks: A preventable disaster}}, date = {2020-03-05}, organization = {Microsoft}, url = {https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/}, language = {English}, urldate = {2020-03-06} } Human-operated ransomware attacks: A preventable disaster
Dharma DoppelPaymer Dridex EternalPetya Gandcrab Hermes LockerGoga MegaCortex MimiKatz REvil RobinHood Ryuk SamSam TrickBot WannaCryptor PARINACOTA
2020SecureworksSecureWorks
@online{secureworks:2020:iron:3c939bc, author = {SecureWorks}, title = {{IRON VIKING}}, date = {2020}, organization = {Secureworks}, url = {https://www.secureworks.com/research/threat-profiles/iron-viking}, language = {English}, urldate = {2020-05-23} } IRON VIKING
BlackEnergy EternalPetya GreyEnergy Industroyer KillDisk TeleBot TeleDoor
2019-08-01Kaspersky LabsGReAT
@online{great:20190801:trends:5e25d5b, author = {GReAT}, title = {{APT trends report Q2 2019}}, date = {2019-08-01}, organization = {Kaspersky Labs}, url = {https://securelist.com/apt-trends-report-q2-2019/91897/}, language = {English}, urldate = {2020-08-13} } APT trends report Q2 2019
ZooPark magecart POWERSTATS Chaperone COMpfun EternalPetya FinFisher RAT HawkEye Keylogger HOPLIGHT Microcin NjRAT Olympic Destroyer PLEAD RokRAT Triton Zebrocy
2018-10-11ESET ResearchAnton Cherepanov, Robert Lipovsky
@online{cherepanov:20181011:new:8e588c3, author = {Anton Cherepanov and Robert Lipovsky}, title = {{New TeleBots backdoor: First evidence linking Industroyer to NotPetya}}, date = {2018-10-11}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/}, language = {English}, urldate = {2019-11-14} } New TeleBots backdoor: First evidence linking Industroyer to NotPetya
Exaramel EternalPetya Exaramel Industroyer
2018-08-22WiredAndy Greenberg
@online{greenberg:20180822:untold:9dcac56, author = {Andy Greenberg}, title = {{The Untold Story of NotPetya, the Most Devastating Cyberattack in History}}, date = {2018-08-22}, organization = {Wired}, url = {https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/}, language = {English}, urldate = {2022-07-29} } The Untold Story of NotPetya, the Most Devastating Cyberattack in History
EternalPetya
2018-01-13The Washington PostEllen Nakashima
@online{nakashima:20180113:russian:fce58a2, author = {Ellen Nakashima}, title = {{Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes}}, date = {2018-01-13}, organization = {The Washington Post}, url = {https://www.washingtonpost.com/world/national-security/russian-military-was-behind-notpetya-cyberattack-in-ukraine-cia-concludes/2018/01/12/048d8506-f7ca-11e7-b34a-b85626af34ef_story.html}, language = {English}, urldate = {2020-01-06} } Russian military was behind ‘NotPetya’ cyberattack in Ukraine, CIA concludes
EternalPetya
2017-10-27F-SecureF-Secure Global
@online{global:20171027:big:916374a, author = {F-Secure Global}, title = {{The big difference with Bad Rabbit}}, date = {2017-10-27}, organization = {F-Secure}, url = {https://labsblog.f-secure.com/2017/10/27/the-big-difference-with-bad-rabbit/}, language = {English}, urldate = {2020-01-07} } The big difference with Bad Rabbit
EternalPetya
2017-10-26FireEyeBarry Vengerik, Ben Read, Brian Mordosky, Christopher Glyer, Ian Ahl, Matt Williams, Michael Matonis, Nick Carr
@online{vengerik:20171026:backswing:3aab9cf, author = {Barry Vengerik and Ben Read and Brian Mordosky and Christopher Glyer and Ian Ahl and Matt Williams and Michael Matonis and Nick Carr}, title = {{BACKSWING - Pulling a BADRABBIT Out of a Hat}}, date = {2017-10-26}, organization = {FireEye}, url = {https://www.fireeye.com/blog/threat-research/2017/10/backswing-pulling-a-badrabbit-out-of-a-hat.html}, language = {English}, urldate = {2019-12-20} } BACKSWING - Pulling a BADRABBIT Out of a Hat
EternalPetya
2017-10-26Reversing LabsNone
@online{none:20171026:reversinglabs:d3543db, author = {None}, title = {{ReversingLabs' YARA rule detects BadRabbit encryption routine specifics}}, date = {2017-10-26}, organization = {Reversing Labs}, url = {https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html}, language = {English}, urldate = {2019-10-17} } ReversingLabs' YARA rule detects BadRabbit encryption routine specifics
EternalPetya
2017-10-25RiskIQYonathan Klijnsma
@online{klijnsma:20171025:down:8d41ef5, author = {Yonathan Klijnsma}, title = {{Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection}}, date = {2017-10-25}, organization = {RiskIQ}, url = {https://www.riskiq.com/blog/labs/badrabbit/}, language = {English}, urldate = {2020-01-10} } Down the Rabbit Hole: Tracking the BadRabbit Ransomware to a Long Ongoing Campaign of Target Selection
EternalPetya
2017-10-24IntezerJay Rosenberg
@online{rosenberg:20171024:notpetya:7146657, author = {Jay Rosenberg}, title = {{NotPetya Returns as Bad Rabbit}}, date = {2017-10-24}, organization = {Intezer}, url = {http://www.intezer.com/notpetya-returns-bad-rabbit/}, language = {English}, urldate = {2020-01-05} } NotPetya Returns as Bad Rabbit
EternalPetya
2017-10-24ESET ResearchEditor
@online{editor:20171024:kiev:b706a68, author = {Editor}, title = {{Kiev metro hit with a new variant of the infamous Diskcoder ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/kiev-metro-hit-new-variant-infamous-diskcoder-ransomware/?utm_content=buffer8ffe4&utm_medium=social&utm_source=twitter.com&utm_campaign=buffer}, language = {English}, urldate = {2019-11-14} } Kiev metro hit with a new variant of the infamous Diskcoder ransomware
EternalPetya
2017-10-24Cisco TalosNick Biasini
@online{biasini:20171024:threat:7bd8515, author = {Nick Biasini}, title = {{Threat Spotlight: Follow the Bad Rabbit}}, date = {2017-10-24}, organization = {Cisco Talos}, url = {http://blog.talosintelligence.com/2017/10/bad-rabbit.html}, language = {English}, urldate = {2019-12-10} } Threat Spotlight: Follow the Bad Rabbit
EternalPetya
2017-10-24ESET ResearchMarc-Etienne M.Léveillé
@online{mlveill:20171024:bad:5653a57, author = {Marc-Etienne M.Léveillé}, title = {{Bad Rabbit: Not‑Petya is back with improved ransomware}}, date = {2017-10-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back/}, language = {English}, urldate = {2019-07-11} } Bad Rabbit: Not‑Petya is back with improved ransomware
EternalPetya
2017-10-24Kaspersky LabsOrkhan Mamedov, Fedor Sinitsyn, Anton Ivanov
@online{mamedov:20171024:bad:3c21717, author = {Orkhan Mamedov and Fedor Sinitsyn and Anton Ivanov}, title = {{Bad Rabbit ransomware}}, date = {2017-10-24}, organization = {Kaspersky Labs}, url = {https://securelist.com/bad-rabbit-ransomware/82851/}, language = {English}, urldate = {2019-12-20} } Bad Rabbit ransomware
EternalPetya
2017-10-24WiredAndy Greenberg
@online{greenberg:20171024:new:5359735, author = {Andy Greenberg}, title = {{New Ransomware Linked to NotPetya Sweeps Russia and Ukraine}}, date = {2017-10-24}, organization = {Wired}, url = {https://www.wired.com/story/badrabbit-ransomware-notpetya-russia-ukraine/}, language = {English}, urldate = {2020-01-06} } New Ransomware Linked to NotPetya Sweeps Russia and Ukraine
EternalPetya
2017-09-19NCC GroupOllie Whitehouse
@online{whitehouse:20170919:eternalglue:c4348e0, author = {Ollie Whitehouse}, title = {{EternalGlue part one: Rebuilding NotPetya to assess real-world resilience}}, date = {2017-09-19}, organization = {NCC Group}, url = {https://www.nccgroup.trust/uk/about-us/newsroom-and-events/blogs/2017/september/eternalglue-part-one-rebuilding-notpetya-to-assess-real-world-resilience/}, language = {English}, urldate = {2019-12-10} } EternalGlue part one: Rebuilding NotPetya to assess real-world resilience
EternalPetya
2017-08-24ESET ResearchMarc-Etienne M.Léveillé
@online{mlveill:20170824:bad:78b7a5e, author = {Marc-Etienne M.Léveillé}, title = {{Bad Rabbit: Not‑Petya is back with improved ransomware}}, date = {2017-08-24}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/10/24/bad-rabbit-not-petya-back}, language = {English}, urldate = {2022-08-25} } Bad Rabbit: Not‑Petya is back with improved ransomware
EternalPetya Sandworm
2017-08-11ThreatpostTom Spring
@online{spring:20170811:ukrainian:eb4451f, author = {Tom Spring}, title = {{Ukrainian Man Arrested, Charged in NotPetya Distribution}}, date = {2017-08-11}, organization = {Threatpost}, url = {https://threatpost.com/ukrainian-man-arrested-charged-in-notpetya-distribution/127391/}, language = {English}, urldate = {2020-01-05} } Ukrainian Man Arrested, Charged in NotPetya Distribution
EternalPetya
2017-07-14MalwarebytesMalwarebytes Labs
@online{labs:20170714:keeping:0759a8b, author = {Malwarebytes Labs}, title = {{Keeping up with the Petyas: Demystifying the malware family}}, date = {2017-07-14}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/}, language = {English}, urldate = {2019-12-20} } Keeping up with the Petyas: Demystifying the malware family
EternalPetya GoldenEye PetrWrap Petya
2017-07-03The GuardianAlex Hern
@online{hern:20170703:notpetya:ba6bc6c, author = {Alex Hern}, title = {{'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher}}, date = {2017-07-03}, organization = {The Guardian}, url = {https://www.theguardian.com/technology/2017/jul/03/notpetya-malware-attacks-ukraine-warrant-retaliation-nato-researcher-tomas-minarik}, language = {English}, urldate = {2019-07-11} } 'NotPetya' malware attacks could warrant retaliation, says Nato affiliated-researcher
EternalPetya
2017-07-03G DataG Data
@online{data:20170703:who:7b53706, author = {G Data}, title = {{Who is behind Petna?}}, date = {2017-07-03}, organization = {G Data}, url = {https://www.gdatasoftware.com/blog/2017/07/29859-who-is-behind-petna}, language = {English}, urldate = {2020-01-08} } Who is behind Petna?
EternalPetya
2017-07-03CrowdStrikeShaun Hurley, Karan Sood
@online{hurley:20170703:notpetya:1453645, author = {Shaun Hurley and Karan Sood}, title = {{NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery}}, date = {2017-07-03}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/petrwrap-technical-analysis-part-2-further-findings-and-potential-for-mbr-recovery/}, language = {English}, urldate = {2019-12-20} } NotPetya Technical Analysis Part II: Further Findings and Potential for MBR Recovery
EternalPetya
2017-06-30ESET ResearchAnton Cherepanov
@online{cherepanov:20170630:telebots:84aa93d, author = {Anton Cherepanov}, title = {{TeleBots are back: Supply‑chain attacks against Ukraine}}, date = {2017-06-30}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/30/telebots-back-supply-chain-attacks-against-ukraine/}, language = {English}, urldate = {2019-12-20} } TeleBots are back: Supply‑chain attacks against Ukraine
EternalPetya
2017-06-30MalwarebytesMalwarebytes Labs
@online{labs:20170630:eternalpetya:122fb36, author = {Malwarebytes Labs}, title = {{EternalPetya – yet another stolen piece in the package?}}, date = {2017-06-30}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-yet-another-stolen-piece-package/}, language = {English}, urldate = {2019-12-20} } EternalPetya – yet another stolen piece in the package?
EternalPetya
2017-06-30Kaspersky LabsGReAT
@online{great:20170630:from:d91b457, author = {GReAT}, title = {{From BlackEnergy to ExPetr}}, date = {2017-06-30}, organization = {Kaspersky Labs}, url = {https://securelist.com/from-blackenergy-to-expetr/78937/}, language = {English}, urldate = {2019-12-20} } From BlackEnergy to ExPetr
EternalPetya
2017-06-29MicrosoftMicrosoft Defender ATP Research Team
@online{team:20170629:windows:f957ff3, author = {Microsoft Defender ATP Research Team}, title = {{Windows 10 platform resilience against the Petya ransomware attack}}, date = {2017-06-29}, organization = {Microsoft}, url = {https://blogs.technet.microsoft.com/mmpc/2017/06/29/windows-10-platform-resilience-against-the-petya-ransomware-attack/}, language = {English}, urldate = {2020-01-07} } Windows 10 platform resilience against the Petya ransomware attack
EternalPetya
2017-06-29MalwarebytesMalwarebytes Labs
@online{labs:20170629:eternalpetya:bdd5896, author = {Malwarebytes Labs}, title = {{EternalPetya and the lost Salsa20 key}}, date = {2017-06-29}, organization = {Malwarebytes}, url = {https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/}, language = {English}, urldate = {2019-12-20} } EternalPetya and the lost Salsa20 key
EternalPetya
2017-06-29Bleeping ComputerCatalin Cimpanu
@online{cimpanu:20170629:ransomware:d2d7b40, author = {Catalin Cimpanu}, title = {{Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone}}, date = {2017-06-29}, organization = {Bleeping Computer}, url = {https://www.bleepingcomputer.com/news/security/ransomware-attacks-continue-in-ukraine-with-mysterious-wannacry-clone/}, language = {English}, urldate = {2019-12-20} } Ransomware Attacks Continue in Ukraine with Mysterious WannaCry Clone
EternalPetya
2017-06-29Robert Graham
@online{graham:20170629:nonpetya:c470dd8, author = {Robert Graham}, title = {{NonPetya: no evidence it was a "smokescreen"}}, date = {2017-06-29}, url = {http://blog.erratasec.com/2017/06/nonpetya-no-evidence-it-was-smokescreen.html}, language = {English}, urldate = {2020-01-07} } NonPetya: no evidence it was a "smokescreen"
EternalPetya
2017-06-28hacks4pancakes
@online{hacks4pancakes:20170628:why:8053178, author = {hacks4pancakes}, title = {{Why NotPetya Kept Me Awake (& You Should Worry Too)}}, date = {2017-06-28}, url = {https://tisiphone.net/2017/06/28/why-notpetya-kept-me-awake-you-should-worry-too/}, language = {English}, urldate = {2020-01-09} } Why NotPetya Kept Me Awake (& You Should Worry Too)
EternalPetya
2017-06-28Kaspersky LabsAnton Ivanov, Orkhan Mamedov
@online{ivanov:20170628:expetrpetyanotpetya:903b1fc, author = {Anton Ivanov and Orkhan Mamedov}, title = {{ExPetr/Petya/NotPetya is a Wiper, Not Ransomware}}, date = {2017-06-28}, organization = {Kaspersky Labs}, url = {https://securelist.com/expetrpetyanotpetya-is-a-wiper-not-ransomware/78902/}, language = {English}, urldate = {2019-12-20} } ExPetr/Petya/NotPetya is a Wiper, Not Ransomware
EternalPetya
2017-06-28CrowdStrikeFalcon Intelligence Team
@online{team:20170628:crowdstrike:e933e49, author = {Falcon Intelligence Team}, title = {{CrowdStrike Protects Against NotPetya Attack}}, date = {2017-06-28}, organization = {CrowdStrike}, url = {https://www.crowdstrike.com/blog/fast-spreading-petrwrap-ransomware-attack-combines-eternalblue-exploit-credential-stealing/}, language = {English}, urldate = {2019-12-20} } CrowdStrike Protects Against NotPetya Attack
EternalPetya
2017-06-27Kaspersky LabsGReAT
@online{great:20170627:schroedingers:43c7e28, author = {GReAT}, title = {{Schroedinger’s Pet(ya)}}, date = {2017-06-27}, organization = {Kaspersky Labs}, url = {https://securelist.com/schroedingers-petya/78870/}, language = {English}, urldate = {2019-12-20} } Schroedinger’s Pet(ya)
EternalPetya
2017-06-27SANSBrad Duncan
@online{duncan:20170627:checking:23c2251, author = {Brad Duncan}, title = {{Checking out the new Petya variant}}, date = {2017-06-27}, organization = {SANS}, url = {https://isc.sans.edu/forums/diary/Checking+out+the+new+Petya+variant/22562/}, language = {English}, urldate = {2020-01-06} } Checking out the new Petya variant
EternalPetya
2017-06-27Medium thegrugqthegrugq
@online{thegrugq:20170627:pnyetya:45771f2, author = {thegrugq}, title = {{Pnyetya: Yet Another Ransomware Outbreak}}, date = {2017-06-27}, organization = {Medium thegrugq}, url = {https://medium.com/@thegrugq/pnyetya-yet-another-ransomware-outbreak-59afd1ee89d4}, language = {English}, urldate = {2020-01-13} } Pnyetya: Yet Another Ransomware Outbreak
EternalPetya
2017-06-27ESET ResearchEditor
@online{editor:20170627:new:4f7cbcd, author = {Editor}, title = {{New WannaCryptor‑like ransomware attack hits globally: All you need to know}}, date = {2017-06-27}, organization = {ESET Research}, url = {https://www.welivesecurity.com/2017/06/27/new-ransomware-attack-hits-ukraine}, language = {English}, urldate = {2022-08-25} } New WannaCryptor‑like ransomware attack hits globally: All you need to know
EternalPetya Sandworm
2017-05-31MITREMITRE ATT&CK
@online{attck:20170531:sandworm:1a9a446, author = {MITRE ATT&CK}, title = {{Sandworm Team}}, date = {2017-05-31}, organization = {MITRE}, url = {https://attack.mitre.org/groups/G0034}, language = {English}, urldate = {2022-08-25} } Sandworm Team
CyclopsBlink Exaramel BlackEnergy EternalPetya Exaramel GreyEnergy KillDisk MimiKatz Olympic Destroyer Sandworm
Yara Rules
[TLP:WHITE] win_eternal_petya_auto (20230407 | Detects win.eternal_petya.)
rule win_eternal_petya_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.eternal_petya."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { 49 75f9 56 ff15???????? }
            // n = 4, score = 400
            //   49                   | dec                 ecx
            //   75f9                 | jne                 0xfffffffb
            //   56                   | push                esi
            //   ff15????????         |                     

        $sequence_1 = { 53 68f0000000 6a40 ff15???????? 8bd8 }
            // n = 5, score = 400
            //   53                   | push                ebx
            //   68f0000000           | push                0xf0
            //   6a40                 | push                0x40
            //   ff15????????         |                     
            //   8bd8                 | mov                 ebx, eax

        $sequence_2 = { 55 8bec 51 57 68000000f0 6a18 33ff }
            // n = 7, score = 400
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   51                   | push                ecx
            //   57                   | push                edi
            //   68000000f0           | push                0xf0000000
            //   6a18                 | push                0x18
            //   33ff                 | xor                 edi, edi

        $sequence_3 = { 53 8d4644 50 53 6a02 }
            // n = 5, score = 400
            //   53                   | push                ebx
            //   8d4644               | lea                 eax, [esi + 0x44]
            //   50                   | push                eax
            //   53                   | push                ebx
            //   6a02                 | push                2

        $sequence_4 = { 53 6a21 8d460c 50 }
            // n = 4, score = 400
            //   53                   | push                ebx
            //   6a21                 | push                0x21
            //   8d460c               | lea                 eax, [esi + 0xc]
            //   50                   | push                eax

        $sequence_5 = { 55 8bec 83ec50 53 68???????? }
            // n = 5, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec50               | sub                 esp, 0x50
            //   53                   | push                ebx
            //   68????????           |                     

        $sequence_6 = { 55 8bec 83ec7c 33c0 33d2 }
            // n = 5, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   83ec7c               | sub                 esp, 0x7c
            //   33c0                 | xor                 eax, eax
            //   33d2                 | xor                 edx, edx

        $sequence_7 = { 33db 53 33ff 53 }
            // n = 4, score = 300
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   33ff                 | xor                 edi, edi
            //   53                   | push                ebx

        $sequence_8 = { 55 8bec 8b4508 85c0 741a 8b481c }
            // n = 6, score = 300
            //   55                   | push                ebp
            //   8bec                 | mov                 ebp, esp
            //   8b4508               | mov                 eax, dword ptr [ebp + 8]
            //   85c0                 | test                eax, eax
            //   741a                 | je                  0x1c
            //   8b481c               | mov                 ecx, dword ptr [eax + 0x1c]

        $sequence_9 = { 03c8 8bc2 c1e818 03c8 33c0 }
            // n = 5, score = 300
            //   03c8                 | add                 ecx, eax
            //   8bc2                 | mov                 eax, edx
            //   c1e818               | shr                 eax, 0x18
            //   03c8                 | add                 ecx, eax
            //   33c0                 | xor                 eax, eax

        $sequence_10 = { 33db 47 395e34 7520 }
            // n = 4, score = 300
            //   33db                 | xor                 ebx, ebx
            //   47                   | inc                 edi
            //   395e34               | cmp                 dword ptr [esi + 0x34], ebx
            //   7520                 | jne                 0x22

        $sequence_11 = { 33db 50 53 33ff 895df8 }
            // n = 5, score = 300
            //   33db                 | xor                 ebx, ebx
            //   50                   | push                eax
            //   53                   | push                ebx
            //   33ff                 | xor                 edi, edi
            //   895df8               | mov                 dword ptr [ebp - 8], ebx

        $sequence_12 = { 33db 53 53 6aff ff7508 bfe9fd0000 }
            // n = 6, score = 300
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx
            //   53                   | push                ebx
            //   6aff                 | push                -1
            //   ff7508               | push                dword ptr [ebp + 8]
            //   bfe9fd0000           | mov                 edi, 0xfde9

        $sequence_13 = { 8b7008 57 33db 53 }
            // n = 4, score = 200
            //   8b7008               | mov                 esi, dword ptr [eax + 8]
            //   57                   | push                edi
            //   33db                 | xor                 ebx, ebx
            //   53                   | push                ebx

        $sequence_14 = { 8b7008 57 8b7d18 6a00 }
            // n = 4, score = 200
            //   8b7008               | mov                 esi, dword ptr [eax + 8]
            //   57                   | push                edi
            //   8b7d18               | mov                 edi, dword ptr [ebp + 0x18]
            //   6a00                 | push                0

        $sequence_15 = { 8bf8 eb3f 688c000000 50 }
            // n = 4, score = 200
            //   8bf8                 | mov                 edi, eax
            //   eb3f                 | jmp                 0x41
            //   688c000000           | push                0x8c
            //   50                   | push                eax

    condition:
        7 of them and filesize < 851968
}
[TLP:WHITE] win_eternal_petya_w0   (20171222 | No description)
rule win_eternal_petya_w0 {

    meta:
        author = "ReversingLabs"
        date = "2017-11-29"
        source = "https://www.reversinglabs.com/newsroom/news/reversinglabs-yara-rule-detects-badrabbit-encryption-routine-specifics.html"
        info = "ReversingLabs' YARA rule detects BadRabbit encryption routine specifics."
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.eternal_petya"
        malpedia_version = "20171222"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"
    
    strings:
        $encrypt_file = { 55 8B EC 83 EC ?? 53 56 57 8B 7D ?? 8B 4F ?? 33 DB 8D 45 ?? 50 53 53 51 89 5D ?? 89  5D ?? 89 5D ?? FF 15 ?? ?? ?? ?? 85 C0 0F 84 ?? ?? ?? ?? 8B 55 ?? 53 53 6A ?? 53 53  68 ?? ?? ?? ?? 52 FF 15 ?? ?? ?? ?? 8B F0 83 FE ?? 0F 84 ?? ?? ?? ?? 8D 45 ?? 50 8D  4D ?? 51 57 8B CE E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 0F 84 ?? ?? ?? ?? 39 5D ?? 0F 84 ??  ?? ?? ?? 39 5D ?? 0F 84 ?? ?? ?? ?? 8D 55 ?? 52 56 FF 15 ?? ?? ?? ?? 8B 4F ?? 8B 45  ?? 83 C1 ?? 2B C1 19 5D ?? 89 45 ?? 89 5D ?? 78 ?? 7F ?? 3D ?? ?? ?? ?? 76 ?? B8 ??  ?? ?? ?? EB ?? C7 45 ?? ?? ?? ?? ?? 53 50 53 6A ?? 53 8B F8 56 89 45 ?? 89 7D ?? FF  15 ?? ?? ?? ?? 8B D8 85 DB 74 ?? 8B 55 ?? 52 6A ?? 6A ?? 6A ?? 53 FF 15 ?? ?? ?? ??  8B F8 85 FF 74 ?? 8B 4D ?? 8B 55 ?? 8D 45 ?? 50 57 6A ?? 51 6A ?? 52 FF 15 ?? ?? ??  ?? 85 C0 74 ?? 8B 45 ?? 50 57 FF 15 ?? ?? ?? ?? 8B 4D ?? 51 68 ?? ?? ?? ?? E8 ?? ??  ?? ?? 83 C4 ?? 57 FF 15 ?? ?? ?? ?? 53 FF 15 ?? ?? ?? ?? 8B 7D ?? 8B 45 ?? 3B C7 73  ?? 2B F8 EB ?? 33 FF 8B 55 ?? 8B 42 ?? 8D 4C 38 ?? 6A ?? 51 E8 ?? ?? ?? ?? 8B 7D ??  83 C4 ?? 33 DB 56 FF 15 ?? ?? ?? ?? 8B 55 ?? 52 FF 15 ?? ?? ?? ?? 39 5D ?? 74 ?? 39  5D ?? 75 ?? 8B 47 ?? 8B 35 ?? ?? ?? ?? 50 FF D6 8B 7F ?? 3B FB 74 ?? 57 FF D6 5F 5E  5B 8B E5 5D C3 }

        $main_encrypt = { 55 8B EC 56 6A ?? 6A ?? 6A ?? 6A ?? FF 15 ?? ?? ?? ?? 8B 75 ?? 89 46 ?? 85 C0 0F 84  ?? ?? ?? ?? 53 8B 1D ?? ?? ?? ?? 57 68 ?? ?? ?? ?? 6A ?? 6A ?? 6A ?? 8D 7E ?? 57 FF  D3 85 C0 75 ?? FF 15 ?? ?? ?? ?? 3D ?? ?? ?? ?? 75 ?? 6A ?? 6A ?? 6A ?? 6A ?? 57 FF  D3 85 C0 74 ?? 8B 07 8D 5E ?? 53 50 8B 46 ?? E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8B  C6 E8 ?? ?? ?? ?? 85 C0 74 ?? E8 ?? ?? ?? ?? 85 C0 74 ?? 56 8D 4E ?? 6A ?? 51 E8 ??  ?? ?? ?? 8B 56 ?? 83 C4 ?? 52 FF 15 ?? ?? ?? ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ?? 8B 0B  51 FF 15 ?? ?? ?? ?? 8B 17 6A ?? 52 FF 15 ?? ?? ?? ?? 8B 46 ?? 50 FF 15 ?? ?? ?? ??  5F 5B B9 ?? ?? ?? ?? 8D 46 ?? 8B FF C6 00 ?? 40 49 75 ?? 56 FF 15 ?? ?? ?? ?? 33 C0  5E 5D C2 ?? ?? }

        $encryption_loop = { 8B 7C 24 ?? 6A ?? 6A ?? 8D 43 ?? 50 33 C0 39 43 ?? 0F 95 C0 40 50 FF 15 ?? ?? ?? ??  85 C0 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? 83 F8 ?? 0F 84 ?? ?? ?? ?? B9 ??  ?? ?? ?? 8D 44 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ?? 66 8B 50 ?? 66 3B 51 ??  75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83 D8 ?? 85 C0 0F 84 ?? ??  ?? ?? B9 ?? ?? ?? ?? 8D 44 24 ?? 8D 64 24 ?? 66 8B 10 66 3B 11 75 ?? 66 85 D2 74 ??  66 8B 50 ?? 66 3B 51 ?? 75 ?? 83 C0 ?? 83 C1 ?? 66 85 D2 75 ?? 33 C0 EB ?? 1B C0 83  D8 ?? 85 C0 0F 84 ?? ?? ?? ?? 8D 4C 24 ?? 51 57 8D 94 24 ?? ?? ?? ?? 52 FF 15 ?? ??  ?? ?? 85 C0 74 ?? 8B 44 24 ?? A8 ?? 74 ?? A9 ?? ?? ?? ?? 75 ?? 8D BC 24 ?? ?? ?? ??  E8 ?? ?? ?? ?? 85 C0 75 ?? 8B 45 ?? 53 48 50 8B CF 51 E8 ?? ?? ?? ?? 83 C4 ?? EB ??  8D 54 24 ?? 52 FF 15 ?? ?? ?? ?? 8D 4C 24 ?? 8D 71 ?? 90 66 8B 11 83 C1 ?? 66 85 D2  75 ?? 2B CE D1 F9 8D 4C 4C ?? 3B C1 74 ?? 50 E8 ?? ?? ?? ?? 83 C4 ?? 85 C0 74 ?? 8D  94 24 ?? ?? ?? ?? 53 52 E8 ?? ?? ?? ?? 83 C4 ?? 8B 74 24 ?? 8D 44 24 ?? 50 56 FF 15  ?? ?? ?? ?? 85 C0 0F 85 ?? ?? ?? ??}

    condition:
        $encrypt_file and $main_encrypt and $encryption_loop 
}
Download all Yara Rules