EternalPetya_BadRabbit_Comparison.xlsx
| | EternalPetya | BadRabbit |
|---|---|---|
| Other names | ExPetr; NotPetya; Nyetya; Petna | Bad Rabbit |
| Most affected countries | UKR; other European countries; RU; US | UKR; RU; BG; TR |
| Most affected organisations | Telecomms; energy; shipping (multinational) | Media; transportation |
| Infection vector | Supply-chain attack (M.E. Doc) | Compromised website (drive-by download) |
| Ransomware DLLs / filenames | perfc.dat | infpub.dat; cscc.dat |
| Binaries are signed | Yes (expired Microsoft signature) | Yes (expired Microsoft signature; invalid Symantec signature) |
| Creates service | No | Yes (Windows Client Side Caching DDriver) |
| Exploits/vulnerabilities | EternalRomance (ER); EternalBlue (EB) | EternalRomance-like, but no DoublePulsar or shellcode (based on zzz_exploit.py by sleepya) |
| Credential-grabbing | Mimikatz (custom; limited version) | Mimikatz (custom; limited version); hardcoded credential list |
| Uses named pipes for grabbed credentials | Yes | Yes |
| Lateral movement/spreading | ER; EB; PsExec; WMIC; SMB/NetBIOS (scanning) | zzz_exploit; WMIC; SMB/NetBIOS (scanning) |
| Forces reboot | Yes (scheduled task; NtRaiseHardError) | Yes (scheduled task) |
| Uses scheduled tasks for reboot and persistence | Yes | Yes |
| Deletes event logs / journal | Yes | Yes |
| Uses Tor for C2 / payment portal | Yes | Yes |
| Encryption algorithm | AES-128 (CBC) + RSA-2048 | AES-128 (CBC) + RSA-2048 |
| Encrypts files | Yes | Yes |
| Encrypts/modifies MBR | Yes (installed at the beginning of the MBR) | Yes (installed at the end of the MBR) |
| Encrypts/modifies MFT | Yes (Salsa20) | Yes (AES-256-XTS) |
| Kernel bootloader | Modified Petya bootloader | Custom + DiskCryptor |
| Fake CHKDSK message | Yes | No |
| Uses DiskCryptor (legitimate tool by itself) | No | Yes |
| Ransomware demand | $300 in Bitcoin (~0.05 BTC) | 0.05 Bitcoin (~$300) |
| Bitcoin wallets | Multiple | Multiple |
| Number of targeted filetypes / extensions | 62 | 113 |
| Decryption possible | No (key is erased or wiped) | Possibly (volume shadow copies; or with the cyber-criminal's private key) |
| References to pop culture | No | Yes (Game of Thrones; Hackers movie) |
| Purpose | Likely destruction/disruption | Likely extortion/disruption |
| Date of outbreak | 2017-06-27 | 2017-10-24 |
| Date significance in UKR | Constitution Day (28th) | None |
| Date significance in RU | None | Day of the Special Forces |
| Date significance globally | None | United Nations Day |
| Attribution | Likely Russia-based actors | Likely Russia-based actors |

Created by: @bartblaze
Source: https://bartblaze.blogspot.com