Petya: What you need to know

Context has become aware of a new self-propagating variant of the “Petya” ransomware which spreads using the EternalBlue SMB exploit made famous by WannaCry.

By Kevin O’Reilly

Principal Consultant

27 Jun 2017

Like WannaCry, this malware variant contains an embedded payload which is automatically extracted by Context’s malware configuration and payload extraction system, CAPE. 
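To make concrete what "embedded payload" means here, the following is an added example written for this page, not CAPE's own extraction code: it statically scans a carrier executable for MZ/PE header pairs and carves each embedded image out using its section table. The dropper and inner payload are synthetic, constructed inline, so it runs offline. Two caveats a practitioner should keep in mind: the MZ/PE heuristic yields candidates rather than proof on arbitrary bytes, and static carving only finds payloads stored in the clear, which is why a sandbox-based extractor such as CAPE is still needed for packed or encrypted payloads.

```python
"""
Added example for this page (not CAPE's own code): statically locate PE images
embedded inside a carrier executable and carve them out. The dropper and the
embedded payload below are synthetic, built inline, so the script runs offline.
"""
import struct
from typing import List, Tuple

SECTION_HDR = 40        # size of one IMAGE_SECTION_HEADER
COFF_HDR = 24           # "PE\0\0" signature plus IMAGE_FILE_HEADER


def find_embedded_pe(data: bytes) -> List[Tuple[int, int]]:
    """Return (offset, e_lfanew) for every plausible PE header in data.

    A hit needs an 'MZ' stub, an e_lfanew (DOS header +0x3C) that is sane and
    stays inside the buffer, and 'PE\\0\\0' at that position. On arbitrary
    bytes this is a heuristic: treat results as candidates, not proof.
    """
    hits = []
    pos = data.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(data):
            e_lfanew = struct.unpack_from("<I", data, pos + 0x3C)[0]
            pe = pos + e_lfanew
            if 0x40 <= e_lfanew < 0x1000 and data[pe:pe + 4] == b"PE\x00\x00":
                hits.append((pos, e_lfanew))
        pos = data.find(b"MZ", pos + 1)
    return hits


def pe_image_size(data: bytes, offset: int, e_lfanew: int) -> int:
    """On-disk size of the PE at offset: the furthest end of any section's raw
    data (PointerToRawData + SizeOfRawData), or SizeOfHeaders if there is
    none, clamped to the buffer."""
    pe = offset + e_lfanew
    if pe + COFF_HDR + 64 > len(data):
        return len(data) - offset
    num_sections = struct.unpack_from("<H", data, pe + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]
    end = struct.unpack_from("<I", data, pe + COFF_HDR + 60)[0]  # SizeOfHeaders
    table = pe + COFF_HDR + opt_size
    for i in range(num_sections):
        entry = table + i * SECTION_HDR
        if entry + SECTION_HDR > len(data):
            break
        raw_size, raw_ptr = struct.unpack_from("<II", data, entry + 16)
        end = max(end, raw_ptr + raw_size)
    return min(end, len(data) - offset)


def carve_embedded_pe(data: bytes) -> List[Tuple[int, bytes]]:
    """Carve every PE found after the carrier's own header (offset 0)."""
    return [(off, data[off:off + pe_image_size(data, off, lfa)])
            for off, lfa in find_embedded_pe(data) if off != 0]


def build_minimal_pe(section_data: bytes, file_align: int = 0x200) -> bytes:
    """Constructed test data: a small, structurally valid PE32 with one
    section. Not derived from any real sample."""
    e_lfanew, opt_size = 0x40, 0xE0
    hdr_len = e_lfanew + COFF_HDR + opt_size + SECTION_HDR
    size_of_headers = -(-hdr_len // file_align) * file_align
    raw_size = -(-len(section_data) // file_align) * file_align
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    for off, fmt, val in ((0, "<H", 0x10B), (16, "<I", 0x1000), (28, "<I", 0x400000),
                          (32, "<I", 0x1000), (36, "<I", file_align),
                          (56, "<I", 0x2000), (60, "<I", size_of_headers),
                          (68, "<H", 2), (92, "<I", 16)):
        struct.pack_into(fmt, opt, off, val)
    sect = struct.pack("<8sIIIIIIHHI", b".text", len(section_data), 0x1000,
                       raw_size, size_of_headers, 0, 0, 0, 0, 0x60000020)
    image = bytearray(dos + b"PE\x00\x00" + coff + opt + sect)
    image += bytes(size_of_headers - len(image))
    image += section_data + bytes(raw_size - len(section_data))
    return bytes(image)


# Constructed sample: a dropper whose .text section holds a decoy "MZ" stub
# (no valid PE header behind it) followed by a complete second PE.
INNER_PE = build_minimal_pe(b"payload code bytes" * 4)
DROPPER = build_minimal_pe(
    b"MZ" + bytes(0x3E) + b"not a pe" + INNER_PE + b"trailing")


if __name__ == "__main__":
    for off, lfa in find_embedded_pe(DROPPER):
        print(f"PE header at 0x{off:x}, size 0x{pe_image_size(DROPPER, off, lfa):x}")
    for off, blob in carve_embedded_pe(DROPPER):
        print(f"carved 0x{len(blob):x} bytes from 0x{off:x}, "
              f"identical to inner PE: {blob == INNER_PE}")
```

Run against a real file by replacing `DROPPER` with the file's bytes; the decoy stub in the sample shows why the e_lfanew and "PE\0\0" checks matter, since a bare "MZ" is far too common to act on alone.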

We have added a signature to CAPE to allow detection of the extracted payload, which can be seen in the following CAPE analysis:

Our advice with this malware variant is the same as that for the earlier WannaCry outbreak. Read our blog post here: WannaCry: What you need to know

In addition to its ability to spread as a network worm, we believe the initial infection vector to be via email, so the usual advice about caution when opening email attachments or links applies here. Please also upload any attachments you are suspicious of to our public CAPE instance, and keep an eye on further submissions for any other variants that we come across.

If you are interested in having your own instance of CAPE to help in the fight against malware, you may find it on Context’s github at 
