
#NotPetya Correlations & Enrichment on TruSTAR

We’re seeing relevant activity on our platform related to the new ransomware attack spreading across Europe and the US. In the past 24 hours, companies from multiple sectors have reported #NotPetya IoCs in the TruSTAR Community. If you’re interested in enrichment data, look no further.


Timelapse of NotPetya IoCs reported on TruSTAR from March 2016 - Present:



Here’s what we know:

  • Security researchers believe this is a variant of Petya ransomware, but there still isn't consensus in the research community. What has been confirmed is that this ransomware, just like WannaCry, uses the ETERNALBLUE tool, which exploits CVE-2017-0144 and was originally revealed in the ShadowBrokers April Wikileaks release.
  • This ransomware has affected a number of large enterprise and government operations across Europe (hospitals, supermarkets, banks), and there are reports of US companies also being impacted.


Here’s what we’re seeing on TruSTAR:

  • Petya is not new - the group behind it has essentially repurposed it, most likely on the back of WannaCry's success. We have reports dating back to late 2016 containing Petya infrastructure IoCs.
  • The group behind Petya has taken a page out of the WannaCry playbook, and the TTPs are strikingly similar.


What you can do:

  • Immediately apply security patch MS17-010 and block or monitor incoming traffic on TCP port 445.
  • Log into TruSTAR and search for Petya or NotPetya in the search bar. You can download IoCs from reports of the latest outbreak, as well as the ones we have been tracking since 2016.
  • We’re collecting more IoCs and relevant context by the minute. Submit reports and update them regularly to enhance contextual data.
  • Use our anonymous chat to collaborate with others investigating the attack.
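The first item above (patch MS17-010, block or monitor TCP 445) as a host-side audit, written here as an added example rather than TruSTAR's own tooling. It assumes an elevated PowerShell 5.1 session on a domain-joined Windows host; the KB list is the set of hotfix IDs Microsoft published for MS17-010, and because later cumulative updates supersede them, a miss means "verify", not "unpatched".

```powershell
# Added example (not TruSTAR's code): audit a Windows host for MS17-010 exposure
# and optionally block inbound SMB (TCP 445) with a local firewall rule.
# Assumption: run elevated; SMB/NetTCPIP cmdlets exist on Windows 8 / 2012 and later.
param([switch]$BlockSmbInbound)

# Hotfix IDs Microsoft shipped for MS17-010 (assumption: list is complete for the
# original release; superseding cumulative updates will not carry these IDs).
$Ms17010Kbs = @('KB4012212','KB4012213','KB4012214','KB4012215','KB4012216',
                'KB4012217','KB4012598','KB4012606','KB4013198','KB4013429')

# 1. Is one of the MS17-010 hotfixes installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    Write-Output "MS17-010 hotfix present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found; confirm a superseding cumulative update is installed."
}

# 2. Is SMBv1 (the protocol ETERNALBLUE targets) still enabled server-side?
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb = Get-SmbServerConfiguration
    if ($smb.EnableSMB1Protocol) {
        Write-Warning "SMBv1 is enabled; disable with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false"
    }
}

# 3. Monitoring: which remote endpoints currently hold SMB sessions to this host?
if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
    Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
        Select-Object RemoteAddress, RemotePort, OwningProcess
}

# 4. Optional mitigation: block inbound TCP 445 on every firewall profile.
if ($BlockSmbInbound) {
    $ruleName = 'Block inbound SMB 445'
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Any | Out-Null
        Write-Output "Inbound TCP 445 blocked by local firewall rule '$ruleName'."
    }
}
```

Blocking 445 on a file server or domain controller breaks legitimate SMB traffic, so run without `-BlockSmbInbound` on those hosts and rely on the session listing plus perimeter filtering instead.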


Don’t hesitate to reach out with questions or concerns to the TS Responder team. Log into TruSTAR now.

Want to learn more about TruSTAR's IoC Search? Click here.
