Blog #NotPetya Correlations & Enrichment on TruSTAR

#NotPetya Correlations & Enrichment on TruSTAR

We’re seeing relevant activity on our platform related to the new ransomware attack spreading across Europe and the US. In the past 24 hours, companies from multiple sectors have reported #NotPetya IoCs in the TruSTAR Community. If you’re interested in enrichment data look no further.


Timelapse of NotPetya IoCs reported on TruSTAR from March 2016 - Present:



Here’s what we know:

  • Security researchers believe this is a variant of Petya ransomware but there still isn't consensus in the research community. What has been confirmed is this ransomware, just like WannaCry, is using the ETERNALBLUE tool which exploits CVE-2017-0144 and was originally revealed in the ShadowBrokers April Wikileaks release.
  • This ransomware has affected a number of large enterprise and government operations across Europe (hospitals, supermarkets, banks) and there are reports of US companies also being impacted.


Here’s what we’re seeing on TruSTAR:

  • Petya is not new - the group behind it has essentially repurposed it most likely based on the success of WannaCry. We have reports dating back to late 2016 with Petya infrastructure IoC's.
  • The group behind Petya has taken a page out of the WannaCry playbook and the TTP's are strikingly similar.


What you can do:

  • Immediately apply security patch MS17-010 and block or monitor incoming traffic on TCP port 445.
  • Log into TruSTAR and search for Petya or NotPetya in the search bar. You can download IoC's from reports of the latest outbreak, as well as the ones we have been tracking since 2016.
  • We’re collecting more IoC’s and relevant context by the minute. Submit reports and update them regularly to enhance contextual data.
  • Use our anonymous chat to collaborate with others investigating the attack.


Don’t hesitate to reach out with questions or concerns to the TS Responder team. Log into TruSTAR now.

Want to learn more about TruSTAR's IoC Search? Click here.

Improved Enclave Filter View Since launching Marketplace in January we have been collecting feedback to improve user experience. Read More
Our New Automated Whitelisting Capability False positives waste time. At TruSTAR, our mission is to empower analysts to make smarter decisions faster about where to focus precious ... Read More
Launching the New TruSTAR Experience Welcome to your new TruSTAR experience! Read More
Product Update: Search and Annotate Investigations on TruSTAR Today we are excited to announce the release of a brand new feature that will help you add information to reports and IOCs that you can refer to a ... Read More