{"id":80063,"date":"2018-02-05T09:00:26","date_gmt":"2018-02-05T17:00:26","guid":{"rendered":"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/?p=80063"},"modified":"2023-08-03T14:43:26","modified_gmt":"2023-08-03T21:43:26","slug":"overview-of-petya-a-rapid-cyberattack","status":"publish","type":"post","link":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/","title":{"rendered":"Overview of Petya, a rapid cyberattack"},"content":{"rendered":"<p>In the <a href=\"https:\/\/cloudblogs.microsoft.com\/microsoftsecure\/2018\/01\/23\/overview-of-rapid-cyberattacks\/\">first blog post<\/a> of this 3-part series, we introduced what rapid cyberattacks are and illustrated how they are different in terms of execution and outcome. Next, we will go into some more details on the Petya (aka NotPetya) attack.<\/p>\n<h2>How Petya worked<\/h2>\n<p>The Petya attack chain is well understood, although a few small mysteries remain. Here are the four steps in the Petya kill chain:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-80066 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked-1024x493.png\" alt=\"\" width=\"1024\" height=\"493\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked-1024x493.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked-300x144.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked-768x370.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked.png 1924w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center\"><em>Figure 1:\u00a0How the Petya attack worked<\/em><\/p>\n<ol>\n<li><strong>Prepare<\/strong> &#8211; The Petya attack began with a compromise of the MEDoc application. As organizations updated the application, the Petya code was initiated.<\/li>\n<li><strong>Enter<\/strong> &#8211; When MEDoc customers installed the software update, the Petya code ran on an enterprise host and began to propagate in the enterprise.<\/li>\n<li><strong>Traverse<\/strong> &#8211; The malware used two means to traverse:\n<ul>\n<li><em>Exploitation<\/em> \u2013 Exploited vulnerability in SMBv1 (<a href=\"https:\/\/docs.microsoft.com\/en-us\/security-updates\/SecurityBulletins\/2017\/ms17-010\">MS17-010<\/a>).<\/li>\n<li><em>Credential theft<\/em> \u2013 Impersonated any currently logged on accounts (including service accounts).<\/li>\n<li>Note that Petya only compromised accounts that were logged on with an active session (e.g. credentials loaded into LSASS memory).<\/li>\n<\/ul>\n<\/li>\n<li><strong>Execute<\/strong> &#8211; Petya would then reboot and start the encryption process. While the screen text claimed to be ransomware, this attack was clearly intended to wipe data as there was no technical provision in the malware to generate individual keys and register them with a central service (standard ransomware procedures to enable recovery).<\/li>\n<\/ol>\n<h2>Unknowns and Unique Characteristics of Petya:<\/h2>\n<p>Although it is unclear if Petya was intended to have as widespread an impact as it ended up having, it is likely that this attack was built by an advanced group, considering the following:<\/p>\n<ul>\n<li>The Petya attack wiped the event logs on the system, which is \u201cunneeded\u201d as the drive was wiped later anyways. This leaves an open question on whether this is just standard anti-forensic practice (as is common for many advanced attack groups) or whether there were other attack actions\/operations being covered up by Petya.<\/li>\n<li>The supply chain approach taken by Petya requires a well-funded adversary with a high level of investment into attack skills\/capability. Although supply chain attacks are rising, these still represent a small percentage of how attackers get into corporate environments and require a higher degree of sophistication to execute.<\/li>\n<\/ul>\n<h2>Petya and Traversal\/Propagation<\/h2>\n<p>Our observation was that Petya spread more by using identity impersonation techniques than through MS17-010 vulnerability exploitation. This is likely because of the emergency patching initiatives organizations followed to deploy MS17-010 in response to the WannaCrypt attacks and associated publicity.<\/p>\n<p>The Petya attacks also resurfaced a popular misconception about mitigating lateral traversal which comes up frequently in targeted data theft attacks. <em>If a threat actor has acquired the credentials needed for lateral traversal, you can <span style=\"text-decoration: underline\"><strong>NOT<\/strong><\/span> block the attack by disabling execution methods like PowerShell or WMI<\/em>. This is not a good choke point because legitimate remote management requires at least one process execution method to be enabled.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-80069 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-spreads-1024x436.png\" alt=\"\" width=\"1024\" height=\"436\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-spreads-1024x436.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-spreads-300x128.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-spreads-768x327.png 768w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center\"><em>Figure 2:\u00a0How the Petya attack spreads<\/em><\/p>\n<p>You\u2019ll see in the illustration above that achieving traversal requires three technical phases:<\/p>\n<p><strong>1st phase: Targeting<\/strong> \u2013 Identify which machines to attack\/spread to next.<\/p>\n<p>Petya\u2019s targeting mechanism was consistent with normal worm behavior. However, Petya did include a unique \u201cinnovation\u201d where it acquired IPs to target from the DHCP subnet configuration from servers and DCs to accelerate its spread.<\/p>\n<p><strong>2nd phase: Privilege acquisition<\/strong> \u2013 Gain the privileges required to compromise those remote machines.<\/p>\n<p>A unique aspect of Petya is that it used automated credential theft and re-use to spread, in addition to the vulnerability exploitation. As mentioned earlier, most of the propagation in the attacks we investigated was due to the impersonation technique. This resulted in impersonation of the SYSTEM context (computer account) as well as any other accounts that were logged in to those systems (including service accounts, administrators, and standard users).<\/p>\n<p><strong>3rd phase: Process execution<\/strong> \u2013 Obtain the means to launch the malware on the compromised machine.<\/p>\n<p>This phase is not an area we recommend focusing defenses on because:<\/p>\n<ol>\n<li>An attacker (or worm) with legitimate credentials (or impersonated session) can easily use another available process execution method.<\/li>\n<li>Remote management by IT operations requires at least one process execution method to be available.<\/li>\n<\/ol>\n<p>Because of this, we strongly advise organizations to <strong>focus mitigation efforts on the privilege acquisition phase (2)<\/strong> for both rapid destruction and targeted data theft attacks, and <strong>not prioritize blocking at the process execution phase (3)<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-80072 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Most-Petya-propagations-were-due-to-impersonation-credential-theft-1024x492.png\" alt=\"\" width=\"1024\" height=\"492\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Most-Petya-propagations-were-due-to-impersonation-credential-theft-1024x492.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Most-Petya-propagations-were-due-to-impersonation-credential-theft-300x144.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Most-Petya-propagations-were-due-to-impersonation-credential-theft-768x369.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Most-Petya-propagations-were-due-to-impersonation-credential-theft.png 1950w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center\"><em>Figure 3:\u00a0Most Petya propagations were due to impersonation (credential theft)<\/em><\/p>\n<p>Because of the dual channel approach to propagation, even an organization that had reached 97% of their endpoints with MS17-010 patching was infected enterprise-wide by Petya. This shows that mitigating just one vector is not enough.<\/p>\n<p>The good news here is that any investment made into credential theft defenses (as well as patching and other defenses) will directly benefit your ability to stave off targeted data theft attacks because Petya simply re-used attack methods popularized in those attacks.<\/p>\n<h2>Attack and Recovery Experience: Learnings from Petya<\/h2>\n<p>Many impacted organizations were not prepared for this type of disaster in their disaster recovery plan. The key areas of learnings from real world cases of these attacks are:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-large wp-image-80075 aligncenter\" src=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Common-learnings-from-rapid-cyberattack-recovery-1024x583.png\" alt=\"\" width=\"1024\" height=\"583\" srcset=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Common-learnings-from-rapid-cyberattack-recovery-1024x583.png 1024w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Common-learnings-from-rapid-cyberattack-recovery-300x171.png 300w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Common-learnings-from-rapid-cyberattack-recovery-768x437.png 768w, https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/Common-learnings-from-rapid-cyberattack-recovery.png 1394w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><\/p>\n<p style=\"text-align: center\"><em>Figure 4:<\/em>\u00a0<em>Common learnings from rapid cyberattack recovery<\/em><\/p>\n<p><strong>Offline Recovery Required<\/strong> \u2013 Many organizations affected by Petya found that their backup applications and Operating System (OS) deployment systems were taken out in the attack, significantly delaying their ability to recover business operations. In some cases, IT staff had to resort to printed documentation because the servers housing their recovery process documentation were also down.<\/p>\n<p><strong>Communications down<\/strong> \u2013 Many organizations also found themselves without standard corporate communications like email. In almost all cases, company communications with employees was reliant on alternate mechanisms like WhatsApp, copy\/pasting broadcast text messages, mobile phones, personal email addresses, and Twitter.<\/p>\n<p>In several cases, organizations had a fully functioning Office 365 instance (SaaS services were unaffected by this attack), but users couldn\u2019t access Office 365 services because authentication was federated to the on premises Active Directory (AD), which was down.<\/p>\n<h2>More information<\/h2>\n<p>To learn more about rapid cyber attacks and how to protect against them, watch the on-demand webinar: <a href=\"https:\/\/aka.ms\/rapidattack-webinar\">Protect Against Rapid Cyberattacks (Petya, WannaCrypt, and similar)<\/a>.<\/p>\n<p>Look out for the next and final blog post of a 3-part series to learn about Microsoft&#8217;s recommendations on mitigating rapid cyberattacks.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how they are different in terms of execution and outcome. Next, we will go into some more details on the Petya (aka NotPetya) attack. How Petya worked The Petya attack chain is well understood, although a few small [&hellip;]<\/p>\n","protected":false},"author":61,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"ep_exclude_from_search":false,"_classifai_error":"","footnotes":""},"content-type":[3662],"topic":[3684,3688],"products":[],"threat-intelligence":[],"tags":[3896,3822],"coauthors":[1906],"class_list":["post-80063","post","type-post","status-publish","format-standard","hentry","content-type-news","topic-security-operations","topic-threat-trends","tag-credential-theft","tag-microsoft-security-insights"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.9 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Overview of Petya, a rapid cyberattack | Microsoft Security Blog<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Overview of Petya, a rapid cyberattack | Microsoft Security Blog\" \/>\n<meta property=\"og:description\" content=\"In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how they are different in terms of execution and outcome. Next, we will go into some more details on the Petya (aka NotPetya) attack. How Petya worked The Petya attack chain is well understood, although a few small [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/\" \/>\n<meta property=\"og:site_name\" content=\"Microsoft Security Blog\" \/>\n<meta property=\"article:published_time\" content=\"2018-02-05T17:00:26+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2023-08-03T21:43:26+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/uploads\/2018\/02\/How-the-Petya-attack-worked-1024x493.png\" \/>\n<meta name=\"author\" content=\"Mark Simos\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Mark Simos\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"4 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/\"},\"author\":[{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/mark-simos\/\",\"@type\":\"Person\",\"@name\":\"Mark Simos\"}],\"headline\":\"Overview of Petya, a rapid cyberattack\",\"datePublished\":\"2018-02-05T17:00:26+00:00\",\"dateModified\":\"2023-08-03T21:43:26+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/\"},\"wordCount\":1042,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked-1024x493.png\",\"keywords\":[\"Credential theft\",\"Microsoft Security Insights\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/\",\"name\":\"Overview of Petya, a rapid cyberattack | Microsoft Security Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked-1024x493.png\",\"datePublished\":\"2018-02-05T17:00:26+00:00\",\"dateModified\":\"2023-08-03T21:43:26+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#primaryimage\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked.png\",\"width\":1924,\"height\":926},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Overview of Petya, a rapid cyberattack\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"name\":\"Microsoft Security Blog\",\"description\":\"Expert coverage of cybersecurity topics\",\"publisher\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization\",\"name\":\"Microsoft Security Blog\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"contentUrl\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png\",\"width\":512,\"height\":512,\"caption\":\"Microsoft Security Blog\"},\"image\":{\"@id\":\"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Overview of Petya, a rapid cyberattack | Microsoft Security Blog","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/","og_locale":"en_US","og_type":"article","og_title":"Overview of Petya, a rapid cyberattack | Microsoft Security Blog","og_description":"In the first blog post of this 3-part series, we introduced what rapid cyberattacks are and illustrated how they are different in terms of execution and outcome. Next, we will go into some more details on the Petya (aka NotPetya) attack. How Petya worked The Petya attack chain is well understood, although a few small [&hellip;]","og_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/","og_site_name":"Microsoft Security Blog","article_published_time":"2018-02-05T17:00:26+00:00","article_modified_time":"2023-08-03T21:43:26+00:00","og_image":[{"url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/uploads\/2018\/02\/How-the-Petya-attack-worked-1024x493.png"}],"author":"Mark Simos","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Mark Simos","Est. reading time":"4 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#article","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/"},"author":[{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/author\/mark-simos\/","@type":"Person","@name":"Mark Simos"}],"headline":"Overview of Petya, a rapid cyberattack","datePublished":"2018-02-05T17:00:26+00:00","dateModified":"2023-08-03T21:43:26+00:00","mainEntityOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/"},"wordCount":1042,"commentCount":0,"publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked-1024x493.png","keywords":["Credential theft","Microsoft Security Insights"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/","name":"Overview of Petya, a rapid cyberattack | Microsoft Security Blog","isPartOf":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#primaryimage"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#primaryimage"},"thumbnailUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked-1024x493.png","datePublished":"2018-02-05T17:00:26+00:00","dateModified":"2023-08-03T21:43:26+00:00","breadcrumb":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#primaryimage","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/02\/How-the-Petya-attack-worked.png","width":1924,"height":926},{"@type":"BreadcrumbList","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/2018\/02\/05\/overview-of-petya-a-rapid-cyberattack\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/"},{"@type":"ListItem","position":2,"name":"Overview of Petya, a rapid cyberattack"}]},{"@type":"WebSite","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#website","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","name":"Microsoft Security Blog","description":"Expert coverage of cybersecurity topics","publisher":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#organization","name":"Microsoft Security Blog","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","contentUrl":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-content\/uploads\/2018\/08\/cropped-cropped-microsoft_logo_element.png","width":512,"height":512,"caption":"Microsoft Security Blog"},"image":{"@id":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/#\/schema\/logo\/image\/"}}]}},"msxcm_display_generated_audio":false,"distributor_meta":false,"distributor_terms":false,"distributor_media":false,"distributor_original_site_name":"Microsoft Security Blog","distributor_original_site_url":"https:\/\/www.microsoft.com\/en-us\/security\/blog","push-errors":false,"_links":{"self":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/80063"}],"collection":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/users\/61"}],"replies":[{"embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/comments?post=80063"}],"version-history":[{"count":0,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/posts\/80063\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/media?parent=80063"}],"wp:term":[{"taxonomy":"content-type","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/content-type?post=80063"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/topic?post=80063"},{"taxonomy":"products","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/products?post=80063"},{"taxonomy":"threat-intelligence","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/threat-intelligence?post=80063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/tags?post=80063"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.microsoft.com\/en-us\/security\/blog\/wp-json\/wp\/v2\/coauthors?post=80063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}