Talk:Petya (malware family)

Skull and crossbones image
Is that copyrightable? I'd like to upload a version to commons. Anna Frodesiak (talk) 23:18, 27 June 2017 (UTC)

The skull and bones is to my knowledge an old gnostic symbol, often representing secret knowledge. It is accusedly used by certain societies and it is also e.g. in use by German football club FC St. Pauli in its "Totenkopf"- logo. Combination of skull and bones can also be used to indicate poisonous thing or substance. This symbol on item indicates it is dangerous for consumption and doing so can result to loss of life. Buddhaball 13:21, 22 July 2017 (UTC) — Preceding unsigned comment added by Partaj1 (talk • contribs)

A PNG version (instead of BadJPEG) could be found here: https://media.kasperskydaily.com/wp-content/uploads/sites/86/2016/03/05194038/petya-ransomware-featured.png — Preceding unsigned comment added by 193.178.171.60 (talk) 15:35, 11 July 2019 (UTC)

Main article and attack articles
We have WannaCry ransomware attack and Petya (malware) but both are really about the attack, no? Couldn't we have a parent article about the basic thing, and then attack articles about how each attack happened and how the thing was a bit of a variant and worked differently this time? Wouldn't that serve visitors well and prevent duplicate/conflicting info? Anna Frodesiak (talk) 04:02, 28 June 2017 (UTC)
 * The difference with Petya is that there are several variants over a longer duration; while the variant of WannaCry that caused the most damage was one of the first variants (if not the first variant), Petya variants had been out for about a year before this version incorporated some of the NSA exploits popularised by WannaCry. So we could potentially create a separate article for this version of Petya (that people are ironically calling NotPetya), but just as we would need to ask what makes this version of Petya notable to have its own article, we would likewise need to ask what makes the other variants of Petya notable enough to have their own article separate from the current major variant. — Sasuke Sarutobi (talk) 15:42, 28 June 2017 (UTC)
 * To clarify, it is partly a matter of quantity of content. If sufficient content can be developed to support two articles (one about the software and one about the attack), by all means, but I'd rather have one well-developed article than two stubs. — Sasuke Sarutobi (talk) 15:45, 28 June 2017 (UTC)
 * Hi Sasuke Sarutobi. Fair enough, my friend. Thank you. :) Anna Frodesiak (talk) 02:22, 29 June 2017 (UTC)
 * I also support two separate articles. Content about the petya malware should be separated from this NotPetya cyberattack. --Fixuture (talk) 11:21, 29 June 2017 (UTC)
 * Technical analysis by NCCIC & US-CERT on Petya available at: https://www.us-cert.gov/sites/default/files/publications/MIFR-10130295.pdf Buddhaball 16:27, 22 July 2017 (UTC)

The claim that NotPetya was meant to be destructive is at least arguable
I know that the article says "prompted researchers to speculate" - but maybe the arguments of the alternate view point should also be listed? Let me expand on this.

There are several Petya variants - the original Petya (which encrypts the MFT), Misha (which encrypts files), and Goldeneye (which tries to encrypt the MFT and resorts to encrypting files, if that fails because the victim doesn't have admin privileges). NotPetya is very heavily based on Goldeneye (the boot loader is like 98% the same code). The reason why people are speculating that it was a wiper (masquerading as ransomware), instead of ransomware, is because once the MFT is encrypted, the key is overwritten and lost irrecoverably, instead of being encrypted with the public key of the author, therefore making recovery impossible even by the author.

However, if the victim does not have admin privileges then NotPetya, just like Goldeneye, resorts to encrypting files. The key for them is not lost. They could be decrypted, if the author provides the decrypted encryption key (e.g., after ransom is paid). Of course, just about anyone is running as admin, so this situation occurs rarely. The point I am trying to make is that NotPetya has two ransomware components and while one of them is broken and made destructive, the other one is fully functional.

Now, let's assume that the motive of the attacker was indeed damage instead of profit. In that case, why go through all the trouble of implementing the fully functional second part of the ransomware - an effort that is mostly wasted since most of the time it is not used anyway? And if the idea was to make a destructive program that masqueraded as ransomware, why making the destructive part obvious (by intentionally destroying the encryption key) instead of simply not delivering a decryption key after receiving a ransom payment? It simply does not make sense.

The only reasonable explanation is that it (the ransomware part) was badly coded by incompetent attackers who botched their work while trying to modify Goldeneye (change the public key of the author, etc.), resulting in a destructive program. Note that the other parts of the operation - the compromise of the supply chain at M.E.Doc and the worm replication mechanism in NotPetya - are anything but incompetent. Which makes me conclude that, while Russian intelligence bears responsibility for this operation, they did not control it directly. Most likely, they provided the tools (worm replication, exploit) and the infrastructure (hacked M.E.Doc machines) to some incompetent cyber criminals and gave them the general direction to "cause trouble to Ukraine".

I normally don't edit Wikipedia entries, so I don't have an account but my name is Vesselin Bontchev, I am a computer virus expert, and can be reached at vbontchev@yahoo.com. 46.10.52.5 (talk) 14:44, 26 May 2019 (UTC)

Size or identifier?
Is there an expected size to the virus? And if so how many bites or lines of code is it? (original) Then to identify it, usually there is code unique to this virus and can be reported? I did not see this in the article on a quick glance.--Mark v1.0 (talk) 15:40, 25 June 2022 (UTC)

Requested move 28 August 2023

 * The following is a closed discussion of a requested move. Please do not modify it. Subsequent comments should be made in a new section on the talk page. Editors desiring to contest the closing decision should consider a move review after discussing it on the closer's talk page. No further edits should be made to this discussion.

The result of the move request was: moved. Uncontested request. (closed by non-admin page mover)  ❯❯❯  Raydann  (Talk)   22:23, 4 September 2023 (UTC)

Petya and NotPetya → Petya (malware family) – as per intro section – John192746 (talk) 17:41, 28 August 2023 (UTC)


 * Alternatively: Petya and NotPetya → Petya (malware) or Petya and NotPetya → Petya – John192746 (talk) 17:41, 28 August 2023 (UTC)

The discussion above is closed. Please do not modify it. Subsequent comments should be made on the appropriate discussion page. No further edits should be made to this discussion.