by carvalho 3283 days ago
It is basically WannaCry without the kill switch. It is using the same exploits (EternalBlue). Not some recent zero-day, but sloppy patching.
2 comments

Do you have a source for that?
Not OP, but he is right. I just walked out of work, where I had to reverse the sample. It indeed uses EternalBlue (attacks by enumerating local network IPs with Windows APIs and randomly scanning the internet). Apart from that, it overwrites the MBR with a custom bootloader and schedules a restart ("shutdown /t /r") as SYSTEM in a random amount of time. After rebooting, it fakes a chkdsk and meanwhile encrypts your files.

It is also true that it uses PsExec to spread.

TL;DR: good old Petya ransomware (old as shit) with a copy/pasted EternalBlue-based spreading method. Nothing new.
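
The comment above says the sample overwrites the MBR with a custom bootloader before the forced reboot. The following is an added example, not code from the thread or from the sample: a small MBR integrity check that parses a 512-byte sector 0, validates the 0x55AA boot signature and the partition table, and compares the boot-code region (the first 440 bytes) against a known-good baseline hash. The two MBR images are constructed inline so the script runs offline; the "tampered" one simply carries different boot code with the same partition table and is not the real Petya bootloader. The baseline hash, the sample boot code bytes and the partition layout are all assumptions for the demo.

```python
"""Added example (not from the HN thread): baseline-vs-current MBR check.

Layout of a classic MBR (512 bytes):
  0..439    boot code            (what a bootkit-style ransomware replaces)
  440..443  disk signature       (varies per machine, excluded from the hash)
  444..445  reserved
  446..509  four 16-byte partition entries
  510..511  0x55 0xAA boot signature
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510
BOOT_SIGNATURE = b"\x55\xaa"

# One partition entry: status, CHS start (3, skipped), type, CHS end (3, skipped),
# LBA start, sector count. All little-endian.
PART_ENTRY_FMT = "<B3xB3xII"


def build_mbr(boot_code, partitions):
    """Assemble a 512-byte MBR from boot code and (status, type, lba, sectors) tuples.
    Used here only to construct test images; on a real host you would read sector 0."""
    assert len(boot_code) <= BOOT_CODE_LEN
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, mbr, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         status, ptype, lba_start, sectors)
    mbr[SIGNATURE_OFF:] = BOOT_SIGNATURE
    return bytes(mbr)


def parse_partitions(mbr):
    """Return the non-empty partition entries as dicts."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype == 0:  # unused slot
            continue
        entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def boot_code_hash(mbr):
    """SHA-256 of the boot-code region only; the disk signature at 440..443 is
    per-machine and the partition table is legitimately editable, so neither is hashed."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr, baseline_hash):
    """Return a list of findings; an empty list means the sector looks untouched."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return ["unexpected sector size %d" % len(mbr)]
    if mbr[SIGNATURE_OFF:] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("empty partition table")
    elif not any(p["bootable"] for p in parts):
        findings.append("no active partition")
    return findings


# --- constructed sample data (assumptions, not real disk contents) -------------
# A stand-in for "known good" boot code: a few plausible x86 opcodes, zero-padded.
CLEAN_BOOT_CODE = (b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8").ljust(BOOT_CODE_LEN, b"\x00")
# Stand-in for a foreign bootloader: different bytes, same length budget.
FOREIGN_BOOT_CODE = (b"\xfa\x31\xc0\x8e\xd8\x8e\xd0\xbc\x00\x7c\xfb").ljust(BOOT_CODE_LEN, b"\x90")
# One active NTFS-type (0x07) partition at LBA 2048, 100 MiB in 512-byte sectors.
PARTITIONS = [(0x80, 0x07, 2048, 204800)]

CLEAN_MBR = build_mbr(CLEAN_BOOT_CODE, PARTITIONS)
TAMPERED_MBR = build_mbr(FOREIGN_BOOT_CODE, PARTITIONS)
BASELINE_HASH = boot_code_hash(CLEAN_MBR)  # what you would store at install time


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, parse_partitions(image), check_mbr(image, BASELINE_HASH) or "OK")
```

The check deliberately ignores the disk signature and partition table, so a baseline taken once per machine still matches after legitimate partitioning changes, while a swapped-in bootloader shows up as a boot-code hash mismatch. On a live system you would feed `check_mbr` the first 512 bytes of the physical disk (on Windows, reading `\\.\PhysicalDrive0` requires administrator rights; on Linux, `/dev/sda` or a forensic image) and keep the baseline hash somewhere the host cannot rewrite.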

Can you share literature on what tools you used to reverse-engineer it, and maybe other items worth reading if I am interested in this type of research?
Literature: sorry no, I didn't read anything; everything I know is from practice.

As for the tools: just IDA Pro, really, if you don't count the standard stuff: a VM to avoid getting the host infected (VirtualBox), Burp (to analyze malware HTTP traffic), etc. Nothing too fancy.