<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p><img src="https://info.threatstop.com/hubfs/Golden%20eye.jpg" alt="Golden eye" style="display: block; margin-left: auto; margin-right: auto; width: 455px;" title="Golden eye" caption="false" data-constrained="true" width="455"></p>
<p>In light of the devastating <a href="https://blog.threatstop.com/notpetya-ransomware-attack-hits-europe-moving-on-to-u.s">NotPetya attack</a>, the creator of the original <strong>Petya</strong> ransomware <a href="https://blog.malwarebytes.com/cybercrime/2017/07/the-key-to-the-old-petya-has-been-published-by-the-malware-author/">has released</a> his private key for the malware. This means victims of the original <strong>Petya</strong> attacks (excluding <strong>NotPetya</strong>) will be able to decrypt their files for free.</p>
<!--more-->
<p>The original <strong>Petya</strong> ransomware (aka GoldenEye) encrypts the Master File Table using Salsa20, locking the victim’s entire system down.</p>
<p>It was hijacked by the creators of <strong>NotPetya</strong>, who carefully manipulated its assembly code to create the destructive wiper that swept through Ukraine two weeks ago. Important changes include removing the ability to actually restore encrypted files, as the victim’s keys <a href="https://blog.malwarebytes.com/threat-analysis/2017/06/eternalpetya-lost-salsa20-key/">are erased after encryption</a>.</p>
<p>To obtain the key, security researchers had to jump through a couple of hoops. About a week after the <strong>NotPetya</strong> outbreak, the creator tweeted a link to an encrypted file, with a password hint.</p>
<p><img src="https://info.threatstop.com/hubfs/Janus%20Petya%20Key%20Clue.png" alt="Janus Petya Key clue" style="display: block; margin-left: auto; margin-right: auto; width: 455px;" title="Janus Petya Key clue" caption="false" data-constrained="true" width="455"></p>
<p>Researchers used this quote (from the GoldenEye movie) to figure out the password and decrypt the file, which contained the private key and some implementation details for the ransomware.</p>
<p>To add protection against <strong>Petya</strong>, we recommend enabling the following targets:</p>
<ul>
<li>Standard Mode
<ul>
<li>TS Curated - Ransomware - IPs</li>
<li>TS Curated - Ransomware - Domains</li>
</ul>
</li>
<li>Expert Mode (included in the curated targets for Standard Mode)
<ul>
<li>TS Originated - Ransomware - IPs</li>
<li>TS Originated - Ransomware - Domains</li>
</ul>
</li>
</ul>
<p>If you do not have a ThreatSTOP account, to try a free demo.</p>
<p>If you do have a ThreatSTOP account, instructions for adding targets to <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+DNS+Firewall#ThreatSTOPDNSFirewall-DNSFWPolicy" target="_blank">DNS</a> or <a href="http://dochub.threatstop.com/display/TS/ThreatSTOP+IP+Firewall" target="_blank">IP</a> Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our team.</p></span>