Defeating NotPetya from your iLO

NotPetya [0] is a variant of the Petya ransomware [1] that appeared in June 2017 in Ukraine. Both strains rewrite the MBR of computers that still boot through an old-fashioned BIOS-based system. The replacement MBR code then encrypts the Master File Table (MFT) of the underlying NTFS partitions.

Synacktiv, Airbus, Medallia and Quarkslab joined forces to show how NotPetya's bootloader encryption [2] can be decrypted using previously found vulnerabilities [3] in iLO 4. Download the whitepaper!

[0] https://www.crowdstrike.com/blog/petrwrap-ransomware-technical-analysis-triple-threat-file-encryption-mft-encryption-credential-theft/
[1] https://en.wikipedia.org/wiki/Petya_(malware)
[2] https://github.com/aguinet/petya2017_notes
[3] https://github.com/airbus-seclab/ilo4_toolbox
