A new strain of the Petya ransomware started propagating on June 27, 2017, infecting many organizations.
Figure 1. Top 20 countries based on numbers of affected organizations
Similar to WannaCry, Petya uses the Eternal Blue exploit as one of the means to propagate itself. However, it also uses classic SMB network spreading techniques, meaning that it can spread within organizations even if they’ve patched against Eternal Blue.
Initial infection vector
Symantec has confirmed that MEDoc, a tax and accounting software package, is used for the initial insertion of Petya into corporate networks. MEDoc is widely used in Ukraine, indicating that organizations in that country were the primary target.
After gaining an initial foothold, Petya then uses a variety of methods to spread across corporate networks.
Spread and lateral movement
Petya is a worm, meaning it has the ability to self-propagate. It does this by building a list of target computers and using two methods to spread to those computers.
IP address and credential gathering
Petya builds a list of IP addresses to spread to, which includes primarily addresses on the local area network (LAN) but also remote IPs. The full list is built as follows:
- All IP addresses and DHCP servers of all network adaptors
- All DHCP clients of the DHCP server if ports 445/139 are open
- All IP addresses within the subnet as defined by the subnet mask if ports 445/139 are open
- All computers you have a current open network connection with
- All computers in the ARP cache
- All resources in Active Directory
- All server and workstation resources in Network Neighborhood
- All resources in the Windows Credential Manager (including Remote Desktop Terminal Services computers)
Once the list of target computers has been identified, Petya builds out a list of user names and passwords it can use to spread to those targets. The list of user names and passwords is stored in memory. It uses two methods to gather credentials:
- Gathers user names and passwords from Windows Credential Manager
- Drops and executes a 32-bit or 64-bit credential dumper
Petya uses two primary methods to spread across networks:
- Execution across network shares: It attempts to spread to the target computers by copying itself to [COMPUTER NAME]\\admin$ using the acquired credentials. It is then executed remotely using either PsExec or the Windows Management Instrumentation Command-line (WMIC) tool. Both are legitimate tools.
- SMB exploits: It attempts to spread using variations of the EternalBlue and EternalRomance exploits.
Initial infection and installation
Petya is initially executed via rundll32.exe using the following command:
- rundll32.exe perfc.dat, #1
Once the DLL has been loaded, it will first attempt to remove itself from the infected system. This is done by opening the file and overwriting its contents with null bytes before finally deleting the file from disk. Overwriting the file with null bytes is used as an attempt to thwart recovery of the file using forensic techniques.
Next, it attempts to create the following file to be used as a flag indicating that the computer has been infected:
MBR infection and encryption
Once installed, Petya proceeds to modify the master boot record (MBR). This allows it to hijack the normal loading process of the infected computer during the next system reboot. The modified MBR is used to encrypt the hard disk while simulating a CHKDSK screen. It then displays a ransom note to the user.
MBR modification does not succeed if the threat is executed as a normal user, but the threat will still attempt to spread across the network.
At this point, a system reboot is scheduled using the following command:
- "/c at 00:49 C:\Windows\system32\shutdown.exe /r /f"
By scheduling and not forcing a reboot, it provides time to allow Petya to spread to other computers in the network before user-mode encryption occurs.
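The process-level behaviour described above (the rundll32.exe perfc.dat, #1 loader, the copy to a remote admin$ share followed by a PsExec or WMIC launch, and the reboot scheduled with at rather than forced) translates directly into detection content. The following Python script is an added example, not code from the original post or from Symantec: it runs a handful of regular-expression rules over constructed process-creation records in a made-up host|user|parent_image|command_line format and reports which hosts show each behaviour. The rule names, the record format and the sample lines are all assumptions made for this example.

```python
import re

# Constructed process-creation records for this example (not real telemetry).
# Format chosen here: host|user|parent_image|command_line
SAMPLE_LOG = [
    r'WS01|CORP\alice|explorer.exe|"C:\Program Files\Office\WINWORD.EXE" C:\Users\alice\report.docx',
    r'WS01|CORP\alice|svchost.exe|rundll32.exe C:\Windows\perfc.dat, #1',
    r'WS01|CORP\alice|rundll32.exe|cmd.exe /c at 00:49 C:\Windows\system32\shutdown.exe /r /f',
    r'WS01|CORP\alice|rundll32.exe|cmd.exe /c copy C:\Windows\perfc.dat \\WS02\admin$\perfc.dat',
    r'WS01|CORP\alice|rundll32.exe|psexec.exe \\WS02 -s rundll32.exe C:\Windows\perfc.dat,#1',
    r'WS01|CORP\alice|rundll32.exe|wmic.exe /node:"WS03" /user:"CORP\admin" process call create "rundll32.exe C:\Windows\perfc.dat,#1"',
    r'WS02|SYSTEM|services.exe|C:\Windows\system32\shutdown.exe /r /f',
    r'WS04|CORP\bob|cmd.exe|shutdown.exe /r /t 0',
]

# Rule names are this example's own; each pattern encodes one behaviour from the write-up.
RULES = [
    # Loader invocation: rundll32.exe <path>\perfc.dat, #1 (with or without the space).
    ("petya_rundll32_loader",
     re.compile(r"rundll32(\.exe)?\s.*?perfc\.dat\s*,\s*#1", re.I)),
    # Reboot scheduled through at.exe instead of being forced immediately.
    ("petya_scheduled_reboot",
     re.compile(r"\bat\s+\d{1,2}:\d{2}\s.*?shutdown\.exe\s+/r\s+/f", re.I)),
    # Payload staged on a remote admin$ share.
    ("copy_to_admin_share",
     re.compile(r"\\\\[^\\\s]+\\admin\$", re.I)),
    # Remote launch via PsExec ...
    ("psexec_remote_rundll32",
     re.compile(r"psexec(\.exe)?\s+\\\\\S+.*?rundll32", re.I)),
    # ... or via WMIC "process call create".
    ("wmic_remote_process_create",
     re.compile(r"wmic(\.exe)?\s+/node:.*?process\s+call\s+create", re.I)),
]


def parse_record(record: str):
    """Split one record into its four fields; the command line may itself contain '|'."""
    host, user, parent, cmdline = record.split("|", 3)
    return host, user, parent, cmdline


def scan(records):
    """Return (host, rule_name, command_line) for every rule that fires on a record."""
    hits = []
    for record in records:
        host, _user, _parent, cmdline = parse_record(record)
        for name, pattern in RULES:
            if pattern.search(cmdline):
                hits.append((host, name, cmdline))
    return hits


def hosts_by_rule(records):
    """Summarise the scan as rule name -> sorted list of hosts on which it fired."""
    summary = {}
    for host, name, _cmdline in scan(records):
        summary.setdefault(name, set()).add(host)
    return {name: sorted(hosts) for name, hosts in summary.items()}


if __name__ == "__main__":
    for name, hosts in hosts_by_rule(SAMPLE_LOG).items():
        print(f"{name}: {', '.join(hosts)}")
```

Fed with real command-line telemetry (Sysmon event ID 1 or Windows Security event 4688, for instance), scan() attributes each firing rule to a host, so the admin$ staging and the PsExec/WMIC launches from WS01 stand out while the plain shutdown.exe /r /t 0 on WS04 stays quiet.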
Petya performs encryption in two ways:
- After Petya has spread to other computers, user-mode encryption occurs where files with a specific extension are encrypted on disk.
- The MBR is modified to add a custom loader which is used to load a CHKDSK simulator. This simulator is used to hide the fact that disk encryption is occurring. This is done after user-mode encryption occurs and thus encryption is twofold: user mode and full disk.
Once spreading has occurred, Petya then lists all files on any fixed drive (e.g. C:\) and checks for any of the following file extensions (skipping the %Windir% directory of that drive):
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
If any of the file extensions match that of the file list, encryption occurs.
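An incident responder sizing the impact on a host wants the same selection rule applied to a file inventory: drive-letter paths only, the drive's Windows directory skipped, and the extension list above matched case-insensitively. The script below is an added example and not code from the original post or from Symantec; the file inventory is constructed for the example, and the choice to treat only drive-letter paths as fixed drives (excluding UNC paths) is this example's own assumption.

```python
import ntpath  # Windows path semantics on any platform

# Extension list as given in the write-up; normcase() lowercases paths, so keep these lowercase.
TARGETED_EXTENSIONS = set("""
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu
.doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php
.pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc
.vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
""".split())


def is_in_scope(path: str, windir_name: str = "Windows") -> bool:
    """True if the file would be selected: drive-letter path, outside <drive>:\\<windir_name>\\, listed extension."""
    norm = ntpath.normcase(ntpath.normpath(path))
    drive, tail = ntpath.splitdrive(norm)
    # Assumption for this example: drive-letter paths stand for fixed drives; UNC paths are excluded.
    if len(drive) != 2 or drive[1] != ":":
        return False
    # The %Windir% directory of the drive being walked is skipped.
    skip_prefix = "\\" + ntpath.normcase(windir_name) + "\\"
    if tail.startswith(skip_prefix):
        return False
    return ntpath.splitext(tail)[1] in TARGETED_EXTENSIONS


def scope_report(paths):
    """Count in-scope files per extension, for impact sizing."""
    counts = {}
    for path in paths:
        if is_in_scope(path):
            ext = ntpath.splitext(ntpath.normcase(path))[1]
            counts[ext] = counts.get(ext, 0) + 1
    return counts


# Constructed file inventory for the example (not from a real host).
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.xlsx",
    r"C:\Users\alice\Documents\notes.txt",      # extension not listed
    r"C:\Projects\app\main.cpp",
    r"C:\Windows\System32\config.cfg",          # under %Windir%: skipped
    r"C:\Backups\server.vmdk",
    r"C:\Users\bob\Desktop\REPORT.PDF",         # case-insensitive match
    r"\\fileserver\share\plan.docx",            # UNC path: not a local fixed drive
    r"D:\exports\data.sql",
]

if __name__ == "__main__":
    for ext, n in sorted(scope_report(SAMPLE_INVENTORY).items()):
        print(f"{ext}: {n}")
```

Run against a directory listing exported from an affected host, scope_report() gives a per-extension count of what the user-mode stage would have selected, which is a quick first answer to "what did we lose" before the MBR stage is even considered.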
At this point, the system is rebooted and the modified MBR code loads the simulated CHKDSK screen and full disk encryption occurs.
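Because the custom loader lives in the first sector of the disk, a defender can baseline that sector on a clean build and alert when its boot code changes. The script below is an added example and not code from the original post or from Symantec: it splits a 512-byte MBR into its classic regions (boot code, disk signature, partition table, 0x55AA boot signature), hashes each region, and compares a current sector against a stored baseline. The two sample sectors are constructed in the code to stand in for a clean and a tampered MBR; they are not real disk contents, and the byte values in them are made up.

```python
import hashlib

SECTOR_SIZE = 512
BOOT_CODE = slice(0, 440)      # classic MBR layout: boot code in bytes 0..439
DISK_SIG = slice(440, 444)     # 32-bit disk signature
PART_TABLE = slice(446, 510)   # four 16-byte partition entries
BOOT_SIG = slice(510, 512)     # must read 0x55 0xAA


def region_hashes(sector: bytes) -> dict:
    """SHA-256 per region, so a baseline can be stored once and compared later."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    return {
        "boot_code": hashlib.sha256(sector[BOOT_CODE]).hexdigest(),
        "disk_sig": hashlib.sha256(sector[DISK_SIG]).hexdigest(),
        "part_table": hashlib.sha256(sector[PART_TABLE]).hexdigest(),
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Return human-readable findings; an empty list means the sector matches the baseline."""
    findings = []
    if sector[BOOT_SIG] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing")
    current = region_hashes(sector)
    for region, digest in baseline.items():
        if current.get(region) != digest:
            findings.append(f"{region} differs from baseline")
    return findings


# --- constructed sample sectors for this example (not real disk contents) ---
def build_sample_mbr(boot_code: bytes) -> bytes:
    """Assemble a plausible MBR: given boot code, fixed disk signature, one partition entry, 0x55AA."""
    boot_code = boot_code.ljust(440, b"\x00")[:440]
    disk_sig = b"\x12\x34\x56\x78"
    reserved = b"\x00\x00"
    # One active NTFS-type entry: status, CHS start, type 0x07, CHS end, LBA start, sector count.
    entry = (b"\x80" + b"\x20\x21\x00" + b"\x07" + b"\xfe\xff\xff"
             + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little"))
    part_table = entry + b"\x00" * 48
    return boot_code + disk_sig + reserved + part_table + b"\x55\xaa"


CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c"              # made-up stub
TAMPERED_BOOT_CODE = b"\xfa\x31\xc0\x8e\xd8\xbe\x00\x7c\xeb\x10"   # made-up replacement loader
CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)
BASELINE = region_hashes(CLEAN_MBR)

if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE) or "OK")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a live Windows host the input is the first 512 bytes read from the raw device (\\.\PhysicalDrive0, which needs administrative rights). Hashing the regions separately means a legitimate partition change is reported as exactly that, while a replaced boot loader shows up as a boot_code mismatch with the partition table untouched.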
Am I protected from the Petya Ransomware?
Symantec Endpoint Protection (SEP) and Norton products proactively protect customers against attempts to spread Petya using Eternal Blue. SONAR behavior detection technology also proactively protects against Petya infections.
Symantec products using definitions version 20170627.009 also detect Petya components as Ransom.Petya.
What is Petya?
Petya has been in existence since 2016. It differs from typical ransomware in that it doesn’t just encrypt files; it also overwrites and encrypts the master boot record (MBR).
In this latest attack, the following ransom note is displayed on infected computers, demanding that $300 in bitcoins be paid to recover files:
Figure 2. Ransom note displayed on computers infected with the Petya ransomware, demanding $300 in bitcoins
How does Petya spread and infect computers?
The MEDoc accounting software is used to drop and install Petya into organizations’ networks. Once in the network it uses two methods to spread.
One of the ways in which Petya propagates itself is by exploiting the MS17-010 vulnerability, also known as EternalBlue. It also spreads by acquiring user names and passwords and spreading across network shares.
Who is impacted?
Petya is primarily impacting organizations in Europe.
Is this a targeted attack?
It’s unclear at this time, however, the initial infector is software used solely in Ukraine, indicating that organizations there were the initial targets.
Should I pay the ransom?
Symantec recommends that users do not pay the ransom, particularly as there is no evidence that files will be restored.