Petya: behind the mask

Tuesday, June 26, 2017 started out like any other day except for the fact that another ransomware infection started spreading around the world. Initially it looked like Petya, a ransomware worm that purported to encrypt data at a hard disk level. This, however, was not the case – in more ways than one.

The original Petya (released in March 2016) encrypted the master file table (MFT), rendering the file system unreadable. It had two distinct stages. In the first stage, it rewrites the master boot record (MBR) and inserts a tiny malicious kernel. At this point the drive is still recoverable. It then reboots by causing a blue screen of death (BSOD), which brings up a fake Windows CHKDSK. The second stage then encrypts the MFT in the background. Once it completes, it displays the ransomware screen, giving a code and asking you to make a bitcoin payment to retrieve the decryption key.

In 2017, a new Petya seemed to be doing the same thing. It looked and behaved just like the original. Analysis subsequently determined that they were not related and it was just a smoke screen. Thus it was renamed NotPetya or PetrWrap.

This incarnation was a destructive disk wiper masquerading as ransomware, leading researchers to believe that this was not a financially motivated attack, and speculation grew that it was a state-sponsored attack.

NotPetya was initially discovered in the Ukraine where it hit critical services throughout the country. It infected companies, government computers and even banks – causing the ATM network to fail. According to security researchers, the initial infection happened when a popular accounting software called M.E.DOC had a software update that was pushed out by its developers, Intellect Service. The company denied that it had been compromised, but when asked whether a back door had been injected into the update, the CEO – Olesya Bilousova – confirmed that it was indeed true and that it needed to be closed.

According to Ukraine authorities, malware-laden phishing emails were also sent out, which could account for infections within companies that did not use the tainted software.

Security experts from U.S.-based Cisco Systems Inc said they had examined the servers at Intellect’s request and determined that the attacker had used a stolen employee password to access the servers. After a privilege escalation, the attacker rewrote configuration files to point to web servers hosted in France where tainted versions of the software were stored. These servers have subsequently been taken offline, limiting the ability to push out clean updates to undo the tainted software. More concerning is what else might have been pushed out during earlier altered updates.

Once installed on computers, the worm spread in multiple ways. One was the same way that WannaCry spread, using EternalBlue and EternalRomance, tools purloined from the U.S.’s NSA. It also tries to gain admin privileges and use external programs like Mimikatz to steal credentials. It then uses these to infect other computers using industry standard tools like PsExec (from Sysinternals) and Windows Management Instrumentation (WMI), after which it proceeds to unpack the payload into memory. If no activation time is specified, it defaults to 60 minutes before rebooting and encrypting the system while displaying a ransomware screen. If it runs on a domain controller, it will attempt to enumerate DHCP leases to add to its list of computers to infect. NotPetya does not try to leave the network, instead concentrating on infecting everything it can on the inside.

What happens next?

Don’t pay the ransom. It is said that the malware does not provide enough information to the extortionists to generate the correct decryption key, and besides, the email addresses used to accept requests have been shut down.

By far the most affected country was the Ukraine, followed by Russia and to a lesser extent other countries.

On Tuesday, 4 July 2017, a video surfaced showing Ukrainian state security (SBU) raiding the offices of Intellect software, seizing servers suspected of spreading NotPetya and possibly other malware.

Security experts suggest several ways to mitigate the effect of this worm and its ability to infect other systems.

  • Use modern operating systems: Windows XP and Windows 7 do not have the latest developments designed to thwart such attacks.
  • Patch servers and workstations, specifically to block SMB exploits such as EternalBlue.
  • Block outside access to SMB ports.
  • Follow best practices and limit admin access. Do not use every-day accounts to do admin work.
  • Create a read-only file in the Windows directory called perfc.dat to stop the file encryption (this will not stop the spreading).
  • Do not open email attachments unless absolutely necessary.
  • Keep your anti-virus up to date.

These basic security principles can help you limit the impact of this worm, if not prevent it entirely.
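
An added example (not from the original article) that applies and audits the host-level items in the list above with PowerShell: it creates the read-only perfc.dat file and reports SMBv1 server status, inbound allow rules for TCP 445, the most recent hotfix and the local Administrators members. Treating SMBv1 and TCP 445 as the SMB exposure to check is this example's assumption, as is running elevated on Windows 8 / Server 2012 or later.

```powershell
# Added example, not from the original article. Run from an elevated prompt on
# Windows 8 / Server 2012 or later (uses the SmbShare, NetSecurity and
# LocalAccounts modules that ship with those systems).

# Read-only marker file from the list above (file name as given in the article).
$marker = Join-Path $env:windir 'perfc.dat'
if (-not (Test-Path -LiteralPath $marker)) {
    New-Item -ItemType File -Path $marker | Out-Null
}
Set-ItemProperty -LiteralPath $marker -Name IsReadOnly -Value $true

# SMBv1 server state. Assumption: SMBv1 is the protocol version to retire.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Enabled inbound allow rules that name TCP 445 explicitly (assumed SMB port).
# Rules written as port ranges or "Any" are not matched by this simple check.
$smbRules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object {
        $filter = $_ | Get-NetFirewallPortFilter
        $filter.Protocol -eq 'TCP' -and ($filter.LocalPort -contains '445')
    }

# Most recent installed update, as a rough patch-currency signal.
$lastPatch = Get-HotFix | Where-Object InstalledOn |
    Sort-Object InstalledOn -Descending | Select-Object -First 1

# Members of the built-in Administrators group (well-known SID S-1-5-32-544),
# to review against the "limit admin access" item.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544'

# One summary object so the result can be collected from many hosts.
[pscustomobject]@{
    Computer          = $env:COMPUTERNAME
    MarkerFile        = $marker
    MarkerReadOnly    = (Get-Item -LiteralPath $marker).IsReadOnly
    Smb1ServerEnabled = $smb1Enabled
    Inbound445Rules   = ($smbRules |
        ForEach-Object { "$($_.DisplayName) [$($_.Profile)]" }) -join '; '
    LastHotFix        = "$($lastPatch.HotFixID) on $($lastPatch.InstalledOn)"
    LocalAdmins       = ($admins.Name) -join '; '
} | Format-List
```

Any rule listed under Inbound445Rules with a Public or Any profile is a candidate for removal or scoping to specific remote addresses.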



Andrew Smith

Andrew is a senior systems-engineer with over 20 years experience in corporate and small business environments. This includes consulting for large ICT service providers. He has supported systems at every level in the organization, including infrastructure, operating systems, applications, and perimeter protection. He also collaborates with software development teams on web, database, and infrastructure security. Andrew has co-founded multiple ICT businesses, where he advises on cybersecurity strategies and policies. Andrew has a 3-year National Diploma in Electronics (light current).
