Norton 2017 vs Petya Ransomware


Bot (Thread author), Apr 21, 2016
Petya ransomware outbreak: Am I protected from the Petya Ransomware?

A new strain of the Petya ransomware started propagating on June 27, 2017, infecting many organizations. Similar to WannaCry, Petya uses the Eternal Blue exploit as one of the means to propagate itself.

Am I protected from the Petya Ransomware?

Symantec Endpoint Protection (SEP) and Norton products proactively protect customers against attempts to spread Petya using Eternal Blue. SONAR behavior detection technology also proactively protects against Petya infections.

Learn more about Petya ransomware and how Norton protects you from attack.


Initial infection vector
Symantec has confirmed that MEDoc, a tax and accounting software package, is used for the initial insertion of Petya into corporate networks. MEDoc is widely used in Ukraine, indicating that organizations in that country were the primary target.

After gaining an initial foothold, Petya then uses a variety of methods to spread across corporate networks.

Spread and lateral movement
Petya is a worm, meaning it has the ability to self-propagate. It does this by building a list of target computers and using two methods to spread to those computers.

IP address and credential gathering
Petya builds a list of IP addresses to spread to, which includes primarily addresses on the local area network (LAN) but also remote IPs. The full list is built as follows:

  • All IP addresses and DHCP servers of all network adaptors
  • All DHCP clients of the DHCP server if ports 445/139 are open
  • All IP addresses within the subnet as defined by the subnet mask if ports 445/139 are open
  • All computers you have a current open network connection with
  • All computers in the ARP cache
  • All resources in Active Directory
  • All server and workstation resources in Network Neighborhood
  • All resources in the Windows Credential Manager (including Remote Desktop Terminal Services computers)
Once the list of target computers has been identified, Petya builds out a list of user names and passwords it can use to spread to those targets. The list of user names and passwords is stored in memory. It uses two methods to gather credentials:

  • Gathers user names and passwords from Windows Credential Manager
  • Drops and executes a 32-bit or 64-bit credential dumper
Lateral Movement
Petya uses two primary methods to spread across networks:

  • Execution across network shares: It attempts to spread to the target computers by copying itself to [COMPUTER NAME]\\admin$ using the acquired credentials. It is then executed remotely using either PsExec or the Windows Management Instrumentation Command-line (WMIC) tool. Both are legitimate tools.
  • SMB exploits: It attempts to spread using variations of the EternalBlue and EternalRomance exploits.
Initial infection and installation
Petya is initially executed via rundll32.exe using the following command:

  • rundll32.exe perfc.dat, #1
Once the DLL has been loaded, it will first attempt to remove itself from the infected system. This is done by opening the file and overwriting its contents with null bytes before finally deleting the file from disk. Overwriting the file with null bytes is used as an attempt to thwart recovery of the file using forensic techniques.

Next, it attempts to create the following file to be used as a flag indicating that the computer has been infected:

  • C:\Windows\perfc
MBR infection and encryption
Once installed, Petya proceeds to modify the master boot record (MBR). This allows it to hijack the normal loading process of the infected computer during the next system reboot. The modified MBR is used to encrypt the hard disk while simulating a CHKDSK screen. It then displays a ransom note to the user.

MBR modification does not succeed if the threat is executed as a normal user, but the threat will still attempt to spread across the network.

At this point, a system reboot is scheduled using the following command:

  • "/c at 00:49 C:\Windows\system32\shutdown.exe /r /f"
By scheduling and not forcing a reboot, it provides time to allow Petya to spread to other computers in the network before user-mode encryption occurs.
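The spread and installation steps above leave a recognisable trail in process-creation telemetry. As an added example (not part of Symantec's write-up or this post), the Python below expresses the behaviours described there, the rundll32 ordinal-1 load of perfc.dat, the scheduled forced reboot via `at`, writes to an admin$ share and remote execution via PsExec or WMIC, as rules run over constructed sample events; the rule names, host names and sample command lines are my own, not Symantec detection names or real telemetry.

```python
import re

# Behaviours taken from the write-up above, expressed as command-line patterns.
# Tag names are my own labels, not vendor detection names.
RULES = [
    ("petya_rundll32_ordinal_load",        # rundll32.exe perfc.dat, #1
     re.compile(r"rundll32(\.exe)?\s+\S*perfc\.dat\s*,\s*#1", re.I)),
    ("petya_scheduled_forced_reboot",      # /c at HH:MM ...\shutdown.exe /r /f
     re.compile(r"\bat\s+\d{2}:\d{2}\s+.*shutdown\.exe\s+/r\s+/f", re.I)),
    ("admin_share_reference",              # \\HOST\admin$ (copy of the payload)
     re.compile(r"\\\\[^\\\s]+\\admin\$", re.I)),
    ("remote_exec_tool",                   # PsExec, or WMIC process call create
     re.compile(r"\bpsexec(\.exe)?\b|\bwmic(\.exe)?\b.*process\s+call\s+create", re.I)),
]

def classify(cmdline: str) -> list:
    """Return the tags of every rule the command line matches (may be several)."""
    return [tag for tag, rx in RULES if rx.search(cmdline)]

# Constructed sample events (host, parent image, command line); not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", "explorer.exe", r"rundll32.exe C:\Windows\perfc.dat,#1"),
    ("WS01", "rundll32.exe", r"cmd.exe /c at 00:49 C:\Windows\system32\shutdown.exe /r /f"),
    ("WS01", "rundll32.exe", r"cmd.exe /c copy C:\Windows\perfc.dat \\WS02\admin$\perfc.dat"),
    ("WS01", "rundll32.exe", r'wmic.exe /node:WS02 process call create "rundll32.exe C:\Windows\perfc.dat,#1"'),
    ("WS02", "services.exe", r"svchost.exe -k netsvcs"),
    ("WS03", "cmd.exe",      r"shutdown.exe /r /t 60"),   # benign: no at-scheduling, no /f
]

def triage(events) -> dict:
    """Map each host to the set of behaviours seen on it. The individual tools
    (PsExec, WMIC, admin$) are legitimate; it is the combination on one host,
    together with the perfc.dat load, that warrants isolating the machine."""
    hits = {}
    for host, _parent, cmd in events:
        for tag in classify(cmd):
            hits.setdefault(host, set()).add(tag)
    return hits
```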

File encryption
Petya performs encryption in two ways:

  • After Petya has spread to other computers, user-mode encryption occurs where files with a specific extension are encrypted on disk.
  • The MBR is modified to add a custom loader which is used to load a CHKDSK simulator. This simulator is used to hide the fact that disk encryption is occurring. This is done after user-mode encryption occurs and thus encryption is twofold: user mode and full disk.
User-mode encryption

Once spreading has occurred, Petya then lists all files on any fixed drive (e.g. C:\) and checks for any of the following file extensions (skipping the %Windir% directory of that drive):

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

A 128-bit AES key is generated for each drive. If a file's extension matches one in the list above, the malware encrypts the first 1MB of that file using the generated key.

After encrypting all eligible files, the threat will generate the ransom note and write it to a "README.TXT" file in the current drive.

The generated AES key(s) are then encrypted using an embedded public key.

The resulting encrypted blob is then appended to the end of the ransom note (README.TXT) as a Base64 encoded string. The ransom note refers to this as the "installation key".

The generated key is then destroyed to ensure it cannot be retrieved from memory.

At this point, the system is rebooted and the modified MBR code loads the simulated CHKDSK screen and full disk encryption occurs.
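Two details of the user-mode pass above are useful for forensic triage: only files with a listed extension outside %Windir% are touched, and only their first 1MB is encrypted, so a long text-like file whose head is near-random while its tail is not fits the pattern. As an added example (not Symantec's or this post's code), the Python below checks both, using the extension list from the write-up; the entropy threshold and the constructed sample file are my own assumptions.

```python
import math
import os
from collections import Counter

# Extension list quoted in the write-up above.
PETYA_EXTENSIONS = frozenset("""
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf
.disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora
.ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql
.tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx
.xvd .zip""".split())

ONE_MIB = 1024 * 1024   # the write-up says the first 1MB of each file is encrypted

def is_targeted(path: str, windir: str = r"C:\Windows") -> bool:
    """True if the user-mode pass would consider this file: listed extension,
    and not under the drive's %Windir% directory. Case-insensitive."""
    p = path.lower().replace("/", "\\")
    if p.startswith(windir.lower().rstrip("\\") + "\\"):
        return False
    name = p.rsplit("\\", 1)[-1]
    return "." in name and "." + name.rsplit(".", 1)[1] in PETYA_EXTENSIONS

def shannon_entropy(data: bytes) -> float:
    """Bits per byte, 0.0 for empty input, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def partial_encryption_suspected(data: bytes, threshold: float = 7.5) -> bool:
    """Head (first 1 MiB) near-random but tail not: consistent with the partial
    encryption described above. Files under 1 MiB are wholly encrypted, so only
    the head is judged. Assumed threshold of 7.5 bits/byte. Formats that are
    already compressed (.zip, .gz, .7z, .rar, .pdf) are high-entropy by nature,
    so this heuristic cannot separate them; check their container headers instead."""
    head, tail = data[:ONE_MIB], data[ONE_MIB:]
    if shannon_entropy(head) < threshold:
        return False
    return not tail or shannon_entropy(tail) < threshold

def make_sample(encrypted: bool) -> bytes:
    """Constructed ~3 MB text-like file; the 'encrypted' variant has a random
    first MiB standing in for the AES-encrypted head."""
    plain = b"INSERT INTO ledger VALUES (2017, 'Q2', 'sales');\n" * 60000
    return os.urandom(ONE_MIB) + plain[ONE_MIB:] if encrypted else plain
```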

FAQs
Am I protected from the Petya Ransomware?
Symantec Endpoint Protection (SEP) and Norton products proactively protect customers against attempts to spread Petya using Eternal Blue. SONAR behavior detection technology also proactively protects against Petya infections.

Symantec products using definitions version 20170627.009 also detect Petya components as Ransom.Petya.

What is Petya?
Petya has been in existence since 2016. It differs from typical ransomware as it doesn’t just encrypt files, it also overwrites and encrypts the master boot record (MBR).

In this latest attack, the following ransom note is displayed on infected computers, demanding that $300 in bitcoins be paid to recover files:

Figure 2. Ransom note displayed on computers infected with the Petya ransomware, demanding $300 in bitcoins

How does Petya spread and infect computers?
The MEDoc accounting software is used to drop and install Petya into organizations’ networks. Once in the network it uses two methods to spread.

One of the ways in which Petya propagates itself is by exploiting the MS17-010 vulnerability, also known as EternalBlue. It also spreads by acquiring user names and passwords and spreading across network shares.

Who is impacted?
Petya is primarily impacting organizations in Europe.


Source: Petya ransomware outbreak: Am I protected from the Petya Ransomware?