UPDATE: For those infected by older versions of Petya, you can find a decryptor here.
With the recent release of the Petya ransomware, it is important to understand a few things about it. In this article, I hope to give you a brief history of Petya and four things that you should know about this latest ransomware attack.
What is it?
Before we begin, allow me to provide a brief history of Petya. Based on initial reporting, this Petya campaign involves multiple methods of initial infection and propagation, including exploiting vulnerabilities in Server Message Block (SMB). Microsoft released a security update for the MS17-010 vulnerability on March 14, 2017. This security update resolves vulnerabilities in Microsoft Windows. The most severe of the vulnerabilities could allow remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server.
1. How does it work?
Petya encrypts the victim’s files with a dynamically generated, 128-bit key and creates a unique ID for the victim. Petya spreads using the SMB exploit as described in MS17-010 and by stealing the user’s Windows credentials. Some variants of Petya are notable for installing a modified version of the Mimikatz tool, which can be used to obtain the user’s credentials. The stolen credentials can be used to access other systems on the network. Petya will also attempt to identify other hosts on the network by checking the compromised system’s IP-to-physical address mapping table (the ARP table). Next, it scans for other systems that are vulnerable to the SMB exploit and installs the malicious payload.
The compromised system’s files are encrypted with a 128-bit Advanced Encryption Standard (AES) algorithm during runtime. Petya writes a text file on the “C:\” drive with the Bitcoin wallet information and RSA keys for the ransom payment. It modifies the master boot record (MBR) to enable encryption of the master file table (MFT) and the original MBR, then reboots the system. Based on the encryption methods used, it appears unlikely that the files can be restored even if the attacker received the victim’s unique ID.
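The scanning step described above leaves a recognizable trace in flow data: one host opening SMB connections (TCP 445) to many distinct internal hosts in a short window. The following Python detection is an added example, not code from the original article; the flow-record format, the 60-second window, the threshold of 10 and all sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque
from datetime import datetime, timedelta

SMB_PORT = 445  # SMB over TCP

def parse_flow(line):
    """Parse 'ISO-timestamp,src,dst,dst_port' (constructed format, an assumption)."""
    ts, src, dst, port = line.strip().split(",")
    return datetime.fromisoformat(ts), src, dst, int(port)

def detect_smb_fanout(lines, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak count of distinct internal SMB destinations seen
    inside any sliding window} for sources whose peak reaches the threshold."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, port in sorted(parse_flow(l) for l in lines if l.strip()):
        # Only internal SMB traffic is relevant to lateral movement.
        if port != SMB_PORT or not ipaddress.ip_address(dst).is_private:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # expire flows older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

def sample_flows():
    """Constructed sample data: one workstation sweeping a subnet on 445,
    and one client making normal repeat connections to a file server."""
    base = datetime(2017, 7, 1, 12, 0, 0)
    lines = []
    for i in range(1, 41):  # 10.0.5.23 touches 40 different hosts in 40 seconds
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts},10.0.5.23,10.0.5.{i + 100},445")
    for i in range(20):     # 10.0.5.40 reuses a single file server
        ts = (base + timedelta(seconds=i * 5)).isoformat()
        lines.append(f"{ts},10.0.5.40,10.0.5.10,445")
    lines.append(f"{base.isoformat()},10.0.5.40,93.184.216.34,443")  # unrelated web flow
    return lines

if __name__ == "__main__":
    for src, n in detect_smb_fanout(sample_flows()).items():
        print(f"{src}: {n} distinct internal SMB destinations within 60s")
```

Counting distinct destinations rather than raw connections keeps a busy file-server client from triggering the alert; the threshold needs tuning against a baseline that includes legitimate scanners and management servers.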
2. Who has been infected?
Major networks across Russia, Ukraine, Australia, and India are among the hardest hit by Petya, while a total of at least 65 countries have reported infections. The National Bank of Ukraine said it has been hit by an “unknown virus” and is having difficulty providing customer services and banking operations as a result. According to Microsoft, “we saw the first infections in Ukraine — more than 12,500 machines encountered the threat.” Petya is still affecting airports and ATMs in Ukraine and hampering international businesses from the shipping giant Maersk to the drug company Merck. Its victims also include hospitals in Pennsylvania’s Heritage Valley Health System.
3. How is it different from WannaCry?
While Petya has many similarities to WannaCry, there is one major difference that should be noted. WannaCry only infects the files on an infected system. Petya, however, locks down the entire hard drive, and, because of the way that Petya works, it is highly unlikely that you will ever recover your files, even if you pay the ransom.
4. How can you avoid it?
There are a number of things that users and organizations can do to prevent being infected by Petya.
- First, apply the Microsoft patch for the MS17-010 SMB vulnerability dated March 14, 2017.
- Make sure you have strong spam filters in place to prevent phishing emails from reaching the end users. Authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain-based Message Authentication, Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching the end users.
- Manage the use of privileged accounts. Implement the principle of least privilege. No users should be assigned administrative access unless absolutely needed. Those with a need for administrator accounts should only use them when necessary.
- Run regular penetration tests against the network, no less than once a year. Ideally, run these as often as possible and practical.
- Test your backups to ensure they work correctly upon use. You don’t want to find yourself in a position where not only are your files gone or encrypted, but your backups are useless.
Those, of course, are only a handful of the things you should do to protect yourself from such attacks, but they should be part of a well-developed incident response plan.
If you want to gain additional context with regard to your network, download our network traffic analytics platform, Scrutinizer, to see where everything is going on your network.