Petya Ransomeware: An Overview

Petya Ransomeware

What is Ransomware?

It is a piece of code/software which infects any computer with user intervention and encrypts all the system information. To decrypt the infected files the victim has to enter a key which is only available with the attacker. A Petya Ransomeware in Bitcoin is demanded by the attacker, following which, the victim has to follow a process specified by the attacker to get the decryption key. 

What is Petya Ransomware?

The names Petya originates from the 1995 James Bond film GoldenEye. In the film Petya and Mischa are the disposable satellites used to carry out Goldeneye, an electromagnetic pulse-based weapon. Initially security expects thought that the petya ransomware is communicating/sharing its code with an older piece of ransomware. Later, they identified that the sharing does not last very long and in the meantime, independent researches who spotted this malware gave it other names like GoldenEye, Petna and Pneytna.

The Petya Ransomware is taking advantage of the EternalBlue vulnerability in Microsoft Windows and demands a ransom of $300 in Bitcoin from its victims. EternalBlue is an exploit, and is used for identifying vulnerability in Server Message Block [SMB] protocol which is implemented by Microsoft.

When was this identified?

Petya was first found in March 2016, while being propagated through emails. On June 27, 2017, a new version of Petya started affecting Germany, Poland, France and UK with majority of infections in Russia and Ukraine. Petya spread rapidly by taking advantage of the EternalBlue exploit which was developed by NSA.

What family of virus does it belong to?

There are 3 types of ransomware:

  1. Encryption Ransomware (CryptoLocker – Jigsaw).
  2. Lock Screen Ransomware.
  3. Master Boot Record (MBR) Ransomware [Satana].

Petya belongs to family of MBR Ransomware which infects master boot record to execute its payloads which encrypts NTFS file system. 

What kind of damage can it do?

Petya performs 2 layers of encryption:

  1. It encrypts both system files and the hard drive.
  2. Petya’s hidden trojan steals victim’s usernames and passwords.
  3. If one system is injected by Petya malware in an organisation network, then Petya will dump all the other systems’ usernames and passwords within the network.

How do systems get infected by this? (ex: Social Engineering)

  • By browsing untrusted websites.
  • Phishing attacks. Don’t download executables in these formats – .ade, .adp, .ani, .bas, .bat, .com, .cmd, .com, .cpl, .crt, .hlp, .ht, .hta, .inf, .ins, .isp, .job, .js, .jse, .lnk, .mda, .mdb, .mde, .mdz, .msc, .msi, .msp, .mst, .pcd, .reg, .scr, .sct, .shs, .url, .vb, .vbe, .vbs, .wsc, .wsf, .wsh, .exe, .pif, and so on.
  • Installing pirated software, outdated software programs or operating systems.

How can you avoid getting infected?

Keep Windows Operating System and antivirus/anti-malware up-to-date.  

Regular back-up of files to an external hard-drive.

Beware of phishing emails, spams, and do not click on malicious attachments.

If affected by the ransomware…

Kill-switch – the ability to locally disable the ransomware: The ransomware checks if perfc file is present (or another empty file with a different name) without an extension in the C:\Windows\ folder. The presence of such a file in the specified folder can be one of the indicators of compromise. If the file is present in this folder, malware execution stops, so creating a file with the correct name can prevent the substitution of MBR and further encryption.

For prevention, create a file with the name perfc in the following location C:\Windows\perfc.dat.

1.Petya” checks for a read-only file, C:\Windows\perfc.dat, and if it finds it, it won’t run the encryption side of the software. 

2.Disconnect PC from the Internet, reformat the hard drive and reinstall files from a backup.

3.If the machine reboots and you see a message like “CHKDSK is repairing the sectors”, switch off the power immediately – that is the encryption process. If the power is not switched on for 1 day, then the files are safe.