A Glimpse at Petya Ransomware

Ransomware has become an increasingly serious threat. Cryptowall, TeslasCrypt and Locky are just some of the ransomware variants that infected large numbers of victims. Petya is the newest strain and the most devious among them.

Petya will not only encrypt files but it will make the system completely useless, leaving the victim no choice but to pay for the ransom, and it will encrypt filesystem’s Master File Table, which leaves the operating system unable to load. MFT is an essential file in NTFS file system. It contains every file record and directory on NTFS logical volume. Each record contains all the particulars that the operating system need to boot properly.

Like any other malware, Petya is widely distributed via a job application spear-phishing email that comes with a Dropbox link luring the victim by claiming the link contains self-extracting CV; in fact, it contains self-extracting executable that would later unleash its malicious behavior.

Petya dropper

Petya’s dropper

Petya's infection behavior

Petya’s infection behavior

 Petya ransomware has two infection stages. The first stage is MBR infection and encryption key generation, including the decryption code used in ransom messages. The second stage is MFT encryption.

First Stage of Encryption

First infection stage behavior

First infection stage behavior

An MBR infection is made through straightforward .PhysicalDrive0 manipulation with the help of DeviceIOControl API. It first retrieves the physical location of the root drive .c by sending IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code to the device driver.  Then it sends the extended disk partition info of .PhysicalDrive0 through IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS control code.

GET_VOLUME_Data

The dropper will encrypt the original MBR using XOR opcode and 0x37 and save it for later use. It will also create 34 disk sectors containing 0x37. Right after the 34 sectors are Petya’s MFT infecting code. Located on Sector 56 is the original encrypted MBR.

Infected disk view

Infected disk view

Infected disk view

Infected disk view

Original Encrypted MBR

Original Encrypted MBR

After the MBR infection, it will intentionally crash the system by triggering NTRaiseHardError. This will trigger BSOD and the system will start, which will cause the machine to load using the infected MBR.

Code snippet triggering BSOD

Code snippet in triggering BSOD

BSOD

BSOD

Once we inspected the dumped image of the disk, we discovered it was showing a fake CHKDSK screen. We will also see the ransom message and ASCII skull art.

Dumped disk image

Dumped disk image

Second Infection Stage

The stage 2 infection code is written in 16-bit architecture, which uses BIOS interrupt calls.

Upon system boot up, it will load into memory Petya’s malicious code, which is located at sector 34. It will first determine if the system is already infected by checking the first byte at sector is 0x0. If not infected, it will display fake CHKDSK.

Fake CHKDSK

Fake CHKDSK

When someone sees the Figure 8, it means that the MFT table is already encrypted using salsa20 algorithm.

Figure 8

The victim will see this screen upon boot.

The victim will see this screen upon boot.

Ransom message and instructions

Ransom message and instructions

Petya Ransomware Page

The webpage for the victim to access their personal decryption key is protected against bots and contains information about when the Petya ransomware project was launched, warnings on what not to do when recovering files and an FAQ page. The page is surprisingly very user friendly and shows the days left before the ransom price will be doubled.

Ransom page captcha

Ransom page captcha

 Petya’s homepage

Petya’s homepage

It also contains news feeds, including different blogs and news from AV companies warning about Petya.

News 1 Figure 13

News 2

They also provide a step-by-step process on how to pay the ransom, including instructions on how to purchase bitcoin. Support via web is included too in case the victim encounters problems in the transaction they’ve made. Petya’s ransom is a lot cheaper compared to other ransomware, too.

Petya web page 1

Petya web page 2

Petya web page 3

Petya web page 4

On Step 4 of the payment procedure, the “next” button is disabled until they’ve confirmed that they already received the payment.

Petya support page

Petya’s support page

Below is a shot of ThreatTrack’s ThreatSecure Network dashboard catching Petya. Tools like ThreatSecure can detect and disrupt attacks in real time.

ThreatSecure Network catching Petya ransomware

ThreatSecure Network catching Petya ransomware

ThreatTrack Security Labs

About Author

ThreatTrack Security Labs is the power behind the malware analysis, detection and remediation technologies developed by ThreatTrack Security. From facilities in the United States and the Philippines, our team of cybersecurity professionals, malware researchers, engineers and software developers work around the clock to discover and combat Advanced Persistent Threats, targeted attacks, Zero-days and other sophisticated malware. The company develops advanced cybersecurity solutions that Expose, Analyze and Eliminate the latest malicious threats, including its ThreatSecure advanced threat detection and remediation platform, ThreatAnalyzer malware behavioral analysis sandbox, ThreatIQ real-time threat intelligence service, and VIPRE business antivirus endpoint protection. Learn more about ThreatTrack Security.