Ransom:Win32/Petya
First posted on 28 June 2017.
Source: Microsoft
Aliases :
There are no other names known for Ransom:Win32/Petya.
Explanation :
Installation
We have seen the following entry vectors for this ransomware:
- Through EternalBlue SMB exploitation, if the machine is vulnerable.
- Through remote execution from another compromised machine, where a password or tokens to log in to the machine can be obtained.
If the machine is vulnerable, it uses the SMB admin$ method to drop the payload to the system under %systemroot%\perfc.dat and tries to execute it via PsExec or WMI remoting.
If the machine already has the file perfc.dat in %SystemRoot% (for example: c:\windows\perfc.dat), the second method stops.
This threat may be installed by malicious documents distributed through email, and it uses exploits to spread.
You might also see the following email:
Payload
Encrypts Master Boot Record (MBR)
If the malware is executed with the 'SeShutdownPrivilege', 'SeDebugPrivilege' or 'SeTcbPrivilege' privilege, it overwrites the MBR of the victim's machine. It directly accesses drive 0 ('\\.\PhysicalDrive0') using DeviceIoControl() APIs.
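A host triage check for the two conditions described above (the perfc.dat payload path under %SystemRoot% and the three privileges tied to the MBR overwrite), as an added example that is not part of Microsoft's write-up. The function names and the sample `whoami /priv` output are constructed for illustration.

```python
import os
import tempfile

# Privileges the page lists as the condition for the MBR overwrite.
MBR_PRIVILEGES = ("SeShutdownPrivilege", "SeDebugPrivilege", "SeTcbPrivilege")
PAYLOAD_NAME = "perfc.dat"  # payload file name given on the page

# Constructed sample of `whoami /priv` output (not captured from a real host).
SAMPLE_WHOAMI = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== ========
SeShutdownPrivilege           Shut down the system           Disabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeDebugPrivilege              Debug programs                 Enabled
"""

def parse_privileges(whoami_output):
    """Map each privilege name in `whoami /priv` output to its State column."""
    privs = {}
    for line in whoami_output.splitlines():
        fields = line.split()
        if (len(fields) >= 2 and fields[0].startswith("Se")
                and fields[0].endswith("Privilege")):
            privs[fields[0]] = fields[-1]
    return privs

def triage(whoami_output, system_root):
    """Report the page's two host-level conditions for one account and host."""
    held = parse_privileges(whoami_output)
    payload = os.path.join(system_root, PAYLOAD_NAME)
    return {
        # Only the three privileges the page names, with their current state.
        "mbr_privileges_held": {p: held[p] for p in MBR_PRIVILEGES if p in held},
        "payload_path": payload,
        "payload_present": os.path.isfile(payload),
    }

if __name__ == "__main__":
    # Constructed stand-in for %SystemRoot% so the example runs on any OS.
    with tempfile.TemporaryDirectory() as root:
        print(triage(SAMPLE_WHOAMI, root))
        open(os.path.join(root, PAYLOAD_NAME), "wb").close()
        print(triage(SAMPLE_WHOAMI, root))
```

On a live Windows host, pass the real output of `whoami /priv` and the value of %SystemRoot% instead of the constructed inputs.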
Encrypts files
This malware encrypts fixed drives using AES-128 and RSA-2048, targeting files with the following extensions:
.3ds .pdf .7z .php .accdb .pmf .ai .ppt .asp .pptx .aspx .pst .avhd .pv .back .py .bak .pyc .c .rar .cfg .rtf .conf .sln .cpp .sql .cs .tar .ctl .vbox .dbf .vbs .disk .vcb .djvu .vdi .doc .vfd .docx .vmc .dwg .vmd .eml .vmsd .fdb .vmx .gz .vsdx .h .vsv .hdd .work .kdbx .xls .mail .xlsx .mdb .xvd .msg .zip .nrg .ora .ost .ova .ovf
It skips the folder "C:\Windows".
It drops the following decryption instructions:
Last update 28 June 2017