Home / malwarePDF  

Ransom:Win32/Petya


First posted on 28 June 2017.
Source: Microsoft

Aliases :

There are no other names known for Ransom:Win32/Petya.

Explanation :

Installation

We have seen the following entry vectors for this ransomware:

  1. Through Eternal Blue SMB exploitation, if the machine is vulnerable.
  2. Through remote execution from another compromised machine where password or tokens to login to a the machine can be obtained.


If the machine is vulnerable, it uses smb admin$ method to drop the payload to the system under %systemroot%\perfc.dat and tries to execute via psexc or wmi remoting.

If the machine already has the file perfc.dat in %SystemRoot% (for example: c:\windows\perfc.dat), the second method stops.

This threat may be installed by malicious documents and distributed through email and uses exploits to distribute.

You might also see the following email:

Payload

Encrypts Master Boot Record (MBR)

If the malware is executed with ‘SeShutdownPrivilege' or ‘SeDebugPrivilege' or ‘SeTcbPrivilege' privilege, then it will overwrite the MBR of the victim's machine. It directly access the drive0 ‘\\\\.\\PhysicalDrive0' using DeviceIoControl() APIs.

Encrypts files

This malware encrypts fixed drives using AES-128 and RSA-2048 and encrypts the following file extensions:

.3ds .pdf .7z .php .accdb .pmf .ai .ppt .asp .pptx .aspx .pst .avhd .pv .back .py .bak .pyc .c .rar .cfg .rtf .conf .sln .cpp .sql .cs .tar .ctl .vbox .dbf .vbs .disk .vcb .djvu .vdi .doc .vfd .docx .vmc .dwg .vmd .eml .vmsd .fdb .vmx .gz .vsdx .h .vsv .hdd .work .kdbx .xls .mail .xlsx .mdb .xvd .msg .zip .nrg .ora .ost .ova .ovf

It skips the folder "C:Windows".

It drops the following decryption instructions:

Last update 28 June 2017

 

TOP