Ransom:Win32/Petya.A-joey
First posted on 29 June 2017.
Source: Microsoft
Aliases:
There are no other names known for Ransom:Win32/Petya.A-joey.
Explanation:
Installation
This threat may be installed by malicious documents distributed through email, and it uses exploits to spread.
You might see the following email:
Payload
Encrypts Master Boot Record (MBR)
If the malware is executed with the 'SeShutdownPrivilege', 'SeDebugPrivilege' or 'SeTcbPrivilege' privilege, it overwrites the MBR of the victim's machine. It directly accesses drive 0 ('\\.\PhysicalDrive0') using the DeviceIoControl() API.
Encrypts files
This malware encrypts fixed drives using AES-128 and RSA-2048 and encrypts the following file extensions:
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pv .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmd .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
It skips the folder "C:\Windows".
It drops the following decryption instructions:
If the file C:\Windows\perfc.dat exists in %SystemRoot%, it stops the Windows Management Instrumentation Command-line (WMIC) and PsExec component from running. The EternalBlue exploit will still be executed. Machines that are patched will not be vulnerable to the exploit.
Last update 29 June 2017
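As an added example (not code from the Microsoft page), the two file-targeting rules given above (the listed extensions, with C:\Windows skipped) and the C:\Windows\perfc.dat marker file can be turned into a small triage helper that a responder runs over a file inventory to estimate which files would be in scope. The function names and the sample inventory are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Extensions named in the Microsoft description (lower-cased for matching).
TARGET_EXTENSIONS = frozenset("""
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl
.dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg
.nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pv .py .pyc .rar
.rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmd .vmsd .vmx .vsdx
.vsv .work .xls .xlsx .xvd .zip
""".split())

# The description says C:\Windows is skipped and that the presence of
# C:\Windows\perfc.dat stops the WMIC/PsExec component from running.
SKIPPED_FOLDER = ("c:\\", "windows")
KILL_SWITCH_FILE = ("c:\\", "windows", "perfc.dat")

def _parts(path):
    """Lower-cased path components; PureWindowsPath makes 'C:\\' one part."""
    return tuple(p.lower() for p in PureWindowsPath(path).parts)

def in_skipped_folder(path):
    """True when the file lives anywhere under C:\\Windows (case-insensitive)."""
    return _parts(path)[:len(SKIPPED_FOLDER)] == SKIPPED_FOLDER

def would_be_encrypted(path):
    """Both rules from the description: listed extension and not under C:\\Windows."""
    return (PureWindowsPath(path).suffix.lower() in TARGET_EXTENSIONS
            and not in_skipped_folder(path))

def select_in_scope(paths):
    """Return the in-scope subset of a file inventory, sorted for reporting."""
    return sorted(p for p in paths if would_be_encrypted(p))

def kill_switch_present(paths):
    """True when the inventory contains the marker file C:\\Windows\\perfc.dat."""
    return any(_parts(p) == KILL_SWITCH_FILE for p in paths)

# Constructed sample inventory (not real data) exercising each rule.
SAMPLE_INVENTORY = [
    r"C:\Users\alice\Documents\budget.XLSX",   # in scope; extension match is case-insensitive
    r"C:\Users\alice\Documents\notes.txt",     # out of scope: .txt is not listed
    r"C:\Windows\System32\config\backup.bak",  # out of scope: under C:\Windows
    r"D:\vm\fileserver.vmdk",                  # out of scope: .vmdk is not in the list
    r"D:\vm\fileserver.vmx",                   # in scope
    r"C:\Windows\perfc.dat",                   # marker file from the description
]

if __name__ == "__main__":
    print(select_in_scope(SAMPLE_INVENTORY))
    print("kill switch file present:", kill_switch_present(SAMPLE_INVENTORY))
```

Note that, per the description, the marker file only stops the WMIC/PsExec component; the EternalBlue path is unaffected, so patching remains the control for that vector.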