The ransomware is spreading rapidly, affecting organizations, businesses, and end users, turning into an outbreak reminiscent of the one caused by WannaCry. Some questions remain: Do they work the same? Do they both have kill switches? Do they similarly use the EternalBlue vulnerability to infect systems?
Petya is an old, existing ransomware that first emerged in 2016. It’s known to overwrite the system’s Master Boot Record (MBR), locking users out of their machines with a blue screen of death (BSoD). In Petya’s case, the BSoD screen is used to show the ransom note. Known to be peddled as ransomware as a service (RaaS) in underground marketplaces, it has undergone several alterations and rehashes since it was first discovered—PetrWrap and GoldenEye, to name a few—and even joined forces with another ransomware family, Mischa. During this time, the Petya-Mischa ransomware combo featured a modular approach—Petya overwrote the MBR while Mischa encrypted the files.
This version of Petya combines these two capabilities: after successfully infecting the system, Petya modifies the victim system's MBR, after which the files are encrypted.
Differences in Petya (left, based on current sample) and GoldenEye’s (right) ransom notes shown after system reboot
Yes, both use it. WannaCry and Petya each exploit EternalBlue (MS17-010), a vulnerability in Windows' Server Message Block (SMB) implementation, to infect endpoints and encrypt their files.
However, this Petya variant has other attack vectors that can be run independently of each other. Petya uses a modified version of PsExec, a legitimate system administration utility, to install the ransomware. If that is unsuccessful, it abuses Windows Management Instrumentation Command-line (WMIC), another legitimate scripting interface, to execute the ransomware on the machine. Petya is also coded to exploit the EternalRomance vulnerability, an SMB security flaw in Windows XP and Windows Server 2003.
Petya checking for EternalBlue (left, highlighted), and Petya successfully exploiting the vulnerability (right)
Again, the answer is both yes and no. WannaCry's kill switch was a domain that, when the ransomware could reach it, prevented the malware from executing. This played a vital role in mitigating WannaCry's pervasive impact.
Petya doesn't have a kill switch per se, but before it proceeds with its encryption routine it searches the infected system for a specific file, one that Petya itself spawns. Note, though, that the name Petya checks for in the Windows folder is its own current filename, so the filename being checked may change from sample to sample. Petya's routine uses a modified PsExec embedded in the ransomware and renamed DLLHOST.DAT.
Petya's attack chain involves PsExec, a Windows command-line utility that lets system administrators execute commands or run executable files on remote systems. This version of Petya abuses two of its components: PSEXEC.exe, renamed within the ransomware as dllhost.exe, is used to access the remote machine, while PSEXESVC.exe is executed on that system once a connection or request from PSEXEC.exe is established.
Petya takes steps to evade traditional security solutions and abuses legitimate tools to succeed. The Petya sample we analyzed is a dynamic-link library (DLL) loaded by another legitimate executable, rundll32.exe, which normally runs and loads code in DLLs containing the routines/features of a number of programs or applications.
So why does PsExec matter? Along with rundll32, this executable is legitimate and thus, often whitelisted. PsExec is a system administration tool, while rundll32 maintains the features of programs; unfortunately their very nature is also what makes them viable for cybercriminals to abuse.
It's complicated. There is a very narrow window of opportunity: if perfc.dat is executed directly without admin rights, the MBR won't be overwritten. Given Petya's attack vectors, however, system user rights will usually be inherited, so more often than not the MBR may still be overwritten. And even if the MBR is recovered, the files on the disk will still be encrypted.
Petya also encrypts the system's Master File Table ($MFT), a database containing metadata that describes the attributes of files and directories in an NTFS volume. More importantly, the ransomware deletes the encryption key used to scramble the $MFT, making it impossible to decrypt.
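The file check described above, with perfc.dat as the filename the article cites, is the nearest thing this variant has to a kill switch, so a defender can pre-create that file as a read-only placeholder in the Windows folder before any infection attempt. The script below is an added example, not the article's or Trend Micro's code; it assumes the extension-less name perfc as a second candidate, and because the article notes the checked filename can change between samples, it is a stopgap alongside patching rather than a replacement for it.

```python
import os
import shutil
import stat
import tempfile

# perfc.dat is the filename the article cites; the extension-less "perfc" is an
# assumed alternative the same check could look for. Both get a read-only placeholder.
VACCINE_NAMES = ("perfc", "perfc.dat")
READ_ONLY = stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def create_vaccine_files(windows_dir, names=VACCINE_NAMES):
    """Create empty read-only placeholders in windows_dir; return the paths created."""
    created = []
    for name in names:
        path = os.path.join(windows_dir, name)
        if os.path.exists(path):          # existing file is left alone (idempotent)
            continue
        with open(path, "x"):             # "x": fail rather than clobber a racing write
            pass
        os.chmod(path, READ_ONLY)         # read-only: a low-privilege process cannot replace it
        created.append(path)
    return created


def is_vaccinated(windows_dir, names=VACCINE_NAMES):
    """True when every placeholder exists and carries no write permission bit."""
    for name in names:
        path = os.path.join(windows_dir, name)
        if not os.path.exists(path) or os.stat(path).st_mode & WRITE_BITS:
            return False
    return True


def self_check():
    """Exercise the routine in a throwaway directory (not %WINDIR%) and report."""
    tmp = tempfile.mkdtemp()
    try:
        first = create_vaccine_files(tmp)
        second = create_vaccine_files(tmp)   # second run must create nothing
        result = {"created": len(first), "recreated": len(second),
                  "vaccinated": is_vaccinated(tmp)}
    finally:
        for name in VACCINE_NAMES:           # give write bit back so rmtree works on Windows
            path = os.path.join(tmp, name)
            if os.path.exists(path):
                os.chmod(path, READ_ONLY | stat.S_IWUSR)
        shutil.rmtree(tmp)
    return result
```

On a real host, call create_vaccine_files(os.environ["WINDIR"]) from an elevated prompt; self_check() exercises the same routine in a temporary directory.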
This version of Petya employs remote code execution to propagate within the local network using PSEXEC.exe (renamed as DLLHOST.DAT). This Petya variant can also propagate by exploiting EternalBlue.
Petya will drop a copy of itself in the affected machine by using DLLHOST.DAT with certain parameters and enumerated credentials. If unsuccessful, Petya will use WMIC.exe to execute the ransomware.
Petya has a customized version of Mimikatz, a penetration testing tool, embedded within the ransomware that extracts usernames and passwords from the affected system. These stolen credentials are also used to spread Petya to other machines within the local network.
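The PsExec, WMIC and rundll32 behaviour described here and in the earlier PsExec section can be turned into process-creation detections for a SIEM or EDR rule set. The example below is added here and is not from the article; it runs four such rules over constructed Sysmon Event ID 1 / Windows 4688-style events, assuming a simplified ParentImage|Image|CommandLine layout and that WMIC's own "process call create" verb is what a launch via WMIC produces.

```python
from typing import List, Tuple

# Constructed sample events (not real telemetry) as "ParentImage|Image|CommandLine",
# the fields a parsed Sysmon Event ID 1 or Windows 4688 record would provide.
SAMPLE_EVENTS = [
    r"explorer.exe|C:\Windows\System32\rundll32.exe|rundll32.exe shell32.dll,Control_RunDLL",
    r"cmd.exe|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption",
    r"PSEXESVC.exe|C:\Windows\System32\rundll32.exe|rundll32.exe C:\Windows\perfc.dat,1",
    r"rundll32.exe|C:\Windows\System32\wbem\WMIC.exe|wmic /node:10.0.0.7 process call create rundll32.exe",
    r"services.exe|C:\Windows\PSEXESVC.exe|PSEXESVC.exe",
    r"rundll32.exe|C:\Windows\dllhost.dat|dllhost.dat \\10.0.0.8",
]


def rundll32_module(cmdline: str) -> str:
    """Return the module rundll32.exe was asked to load ("" if none was given)."""
    parts = cmdline.split(None, 1)
    return parts[1].split(",")[0].strip().strip('"') if len(parts) > 1 else ""


def check_event(line: str) -> List[str]:
    """Return the names of the rules one event line matches (empty if benign)."""
    parent, image, cmdline = (f.strip() for f in line.split("|", 2))
    name = image.lower().rsplit("\\", 1)[-1]
    hits = []
    # 1. The article's sample is a DLL run via rundll32.exe but named perfc.dat:
    #    flag rundll32 loading a module that is not even called *.dll.
    if name == "rundll32.exe":
        module = rundll32_module(cmdline)
        if module and not module.lower().endswith(".dll"):
            hits.append("rundll32 loading non-DLL module")
    # 2. A running image with a .dat extension (the renamed PsExec, DLLHOST.DAT).
    if name.endswith(".dat"):
        hits.append("executable with .dat extension")
    # 3. WMIC spawning a process; "process call create" is WMIC's own verb for
    #    that, so ordinary WMIC queries do not match.
    if name == "wmic.exe" and "process call create" in cmdline.lower():
        hits.append("WMIC process creation")
    # 4. PsExec's service-side binary as image or parent. Administrators use it
    #    legitimately, so correlate with the rules above before acting.
    if name == "psexesvc.exe" or parent.lower() == "psexesvc.exe":
        hits.append("PSEXESVC.exe activity")
    return hits


def scan(events=SAMPLE_EVENTS) -> List[Tuple[int, List[str]]]:
    """Run every rule over every event; return (index, hits) for flagged events."""
    return [(i, h) for i, e in enumerate(events) if (h := check_event(e))]
```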
Petya’s use of multilayered attack vectors also requires a defense-in-depth approach. Some of the best practices and countermeasures IT/system administrators and information security professionals can adopt are:
Update your systems with the latest patches, or consider using virtual patching in their absence
Apply the principle of least privilege for all workstations
For small businesses, Trend Micro Worry-Free Services Advanced offers cloud-based email gateway security through Hosted Email Security. Its endpoint protection also delivers several capabilities, such as behavior monitoring and real-time web reputation, in order to detect and block ransomware.
For home users, Trend Micro Security 10 provides strong protection against ransomware by blocking malicious websites, emails, and files associated with this threat.