Petya targets the Windows OS and is distributed via email campaigns crafted to look as though the sender is applying for a job with the recipient's company. The emails contain a link that leads the recipient to a self-extracting ransomware executable named Bewerbungsmappe-gepackt.exe. Once this file is executed, Petya overwrites the hard drive's Master Boot Record (MBR), which prevents the OS from loading, and displays a blue screen. It then reboots the infected machine, shows a fake CHKDSK screen while it encrypts the Master File Table (MFT), and flashes a red lock screen with an ASCII image of a skull and crossbones, followed by a screen outlining the ransom demand. The modified MBR prevents the infected machine from starting the OS either normally or in Safe Mode. Petya can only successfully infect a machine if the executable is launched from an account with administrator privileges. The latest version of Petya comes bundled with a second ransomware program, called Mischa, that encrypts the victim's files individually if Petya is unable to encrypt the MFT (for example, because it did not obtain administrator privileges).
UPDATE 7/28/2016: The developers of Petya and Mischa have begun enticing new distributors as they now offer their malware as an affiliate program, or Ransomware-as-a-Service (RaaS).
UPDATE 12/6/2016: A new version of the Petya-Mischa variant, dubbed “GoldenEye,” is now being distributed via spam emails containing a fake PDF resume and an Excel file containing a malicious macro. Like its predecessor, GoldenEye encrypts victims’ files and modifies the system’s MBR to prevent the OS from loading. It appends a random eight-character extension to the names of the encrypted files and drops a ransom note text file named YOUR_FILES_ARE_ENCRYPTED.TXT. This file is briefly displayed before the infected system reboots and GoldenEye proceeds to encrypt the system’s MFT. To counteract ransomware variants that modify the MBR and encrypt the MFT, Cisco Talos has released a Windows disk filter driver called MBRFilter, available on GitHub here.
UPDATE 3/15/2017: Researchers discovered PetrWrap, a modified version of Petya believed to be "unauthorized" by the Petya developer and deployed by a separate threat actor. PetrWrap uses a modified version of Petya's binaries but replaces the public key embedded in Petya with its own, so that its operators can manage file decryption and payments outside of Petya's Ransomware-as-a-Service (RaaS) platform. The ransom demand for PetrWrap is currently unknown. To protect systems and servers against this targeted attack, the NJCCIC recommends blocking access to ports 135 and 445.
UPDATE 6/27/2017: Organizations around the globe are reporting a widespread ransomware attack distributing Petya. Initial reports suggest that the UK and Ukraine, in particular, are being impacted. Those currently reporting problems include the Ukrainian central bank, Kiev's main airport, and the state power distributor, among others. Initial reports indicate that the hacker or hacking group behind this campaign is gaining access to systems by exploiting a critical Windows SMB vulnerability for which Microsoft released a patch on March 14, 2017.
UPDATE 6/27/2017 Part Two: Security researchers now believe that the global ransomware attack involved a new strain that borrowed code from Petya, which they have dubbed "NotPetya," "Petna," and "SortaPetya." They have also determined that this variant does not contain a "killswitch" like the domain name that halted the spread of WannaCry; instead, researchers have developed a "vaccine" for vulnerable systems. The vaccine involves creating a read-only file named perfc (no extension) in the C:\Windows folder. The presence of this file prevents infection, as this variant is programmed to terminate its encryption process if perfc is detected. Lawrence Abrams of Bleeping Computer has created a free batch file that automates this process, available for download here. Instructions on how to use this tool are available on the Bleeping Computer website.
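The vaccine described above, written out as a PowerShell function. This is an added example, not the Bleeping Computer batch file referenced in the update. The file name perfc is the one given in this profile; creating perfc.dat and perfc.dll alongside it is an assumption added here (the DLL name perfc.dat appears in the recommendations below), as are the function and parameter names.

```powershell
# Added example (not the Bleeping Computer tool). Creates the read-only "vaccine"
# file(s) in C:\Windows and reports their state. Run from an elevated prompt;
# use -WhatIf to preview without creating anything.
function Set-NotPetyaVaccine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 'perfc' is the name given in this profile; 'perfc.dat' and 'perfc.dll'
        # are an assumption added here to cover the DLL's own file names.
        [string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll'),
        [string]$Folder = $env:SystemRoot          # normally C:\Windows
    )

    foreach ($name in $Names) {
        $path = Join-Path $Folder $name
        if (-not (Test-Path -LiteralPath $path)) {
            if ($PSCmdlet.ShouldProcess($path, 'Create vaccine file')) {
                New-Item -ItemType File -Path $path -Force | Out-Null
            }
        }
        if (Test-Path -LiteralPath $path) {
            # Read-only so the file is not casually overwritten or deleted
            Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        }
    }

    # Report what is now in place; a vaccine file that exists but is not
    # read-only, or is missing, shows up here as ReadOnly/Exists = False
    foreach ($name in $Names) {
        $path = Join-Path $Folder $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path     = $path
            Exists   = [bool]$item
            ReadOnly = if ($item) { $item.IsReadOnly } else { $false }
        }
    }
}

Set-NotPetyaVaccine          # apply; add -WhatIf to preview
```

The returned objects are what a deployment script or RMM job should check rather than the exit code: every row must show Exists and ReadOnly as True. The vaccine only stops this one variant's check for an existing file; it does not patch the SMB vulnerability the worm uses to reach the host.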
UPDATE 6/28/2017: Additional research and reporting suggest that the initial attack vector was the breach of an update server operated by M.E.Doc, a Ukrainian company that develops accounting software. Having breached the server, the unknown hacker was able to push a malicious update to M.E.Doc software users, starting the infection. Once systems were infected, the ransomware propagated through LANs using the ETERNALBLUE and ETERNALROMANCE SMBv1 exploits over TCP port 445. After each successful infection, the ransomware waits 10 to 60 minutes and then reboots the system. As the system reboots, it encrypts the MFT of NTFS partitions and overwrites the MBR with a custom loader that displays its ransom note. Other capabilities include stealing login credentials residing in system memory, scanning local networks for administrative shares to locate additional files to encrypt, and evading antivirus detection by using an executable signed with a fake Microsoft certificate. It also uses the Windows Management Instrumentation Command-line (WMIC) tool to locate remote shares and the PsExec tool to execute itself on uninfected systems, which means a single set of stolen administrator credentials lets it spread to fully patched hosts that are not vulnerable to the SMB exploits. G Data malware analyst Karsten Hahn provides a detailed breakdown of the infection on GitHub here.
UPDATE 6/29/2017: After additional analysis of Petya/NotPetya (also known as "ExPetr") samples, researchers determined that the variant is better categorized as a "cyber-weapon," as its primary function appears to be the destruction of data rather than generating profit for the attacker. This variant does not establish a connection to a C2 server, so no infection or system information is ever transmitted back to the attacker. Additionally, the key used to encrypt the MFT cannot be recovered from the information the ransom screen shows the victim, even by the attacker, so paying the ransom cannot restore the data on the affected drive.
UPDATE 7/3/2017: FBI Flash Released (TLP: White)
UPDATE 7/6/2017: The developer of the earlier versions of Petya has released the private key. Researchers are currently working to develop a decryption tool to help previously impacted victims.
This profile will be updated as more information becomes available.
Reported Indicators of Compromise (IoCs) associated with the June 27, 2017 Petya Attack:
MD5 Hash: 71b6a493388e7d0b40c83ce903bc6b04
SHA 256 Hashes:
Associated Email Address:
***This email address is no longer active, which means victims who pay are unlikely to receive a decryption key. Bleeping Computer has more information regarding this issue.***
Associated Bitcoin Address:
Ransom Demand: $300 worth of Bitcoin
Recommendations to Prevent Infection:
Apply patches to all out-of-date software and discontinue the use of unsupported/EoL software or hosts.
Update antivirus software with the latest definitions and, if possible, set it to automatically update.
Blacklist the execution of perfc.dat as well as the PsExec utility from the Sysinternals Suite (for example, with AppLocker or Software Restriction Policies), bearing in mind that PsExec is also a common legitimate administration tool.
Block ingress and egress traffic to TCP and UDP ports 139, 445, and 3389 at your demarcation point.
Disable SMBv1 on all systems and utilize SMBv2 or SMBv3 after appropriate testing.
Run all software as a non-privileged user to diminish the effects of a successful attack.
Apply the Principle of Least Privilege to all systems and services.
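The SMBv1 and port-blocking recommendations above, applied to a single Windows host with PowerShell. This is an added example and not an NJCCIC tool: the function name, rule names and the choice to apply the port blocks on the host (the profile recommends blocking them at the demarcation point, so the host-level rules are only appropriate for endpoints that never serve SMB or RDP) are assumptions made here. The Set-SmbServerConfiguration and New-NetFirewallRule cmdlets require Windows 8 / Server 2012 or later; disabling SMBv1 should be tested first, since legacy clients and some printers still depend on it.

```powershell
# Added example (not from the NJCCIC profile). Disables SMBv1 on the server and
# client side and optionally blocks 139/445/3389 TCP+UDP in both directions with
# host firewall rules. Run elevated; -WhatIf previews every change.
function Invoke-PetyaHostHardening {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int[]]$Ports = @(139, 445, 3389),   # ports named in the recommendations
        [switch]$BlockPorts                  # assumption: off by default, hosts that
                                             # serve SMB/RDP must not get these rules
    )

    # 1. SMBv1 server side
    if ($PSCmdlet.ShouldProcess('LanmanServer', 'Disable SMBv1 protocol')) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # 2. SMBv1 client side: drop the MRxSmb10 driver from the workstation
    #    service's dependencies and disable it (Microsoft's documented method)
    if ($PSCmdlet.ShouldProcess('LanmanWorkstation', 'Disable SMBv1 client')) {
        sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
        sc.exe config mrxsmb10 start= disabled | Out-Null
    }

    # 3. Optional host firewall rules: inbound on local ports, outbound on remote
    #    ports, for both TCP and UDP as the recommendation lists them
    if ($BlockPorts) {
        foreach ($proto in 'TCP', 'UDP') {
            $common = @{ Protocol = $proto; Action = 'Block'; Profile = 'Any' }
            if ($PSCmdlet.ShouldProcess("$proto $($Ports -join ',')", 'Block in/out')) {
                New-NetFirewallRule @common -DisplayName "Petya-Block-$proto-In" `
                    -Direction Inbound -LocalPort $Ports | Out-Null
                New-NetFirewallRule @common -DisplayName "Petya-Block-$proto-Out" `
                    -Direction Outbound -RemotePort $Ports | Out-Null
            }
        }
    }

    # 4. Verify the end state rather than trusting the cmdlets' exit codes.
    #    mrxsmb10 Start value 4 = disabled; BlockRules should be 4 when -BlockPorts
    #    was applied (TCP/UDP x In/Out)
    $clientStart = (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' `
                        -Name Start -ErrorAction SilentlyContinue).Start
    [pscustomobject]@{
        Smb1ServerEnabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1ClientStart   = $clientStart
        BlockRules        = @(Get-NetFirewallRule -DisplayName 'Petya-Block-*' `
                                -ErrorAction SilentlyContinue).Count
    }
}

Invoke-PetyaHostHardening -BlockPorts -WhatIf   # preview; drop -WhatIf to apply
```

A reboot is needed before the SMBv1 client change takes effect, so Smb1ClientStart is the value to check after the restart. Note that the firewall rules do nothing against the PsExec/WMIC spread described in the 6/28/2017 update if the host still accepts administrative SMB connections from the LAN, which is why the least-privilege and credential-hygiene items above matter as much as the port blocks.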
- Trend Micro has more information about Petya here.
- Bleeping Computer has more information about the combination of Petya and Mischa here.
- Bleeping Computer provides more information about PetrWrap here.
- CrowdStrike provides a technical analysis of NotPetya. Please see Part I and Part II for more information.
- A decryption tool for Petya is available for download on Github and more information about it can be found on the Bleeping Computer website. This tool may not be able to decrypt all versions.
- The NJCCIC is currently unaware of any decryption tools available for PetrWrap.
- Lawrence Abrams of Bleeping Computer created a batch file that automatically adds a "vaccine" file to systems to prevent infection from NotPetya. This free tool can be downloaded here. Instructions on how to use the tool are available on the Bleeping Computer website.
- To counteract ransomware variants that modify the Master Boot Record (MBR) and encrypt the Master File Table (MFT), Cisco Talos has released a Windows disk filter driver called MBRFilter, available on GitHub here.

The NJCCIC makes no claim as to the effectiveness of these tools, and users are advised to exercise caution when downloading and installing any software from the internet.