Petya

Petya began as an individual ransomware variant but has recently evolved into a trojan, as it now delivers an additional ransomware payload upon infection. Petya spreads via cloud storage as well as through spam emails containing links to downloadable ZIP archives that contain an executable file and a JPEG image. The malicious files are disguised as job applications aimed at recruiters and human resources departments. Although Germany has historically been the primary target of Petya, it has begun impacting US victims.

When the malicious executable is launched, Windows displays a User Account Control (UAC) request for privilege escalation. If a system administrator has configured the system properly, Petya should not be able to run. However, if the system is not configured to prevent privilege escalation and the UAC prompt is accepted, a malicious DLL named setup.dll is unpacked into a new RAM area. When setup.dll receives control, it decrypts the data contained in the ‘.xxxx’ section and infects the victim's device. Setup.dll then rewrites the boot record on the hard drive with a malicious loader, generates a key and an infection ID, and saves them to the hard drive. It also forces the system to abort and reboot, passing control to the malicious loader.

The Master Boot Record (MBR) and the GUID Partition Table (GPT) are then infected and the Master File Table (MFT) is encrypted. The MFT, a data structure containing information about every file and directory on a system, is the critical area impacted by Petya. Once the MFT is encrypted, the system reboots and displays an image demanding a ransom from the victim. Petya's Tor payment page shows a countdown clock with the time remaining to pay the ransom before the cost doubles.
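Because Petya's damage starts with overwriting the boot record, one defensive control is to baseline the boot code region of the MBR and alert when it changes. The following is an added example, not code from the profile or from any vendor report it cites; the MBRs it checks are constructed in-line, and the byte patterns used for the "clean" and "tampered" boot code are stand-ins, not real loader or Petya bytes.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTCODE_LEN = 446          # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446        # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511 of a valid MBR

def parse_partitions(mbr: bytes):
    """Decode the four classic partition entries (status, type, LBA start, size)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # type 0 means the slot is unused
            entries.append({"index": i, "bootable": status == 0x80,
                            "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return entries

def check_mbr(mbr: bytes, baseline_bootcode_sha256: str):
    """Compare a 512-byte sector to a known-good baseline; [] means no findings."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector size {len(mbr)}"]
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    digest = hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()
    if digest != baseline_bootcode_sha256:
        findings.append(f"boot code changed: sha256={digest[:16]}...")
    parts = parse_partitions(mbr)
    if not parts:
        findings.append("partition table empty")
    if sum(1 for p in parts if p["bootable"]) > 1:
        findings.append("more than one active partition")
    return findings

def build_mbr(bootcode: bytes) -> bytes:
    """Assemble a constructed MBR: boot code, one NTFS partition, signature."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    # Constructed table: one active NTFS (0x07) partition at LBA 2048, 1 GiB.
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 2097152) + b"\x00" * 48
    return code + table + BOOT_SIGNATURE

CLEAN_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 20)  # constructed stand-in
BASELINE = hashlib.sha256(CLEAN_MBR[:BOOTCODE_LEN]).hexdigest()       # recorded when known good
TAMPERED_MBR = build_mbr(b"\xfa\x31\xc0" + b"\xcc" * 30)              # constructed: loader replaced

if __name__ == "__main__":
    print("clean   :", check_mbr(CLEAN_MBR, BASELINE) or "matches baseline")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a live Windows host the first sector is read from \\.\PhysicalDrive0 with administrative rights and compared against a baseline recorded while the system was known good; a mismatch in the boot code region is the kind of change the infection chain above produces.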

Alternatively, Petya unpacks and deploys the malicious Mischa.dll file to encrypt the victims' data and encourages them to join a ransomware affiliate program.

Reporting

  • March 2016: Petya was seen targeting human resources divisions at companies in Germany. (Graham Cluley)
  • March 2016: Petya leveraged Dropbox to push an executable file that releases the trojan. (SC Magazine)
  • April 2016: Researchers reportedly discovered a method to restore the password without paying the ransom. (GitHub)
  • May 2016: Petya began delivering an additional ransomware variant, Mischa. (MalwareBytes)

Technical Details

  • Petya is also detailed in the NJCCIC Ransomware Threat Profile page, available here.
  • SecureList provides technical details on the Petya trojan, available here.

One example of the Petya trojan. Image Source: Malwarebytes