30 June 2017

A technical analysis of the recent Petya ransomware attack

Written by Pradeep Kulkarni
Ransomware, Security

Earlier this week, a new variant of the Petya ransomware was spotted creating havoc across Europe and major parts of Asia, including India. Petya's main target has been Ukraine, where major banks and power services were hit by the attack.

It is a new version of the old Petya ransomware first spotted in 2016. The new variant has hit the world with a bang and follows the WannaCry propagation technique.

This new version of Petya is more dangerous than other ransomware in that it does not just encrypt users' data: it also encrypts the master file table (MFT) and overwrites the master boot record (MBR). Let's take a look at the details of this attack.

Petya Ransomware

Upon execution, the ransomware drops two components. Both are stored in compressed form in the resource section of the ransomware binary.

Dropped components

Component                  Description
c:\windows\dllhost.dat     PsExec utility from the Sysinternals toolkit
%TEMP%\<random name>.tmp   Custom-built password dumper tool similar to Mimikatz

Fig 1. Dropped components of Petya ransomware

The ransomware acquires the required privileges and steals the credentials of active sessions using a custom-built password dumper tool similar to Mimikatz.

Fig 2. Acquires required privileges

The first method used for spreading is exploitation of the vulnerability reported in the MS17-010 security bulletin: the 'ETERNALBLUE' exploit is fired at unpatched machines. If the SMB vulnerability is patched, it falls back to the PSEXEC and WMIC techniques described below to propagate across the network. It scans the local network for 'admin$' shares, copies itself to them, and then executes the newly copied malware binary remotely using PSEXEC, as shown below.

Fig 3. Ransomware propagation using PSEXEC

Another method the ransomware uses for remote process execution is Windows Management Instrumentation Command-line (WMIC), which runs the ransomware remotely with the stolen credentials. The WMIC command used is shown in the code snippet below.

Fig 4. Ransomware propagation using WMIC

Here "%ws" is the wide-string format specifier, which is filled in with the current machine name and the user credentials.

Encryption

The ransomware writes its own malicious code to the master boot record (MBR) and encrypts the MFT. The code snippet below shows how it writes to the MBR.

Fig 5. Ransomware writes to MBR and encrypts MFT

Once the MBR is infected, it schedules a restart of the computer 10 to 60 minutes from the current time. For the restart it uses 'shutdown.exe' in combination with service creation or the 'at' command.

Fig 6. The ransomware schedules a restart of affected system
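The PSEXEC and WMIC propagation described above and the scheduled restart are all visible in endpoint process-creation telemetry, which makes them natural inputs for detection. The Python script below is an added example, not code from this post or from Quick Heal: it runs four small rules over a handful of constructed process-creation events in an assumed "image|command line" layout (a hypothetical sensor format chosen for the example). The host addresses, user names and command lines in the sample are invented for illustration; only the file names dllhost.dat, perfc.dat and the .tmp extension follow the post. The rules key on the behaviours the post names: a process image carrying a .dat or .tmp extension, a command line touching an admin$ share, WMIC remote process creation, and a reboot scheduled through 'at' (schtasks.exe and sc.exe are added as the usual task-scheduling and service-creation routes, which is an assumption beyond the post).

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass
class Event:
    image: str     # full path of the created process
    cmdline: str   # its command line


@dataclass
class Hit:
    rule: str
    image: str
    cmdline: str


# Constructed sample events in an assumed "image|command line" layout
# (hypothetical sensor format for this example). Hosts, users and command
# lines are invented; the file names follow the post's dropped components.
SAMPLE_LOG = r"""
C:\Windows\System32\svchost.exe|svchost.exe -k netsvcs
C:\Windows\System32\cmd.exe|cmd.exe /c copy C:\Windows\perfc.dat \\192.0.2.15\admin$\perfc.dat
C:\Windows\dllhost.dat|c:\windows\dllhost.dat \\192.0.2.15 -accepteula -d C:\Windows\perfc.dat
C:\Windows\System32\wbem\WMIC.exe|wmic /node:"192.0.2.16" /user:"CORP\alice" /password:"REDACTED" process call create "C:\Windows\perfc.dat"
C:\Windows\System32\at.exe|at 14:35 C:\Windows\System32\shutdown.exe /r /f
C:\Users\bob\AppData\Local\Temp\ab12cd.tmp|ab12cd.tmp
C:\Windows\System32\notepad.exe|notepad.exe C:\Users\bob\notes.txt
"""


def basename(path: str) -> str:
    """Lower-cased file name component of a Windows path."""
    return path.lower().replace("/", "\\").rsplit("\\", 1)[-1]


def is_data_extension_process(e: Event) -> bool:
    # PsExec was dropped as dllhost.dat and the credential dumper as a .tmp
    # file; a process image with such an extension is worth flagging.
    return basename(e.image).endswith((".dat", ".tmp"))


def touches_admin_share(e: Event) -> bool:
    # Copying itself to admin$ shares is the lateral-movement staging step.
    return "admin$" in e.cmdline.lower()


def is_wmic_remote_create(e: Event) -> bool:
    # WMIC targeting another node and asking it to create a process.
    return (basename(e.image) == "wmic.exe"
            and "/node:" in e.cmdline.lower()
            and re.search(r"process\s+call\s+create", e.cmdline, re.I) is not None)


def schedules_reboot(e: Event) -> bool:
    # 'at' is named in the post; schtasks.exe and sc.exe are added here as
    # the usual task-scheduling and service-creation routes (assumption).
    return (basename(e.image) in {"at.exe", "schtasks.exe", "sc.exe"}
            and "shutdown" in e.cmdline.lower())


RULES: List[Tuple[str, Callable[[Event], bool]]] = [
    ("executable-with-data-extension", is_data_extension_process),
    ("copy-to-admin-share", touches_admin_share),
    ("wmic-remote-process-create", is_wmic_remote_create),
    ("scheduled-forced-reboot", schedules_reboot),
]


def parse_events(text: str) -> List[Event]:
    """Split each non-empty line at the first '|' into image and command line."""
    events = []
    for line in text.strip().splitlines():
        image, _, cmdline = line.partition("|")
        events.append(Event(image.strip(), cmdline.strip()))
    return events


def scan(events: List[Event]) -> List[Hit]:
    """Apply every rule to every event; one Hit per (event, matching rule)."""
    return [Hit(name, e.image, e.cmdline)
            for e in events for name, pred in RULES if pred(e)]


def summarize(hits: List[Hit]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h.rule] = counts.get(h.rule, 0) + 1
    return counts


if __name__ == "__main__":
    for h in scan(parse_events(SAMPLE_LOG)):
        print(f"[{h.rule}] {h.image}: {h.cmdline}")
```

On the sample, the svchost and notepad events produce no hits while the other five each trip exactly one rule. The first rule is the cheapest and most specific to this family's dropped files; the admin$ and WMIC rules will also fire on legitimate administration, so in practice they are best scored together with the credential-theft and reboot-scheduling signals rather than alerted on individually.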

Once the affected system restarts, the ransomware displays a CHKDSK message and continues encryption in the background, as shown below.

Fig 7. CHKDSK message after restart

The ransomware encrypts the following types of files present on the system:

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak
.c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc
.docx .dwg .eml .fdb .gz .h .hdd .dbx .mail .mdb
.msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt
.pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar
.vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx
.vsv .work .xls .xlsx .xvd .zip

Fig 8. File extension list

The files are encrypted with the AES-128 algorithm. One AES key is used to encrypt the files of one drive only. The AES-128 key used for file encryption is itself encrypted with the RSA-2048 algorithm. The RSA public key is embedded in the binary in base64-encoded form.

Upon complete execution, the ransom screen below is displayed.

Fig 9. Petya ransom screen

Seqrite Detections

Fig 10. Prompt by Quick Heal Virus Protection

Fig 11. Prompt by Quick Heal Behavior Detection System

Quick Heal users are protected from the Petya ransomware attack.

Indicators of compromise:

71B6A493388E7D0B40C83CE903BC6B04
E285B6CE047015943E685E6638BD837E
c:\windows\dllhost.dat
c:\windows\perfc.dat
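The hashes and paths above can be turned into a simple sweep. The Python below is an added example, not a tool from this post or from Quick Heal: it walks a directory tree, flags files named like the dropped components and hashes the remaining files against the two listed values, which it assumes are MD5 digests (the post does not state the hash algorithm). Matching on the file name rather than the full c:\windows path is a deliberate generalisation so the same function can run over a mounted disk image or a copied evidence folder. The tree swept by run_demo() is constructed in a temporary directory, so nothing here touches a real Windows installation.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, List

# Indicators taken from the post. The two 32-hex-digit values are treated
# as MD5 digests (an assumption: the post does not name the hash algorithm).
IOC_MD5 = {
    "71b6a493388e7d0b40c83ce903bc6b04",
    "e285b6ce047015943e685e6638bd837e",
}
# The post lists these under c:\windows; matching on the file name alone
# lets the sweep run over any directory tree, including offline images.
IOC_FILENAMES = {"dllhost.dat", "perfc.dat"}


def md5_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Stream the file so large files do not have to fit in memory."""
    digest = hashlib.md5()
    with path.open("rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root: Path, max_size: int = 50 * 1024 * 1024) -> List[Dict[str, str]]:
    """Walk root and report files whose name or MD5 matches an indicator."""
    findings: List[Dict[str, str]] = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        if path.name.lower() in IOC_FILENAMES:
            findings.append({"path": str(path), "reason": "ioc-filename"})
        try:
            if path.stat().st_size > max_size:
                continue        # skip very large files; the samples are small
            digest = md5_of_file(path)
        except OSError:
            continue            # unreadable (locked, permission denied): move on
        if digest in IOC_MD5:
            findings.append({"path": str(path), "reason": "ioc-hash", "md5": digest})
    return findings


def run_demo() -> Dict[str, object]:
    """Build a constructed directory tree and sweep it (sample data, not a real host)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        # Constructed stand-in: same name as the dropped PsExec copy, harmless content.
        (root / "Windows" / "dllhost.dat").write_bytes(b"not the real sample")
        (root / "Windows" / "empty.bin").write_bytes(b"")
        (root / "notes.txt").write_text("clean file")
        return {
            "findings": sweep(root),
            "empty_md5": md5_of_file(root / "Windows" / "empty.bin"),
        }


if __name__ == "__main__":
    result = run_demo()
    for finding in result["findings"]:
        print(finding["reason"], finding["path"])
```

On a live host, point sweep() at the Windows directory or at the mount point of an image. A hit on the file name alone is a weaker signal than a hash match, since a legitimate file could carry the same name, so the two reasons are reported separately rather than merged.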

Also Read

http://www.seqrite.com/blog/petya-ransomware-is-affecting-users-globally-here-are-things-you-can-do/
http://www.seqrite.com/blog/wannacrys-never-say-die-attitude-keeps-it-going/
http://www.seqrite.com/blog/ms17-010-windows-smb-server-exploitation-leads-to-ransomware-outbreak/
http://www.seqrite.com/blog/wannacry-ransomware-creating-havoc-worldwide-by-exploiting-patched-windows-exploit/

Acknowledgement

Subject Matter Expert:

  • Prakash Galande
  • Tejas Girme
  • Shriram G. Munde
  • Shantanu A. Vichare

– Quick Heal Security Labs
