Trojan.Petya

Classification

Category: Malware

Type: Trojan

Aliases: Petya.[variant], Trojan.Ransom.Petya.[variant]

Summary

Petya is ransomware that encrypts the Master Boot Record on a computer and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected machine.

Removal

F-Secure detects ransomware using a variety of signature and generic detections. Once detected, the F-Secure security product will automatically remove the file.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key. In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a recent clean backup.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Unlike most other crypto-ransomware, Petya will encrypt the Master Boot Record (MBR), a special section of a computer's hard drive that runs first and starts (boots) its operating system, allowing all other programs to run.

Arrival via email

Users typically first encounter Petya ransomware through email messages. The emails contain legitimate-looking business content, such as an application for a job opening, and a link to a file stored on a legitimate cloud storage service. The link is designed to appear to be for a resumé document, but is actually an executable program. Once the disguised file is downloaded and run, it downloads the actual ransomware and runs it on the user's machine.

At the time of writing, the disguised file has been removed from the cloud storage service. Cases of Petya infection are currently mostly reported targeting companies in Germany.

Encrypting the MBR

Technically speaking, the disguised file is a packer compiled in Visual C++. The packer code is obfuscated and uses multiple layers of encryption to hide its malicious payload - a DLL file that is executed from allocated memory, so that no files are dropped on the system.

The DLL file is responsible for reading the machine's MBR and encrypting it with an XOR cipher. The DLL then replaces the MBR with the malware's own, and the original, now-encrypted MBR is written to the sector immediately following the malware's code.
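As an added forensic example (not from F-Secure's description and not Petya's own code), the following scans a raw disk image for the layout described above: it treats the trailing 0x55AA boot signature as known plaintext to derive a one-byte XOR key for each sector after the first, and reports the sector that decrypts to a structurally valid MBR. The one-byte key, the sector offset and the sample image are constructed assumptions, not values taken from the malware.

```python
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"

def parse_partitions(mbr: bytes):
    """Decode the four 16-byte partition entries at offset 446."""
    entries = []
    for i in range(4):
        e = mbr[446 + 16 * i: 462 + 16 * i]
        lba, count = struct.unpack_from("<II", e, 8)
        entries.append({"boot": e[0], "type": e[4], "lba_start": lba, "sectors": count})
    return entries

def plausible_mbr(mbr: bytes) -> bool:
    """Known-plaintext structure a real MBR must have: the 0x55AA boot
    signature, valid boot indicators (0x00/0x80) and at least one sane partition."""
    if len(mbr) != SECTOR or mbr[510:] != BOOT_SIG:
        return False
    parts = parse_partitions(mbr)
    if any(p["boot"] not in (0x00, 0x80) for p in parts):
        return False
    return any(p["type"] and p["lba_start"] and p["sectors"] for p in parts)

def find_xored_mbr(image: bytes, max_sectors: int = 64):
    """Scan sectors 1..max_sectors for a copy of the original MBR hidden under a
    single-byte XOR key (assumption). Returns {"sector", "key", "mbr"} or None."""
    for n in range(1, min(max_sectors, len(image) // SECTOR)):
        enc = image[n * SECTOR:(n + 1) * SECTOR]
        key = enc[511] ^ 0xAA              # last signature byte fixes the key
        if enc[510] ^ key != 0x55:         # second signature byte must agree
            continue
        plain = bytes(b ^ key for b in enc)
        if plausible_mbr(plain):
            return {"sector": n, "key": key, "mbr": plain}
    return None

def build_sample_image() -> bytes:
    """Constructed image: a bootable-looking but bogus sector 0, stand-in loader
    code in sectors 1-4, the original MBR XOR 0x37 in sector 5, then empty sectors."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    original = b"\xfa\x33\xc0" + b"\x00" * 443 + entry + b"\x00" * 48 + BOOT_SIG
    bogus = b"\x90" * 510 + BOOT_SIG
    loader = b"\x90" * (SECTOR * 4)
    xored = bytes(b ^ 0x37 for b in original)
    return bogus + loader + xored + b"\x00" * (SECTOR * 10)

if __name__ == "__main__":
    hit = find_xored_mbr(build_sample_image())
    print(hit["sector"], hex(hit["key"]), parse_partitions(hit["mbr"])[0])
```

On a real image the recovered sector and key are evidence for the incident record; the decrypted MBR can then be compared against the system's baseline before any restore decision.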

More technical details of how Petya performs the encryption are available at:

Displaying the ransom demand

The ransomware then triggers an error that crashes the system, displaying what is known as a 'blue screen of death' (BSOD). To do this, the DLL file calls NtRaiseHardError with the status code 0xC0000350, causing the system to BSOD and restart. When the machine starts again, the malicious MBR is loaded and executes the malware code written to the "\\.\PhysicalDrive0" sectors.

A red screen (complete with skull illustration) is then displayed, containing the ransom text. From this point onwards, the user's machine is inaccessible without the decryption key.

More

For more about this threat, see: