
Trojan.Petya

Classification

Category: Malware

Type: Trojan

Aliases: Petya.[variant], Trojan.Ransom.Petya.[variant]

Summary


Petya is ransomware that encrypts the Master Boot Record on a computer and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected machine.

Removal


Automatic action

F-Secure detects ransomware using a variety of signature and generic detections. Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting or renaming it.

Further action

If the ransomware uses encryption to take files or an entire system hostage, the encryption may be sufficient to make it very difficult to decrypt the files without the necessary decryption key. In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a recent clean backup.


Technical Details


Unlike most other crypto-ransomware, Petya will encrypt the Master Boot Record (MBR), a special section of a computer's hard drive that runs first and starts (boots) its operating system, allowing all other programs to run.

Arrival via email

Users typically first encounter Petya ransomware through email messages. The emails contain legitimate-looking business content, such as an application for a job opening, and a link to a file stored on a legitimate cloud storage service. The link is designed to appear to be for a resumé document, but is actually an executable program. Once the disguised file is downloaded and run, it downloads the actual ransomware and runs it on the user's machine.

At the time of writing, the disguised file has been removed from the cloud storage service. Cases of Petya infection are currently mostly reported targeting companies in Germany.

Encrypting the MBR

Technically speaking, the disguised file is a packer compiled in Visual C++. The packer code is obfuscated and uses multiple layers of encryption to hide its malicious payload, a DLL file that is executed in allocated memory, so that no files are dropped on the system.

The DLL file is responsible for fetching the machine's MBR and encrypting it using the XOR cipher. The DLL then replaces the MBR with the malware's own MBR, and the original, now-encrypted MBR is written to the next sector after the malware's code.
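A forensic triage check modelled on the disk layout just described, added here as an example and not part of the original description or of any F-Secure tool: it scans the leading sectors of a raw disk image for a sector that becomes a plausible MBR under a single-byte XOR key, which is how an analyst would locate the displaced original MBR for recovery. The single-byte key form, the key value 0x37 and the sector offset of the copy are assumptions used only for the constructed sample; the page states none of them.

```python
SECTOR = 512

def looks_like_mbr(sector: bytes) -> bool:
    """Heuristic plausibility check for a 512-byte MBR: 0x55AA boot signature,
    four partition entries whose boot-indicator byte is 0x00 or 0x80, and at
    least one non-zero partition type."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    entries = [sector[446 + 16 * i: 446 + 16 * (i + 1)] for i in range(4)]
    if any(e[0] not in (0x00, 0x80) for e in entries):
        return False
    return any(e[4] != 0 for e in entries)

def recover_xor_mbr(sector: bytes):
    """Try every single-byte XOR key (an assumed key form, not from the page) and
    return (key, plaintext) when the result passes looks_like_mbr, else None.
    Key 0 simply means the sector already is a plaintext MBR."""
    for key in range(256):
        candidate = bytes(b ^ key for b in sector)
        if looks_like_mbr(candidate):
            return key, candidate
    return None

def scan_image(image: bytes, max_sectors: int = 64):
    """Walk the first max_sectors sectors of a raw image and list
    (sector_number, xor_key) for every sector that decodes to an MBR."""
    hits = []
    for n in range(min(max_sectors, len(image) // SECTOR)):
        hit = recover_xor_mbr(image[n * SECTOR:(n + 1) * SECTOR])
        if hit is not None:
            hits.append((n, hit[0]))
    return hits

# Constructed sample data (not real Petya bytes). A plausible original MBR:
# a few bytes of boot code, one bootable NTFS-type partition entry, three
# empty entries and the boot signature.
ORIGINAL_MBR = (b"\xfa\x33\xc0" + b"\x00" * 443
                + bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff])
                + (2048).to_bytes(4, "little") + (2097152).to_bytes(4, "little")
                + b"\x00" * 48 + b"\x55\xaa")
# Infected layout as described: a replacement sector 0 (stand-in bytes that
# still carry the partition table), filler sectors standing in for the malware
# code, then the original MBR XORed with the assumed key placed after the code.
ASSUMED_KEY, COPY_SECTOR = 0x37, 34
SAMPLE_IMAGE = (b"\xeb\xfe" + b"\x90" * 444 + ORIGINAL_MBR[446:]
                + b"\xcc" * SECTOR * (COPY_SECTOR - 1)
                + bytes(b ^ ASSUMED_KEY for b in ORIGINAL_MBR))

if __name__ == "__main__":
    for sector, key in scan_image(SAMPLE_IMAGE):
        print(f"sector {sector}: MBR-like content under XOR key 0x{key:02x}")
```

On the sample image the scan reports sector 0 with key 0 (the replacement MBR) and sector 34 with key 0x37 (the encrypted original), and the recovered plaintext can be compared byte for byte against a known-good MBR before any restore is attempted.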

More technical details of how Petya performs the encryption are available at:

Displaying the ransom demand

The ransomware will then trigger an error that causes the system to crash, displaying what is known as a 'blue screen of death' (BSOD). To do this, the DLL file calls NtRaiseHardError to raise error 0xC0000350, which crashes the system to a BSOD and restarts it. When the machine starts again, the malicious MBR is loaded and executes the malware code written to the "\\.\PhysicalDrive0" sectors.

A red screen (complete with skull illustration) is then displayed, containing the ransom text. From this point onwards, the user's machine is inaccessible without the decryption key.

Petya's ransom demand screen

More

For more about this threat, see: