Trojan:W32/Petya.F
Summary
This ransomware first came to public notice in an outbreak on 27 June 2017 which affected multiple institutions in various countries, notably Ukraine, Spain, Denmark and Russia.
Removal
Automatic action
F-Secure detects the known variants of this ransomware with multiple signature detections, available in the latest database updates. These include (but are not limited to):
- Trojan.Ransom.GoldenEye.B - released in the 2017-06-27_10 Aquarius database published at 1519hrs UTC on 27 June 2017
- Trojan:W32/Petya.F - released in the 2017-06-27_01 Hydra database published at 1533hrs UTC on 27 June 2017
- Trojan:W32/Petya.G - released in the 2017-06-27_01 Hydra database published at 1533hrs UTC on 27 June 2017
Instructions on how to check if your F-Secure security program is using the latest database update are available in Community: How do I know that I have the latest updates?
Once detected, the F-Secure security product will automatically handle a harmful program or file by either deleting or renaming it.
Further action
Once the ransomware has successfully encrypted the vulnerable machine, the encryption may be sufficient to make it very difficult to decrypt the computer without the necessary decryption key.
In such circumstances, the recommended course of action is to report the crime to the relevant authorities and restore the affected data from a backup.
Vulnerability prevention
This variant of the Petya ransomware uses the NSA-linked EternalBlue and EternalRomance exploit tools to target and leverage known vulnerabilities in the Windows Server Message Block. These vulnerabilities have been addressed by Microsoft in a patch released in May 2017. For more information about the vulnerabilities and the relevant patches, please see:
Network protection
We recommend that organizations take additional steps to mitigate against vulnerability exploitation and prevent an attack from spreading in your environment:
- Ensure DeepGuard and real-time protection is turned on in all your corporate endpoints.
- Ensure that F-Secure Real-time Protection Network is turned on.
- Ensure that F-Secure firewall is turned on in its default settings.
- Ensure that F-Secure security program is using the latest database update are available.
- Identify endpoints without the Microsoft issued patches (4013389) with Software Updater or other available tool, and patch them immediately.
- In case you are unable to patch it immediately, we recommend to disable SMBv1 with the steps documented at Microsoft Knowledge Base Article 2696547 in order to reduce attack surface. Alternatively, configure your firewall to properly block 445 in- and outbound traffic within the organization to prevent it from spreading within the environment.
- To protect against Petya spreading using the Windows PSEXEC and WMIC administrative tools:
- Pro-actively create the file C:\windows\perfc and disable read/write rights from it for all Windows machines. Petya should not engage when it sees that file.
- Replace the call to psexec.exe: Create a key called "psexec.exe"in "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options" and then create a REG_SZ value for it called "Debugger" and set it to "svchost.exe". This way the real psexec will not launch
- Disable the use of local AD / GPO accounts for remote logins to disable the psexec/wmic combo
- Disable WMIC where possible in Windows wherever it's not needed
- Firewall incoming requests to 135/tcp (winrpc) for the wmic requests
- Firewall incoming requests to 445/tcp (cifs) for the incoming Eternalblue requests, which should already be the case as a result of WannaCry
Knowledge Base
Find the latest advice in our Community Knowledge Base.
About the product
See the manual for your F-Secure product on the Help Center.
Submit a sample
Submit a file or URL for further analysis.
Technical Details
As with previous variants of the Petya ransomware, this variant encrypts the computer's Master Boot Record, then demands payment of a ransom in return for the decryption key needed to restore the machine to normal use.
Outbreak
This variant was first seen in an outbreak that began on 27 June 2017 and affected a number of commercial organizations. For more information about the outbreak, see:
- F-Secure Labs Weblog: Petya: I want to believe
- F-Secure Safe & Savvy: Petya Ransomware FAQ: Known Knowns and Unknowns
- F-Secure Business Security Insider: 3 Things Companies can do to Beat Petya
- F-Secure Business Security Insider: Petya Ransomware Outbreak Proves WannaCry was Only the Beginning
- Forbes: Another Massive Ransomware Outbreak Is Going Global Fast
- Reuters: Ukraine's Ukrenergo says hit by cyber attack, power supplies unaffected
- El Confidencial: Un nuevo ataque de 'ransomware' paraliza grandes empresas en todo el mundo (in Spanish)
Infection
The ransomware is distributed as a DLL file. At the time of writing, the initial infection vector (that is, how it first gains entry onto a machine or network) for this variant is not yet confirmed.
Once it is executed on a machine, the Petya variant creates a scheduled job to restart the affected computer in an hour. While waiting for the restart, the malware tries to propagate to any susceptible machines in the connected network. The malware uses multiple methods to spread, including:
- Exploiting vulnerabilities in the Windows Server Message Block (SMB) using the EternalBlue and EternalRomance exploit tools (see Exploit section below)
- Using legitimate Windows administrative tools, specifically PSEXEC and Windows Management Instrumentation Command-line (WMIC), to distribute and execute the malware
- Stealing administrative credentials or hijacking existing active sessions
As the malware uses multiple methods to spread, there is no exact sequence of events. The malware steals administrator credentials by first dropping and running a credential dumping tool (which shares similar code to the Mimikatz password-stealing malware). It then scans the network for machines to which it can send a copy of itself using the stolen credentials.
The malware also tries to find machines in the network that it can propagate to by using specific PSEXEC and WMIC commands. It will also try to exploit the SMB vulnerabilities to drop a copy of itself onto any vulnerable machines.
Additional precautions that administrators can take to mitigate the spread of the Petya malware in a network using these methods is given in the Removal section above.
Exploit
The Petya variant from this outbreak is notable for using the EternalBlue and EternalRomance exploit tools, which first gained prominence in the WannaCry outbreak that occurred in May 2017.
The malware uses these tools to exploit known vulnerabilities in the Windows Server Message Block and spread to other vulnerable machines in the same network. There are however notable differences in the implementation of the exploit in the latest samples.
Following the WannaCry outbreak, Microsoft released a patch that closed the vulnerabilities leveraged by the leaked tools. For more information about the vulnerabilities and the relevant patches, please see:
Encryption
While the malware is waiting for the scheduled job to execute, it will scan directories on the machine to find files matching a list of extensions. The first megabyte of these files are encrypted. This encryption occurs offline - that is, the computer does not need to be connected to the Internet for the encryption to take place, as the malware does not communicate with a command and control (C&C) server to perform the encryption.
Once the schedule job executes and restarts the machine, the malware interferes with the normal booting process by encrypting the Master File Tables (MFT) for NTFS partitions and replacing the computer's Master Boot Record (MBR) with a custom bootloader.
During this process, it displays a message that looks similar to a CHKDSK operation to mislead the user into thinking a normal process is taking place:
CHKDSK-like message displayed by the Petya ransomware
Once the encryption is completed, the bootloader displays the ransom demand:
Ransom demand displayed by the Petya ransomware
Once the MBR has been encrypted, normal use of the affected computer is not possible.
Ransom
The ransom demand requires the affected users to send the payment to a specific Bitcoin address, and then send an email with their Bitcoin wallet ID to a designated email address. As of 28 June 2017, a small handful of payments have already been made to the designated Bitcoin address.
According to news reports however, the German email provider hosting the attacker's designated email address have suspended the account, meaning that the attackers are no longer able receive the emails sent by affected users and would have no way of providing the decryption keys to them.
Date Created: 27 June 2017
Date Last Modified: 29 June 2017