| Field | Value |
|---|---|
| Type | Ransomware (December 2015), wiper (June 27th, 2017) |
| Creator | Janus Cybercrime Solutions (2015); Russian military intelligence (GRU), the unit tracked as Sandworm, per the public US/UK attribution (2017) |
| Date | December 2015 (Petya.A), June 27th, 2017 (NotPetya) |
| Origin | Russia; Germany (speculated) |
| Programming Language | C++, Assembly |
| File Type | Win32 PE executable (.EXE), dynamic-link library (.DLL) |
| Impact | Over 64 countries affected |
| Damage costs | $10 billion (estimate cited by the White House) |
Petya is a ransomware family targeting Microsoft Windows that infects the Master Boot Record (MBR). It was created by a malware-development group calling itself Janus Cybercrime Solutions. It mostly infected computers in Europe (especially Germany, the United Kingdom, Belgium, and Denmark) but also spread into Asia, Australia, and South America. Some companies were still replacing computers infected with the NotPetya variant long after the outbreak.
There are many variants of Petya: the original variant (standard Petya or Red Petya), Mischa (commonly known as Green Petya), and finally GoldenEye (Yellow Petya). Two further variants appeared in 2017, which security researchers have called PetrWrap and NotPetya. NotPetya is effectively a wiper: it encrypts the Master File Table (MFT) with a key that can never be recovered, while PetrWrap is a fully functional ransomware.
NotPetya is now considered destructive malware. The user's data is gone unless a backup is present, because the "personal installation key" shown to the victim is random data unrelated to the encryption key, so no decryption key can be derived from it. Computers affected by the original Petya variants (Red, Green/Mischa and GoldenEye), however, can be recovered, as the master key used for encryption was later released.
The name Petya is a reference to the 1995 James Bond film GoldenEye, in which Petya is one of the two Soviet weapon satellites that carry a GoldenEye, an atomic bomb detonated in low Earth orbit to produce an electromagnetic pulse.
A Twitter account that Heise suggested may have belonged to the author of the malware, named Janus Cybercrime Solutions after Alec Trevelyan's crime group in GoldenEye, had an avatar with an image of GoldenEye character Boris Grishenko, a Russian hacker and antagonist in the film played by Scottish actor Alan Cumming.
Affected businesses include:
- Rosneft (Russia)
- A.P. Moller-Maersk (Denmark)
- WPP (United Kingdom)
- Merck & Co. (United States)
- Russian banks (Russia)
- Ukraine central bank and power grid
- Boryspil Airport (Ukraine)
- Saint-Gobain (France)
- Deutsche Post (Germany)
- Metro (Germany)
- Mondelez International (United States)
- Evraz (Russia)
- Unnamed Norwegian international company
- Mars Inc. (United States)
- Beiersdorf AG (Germany)
- Reckitt Benckiser (United Kingdom)
- Odessa airport (Ukraine)
- Kiev Metro (Ukraine)
- Interfax (Russia)
The original Petya is distributed through spam e-mails that contain a Dropbox download link to a file posing as a job applicant's resume.
Petya's core is a DLL (setup.dll). It can be loaded by system processes, but it is usually run by an EXE dropper written by the malware authors, which arrives through spam messages containing links that download a ZIP archive.
The archive contains the trojan's executable and a JPEG image. The file names are in German (e.g. Bewerbungsunterlagen.PDF.exe), are made to look like job applications, and target HR staff in German-speaking countries. The EXE files carry a PDF icon and a manifest requesting Administrator privileges, and they are packed and encrypted in a way that makes the code hard to analyze and hard to detect even heuristically.
If the dropper is run with Administrator privileges, it decrypts itself, adjusts its token privileges (enabling SeTcbPrivilege, SeDebugPrivilege and SeShutdownPrivilege through AdjustTokenPrivileges) and loads setup.dll, the Petya core, directly from memory, calling its only exported function, _ZuWQdweafdsg345312@0. The DLL is written in C and built with Visual Studio. When it runs, it decrypts its .xxxx section, embedded in the DLL as a readable section, and executes the code it contains. That code opens the primary hard drive and queries it with the DeviceIoControl Windows API.
It obtains the partition style by parsing the PARTITION_INFORMATION_EX structure and its PartitionStyle member. If the partition style is MBR, the .xxxx code encrypts the boot sector (sector 0) by XORing it with the key 0x37 and writes the result to sector 56 of the primary hard drive. Sectors 1 to 33 are XORed in place with the same key. Petya then generates a configuration block, written to sector 54, which the malware reads at the next boot.
Petya then creates the verification sector, sector 55, filled with the repeating byte 0x37; copies the disk's NT signature and the partition table saved from the original Master Boot Record into its own first-stage loader; writes that first-stage code to the boot sector; and writes its second-stage code (referred to here as the malicious loader, or Petya's boot kernel) to sectors 34 to 50.
It then calls NtRaiseHardError, which makes the operating system raise a BSOD and reboot. This routine is only reached if SeShutdownPrivilege was enabled; otherwise Petya does nothing further. The boot kernel is not encrypted and its strings are readable. All raw disk access goes through CreateFile opened on the physical drive device.
When setup.dll detects a GPT disk, it locates the GPT header, XORs it with 0x37 and otherwise behaves as it does for an MBR disk. The configuration sector (sector 54) contains a config.state field, a config.mal_urls field (the Tor URLs to display), config.ec_data (the decryption ID shown to the user, generated from the Salsa20 key) and config.salsa_key, the Salsa20 key used to encrypt the MFT.
Cryptographic APIs from ADVAPI32.DLL are used, in particular CryptAcquireContextA, which initializes a cryptographic service provider context, and CryptGenRandom, which uses that context to generate the cryptographically secure random bytes for the key.
When the system boots again, the Master Boot Record (sector 0) runs the Petya kernel code stored in sectors 34 to 50. The kernel scans every hard disk in the machine and checks the config.state field in sector 54. If it is 1, the Petya skull payload screen is shown; if it is 0, the encryption process begins.
A fake CHKDSK screen is displayed. The Salsa20 key (config.salsa_key) is read from sector 54, config.state is set to 1, and sector 55 is encrypted with the Salsa20 key. The kernel then searches every connected hard disk for the MFT and encrypts each MFT it finds with the same key. Sector 57 is used as a marker. Finally the key in sector 54 is erased and the system is rebooted through the BIOS bootstrap interrupt INT 19h.
The Petya payload screen is then displayed, using config.mal_urls and config.ec_data. The trojan asks for a key and verifies it: if the input is 16 bytes long it is turned into a Salsa20 key and used to decrypt sector 55. If the result consists entirely of 0x37 bytes, the key is correct and is used for decryption (the MFT of every encrypted disk is restored and a "Please, reboot your computer!" message is shown). Petya needs no C&C communication: the ID is derived from the Salsa20 key under the operator's master key, so whoever holds the master key can turn the ID back into the Salsa20 key (the master key was later released by the author).
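The sector layout and the key check above, as an added example that is not Petya's own code: a simulated 64-sector disk goes through the setup.dll stage (XORed MBR backup in sector 56, all-0x37 verification sector 55, config in sector 54), the boot-kernel stage (sector 55 and the MFT encrypted with Salsa20, key erased from the config) and the key prompt, which accepts a key only if it decrypts sector 55 back to 0x37 bytes. Standard Salsa20 with a 16-byte key is used; the malware's own modified Salsa20, its loader code, the ID derivation and the real config format are not reproduced, and the config layout, the nonce handling and the MFT position are assumptions.

```python
"""Added example, not Petya's own code: a simulated Petya disk layout and the
boot-stage key check, showing why sector 55 lets the kernel verify a typed-in key
offline. Standard Salsa20 is used; the original's modified Salsa20, loader code and
real config/ID format are not reproduced, and the config layout here is assumed."""
import os
import struct

SECTOR, XOR_KEY, MASK = 512, 0x37, 0xFFFFFFFF
SEC_CONFIG, SEC_VERIFY, SEC_MBR_BACKUP = 54, 55, 56
MFT_SECTORS = range(60, 64)   # stand-in for where the $MFT lives (assumed)
VERIFY_PLAIN = bytes([XOR_KEY]) * SECTOR

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK

def _qr(a, b, c, d):          # Salsa20 quarterround, per the Salsa20 spec
    b ^= _rotl((a + d) & MASK, 7)
    c ^= _rotl((b + a) & MASK, 9)
    d ^= _rotl((c + b) & MASK, 13)
    a ^= _rotl((d + c) & MASK, 18)
    return a, b, c, d

def salsa20_block(state):
    """Salsa20/20 hash of a 16-word state -> 64 keystream bytes."""
    x = list(state)
    for _ in range(10):       # 10 doublerounds: column round then row round
        x[0], x[4], x[8], x[12] = _qr(x[0], x[4], x[8], x[12])
        x[5], x[9], x[13], x[1] = _qr(x[5], x[9], x[13], x[1])
        x[10], x[14], x[2], x[6] = _qr(x[10], x[14], x[2], x[6])
        x[15], x[3], x[7], x[11] = _qr(x[15], x[3], x[7], x[11])
        x[0], x[1], x[2], x[3] = _qr(x[0], x[1], x[2], x[3])
        x[5], x[6], x[7], x[4] = _qr(x[5], x[6], x[7], x[4])
        x[10], x[11], x[8], x[9] = _qr(x[10], x[11], x[8], x[9])
        x[15], x[12], x[13], x[14] = _qr(x[15], x[12], x[13], x[14])
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(x, state)])

def salsa20_xor(key16, nonce8, data, counter=0):
    """XOR data with the 16-byte-key keystream; counter is offset per sector so
    no keystream is reused across sectors."""
    k, n = struct.unpack("<4I", key16), struct.unpack("<2I", nonce8)
    c = struct.unpack("<4I", b"expand 16-byte k")
    out = bytearray()
    for i in range(0, len(data), 64):
        ctr = counter + i // 64
        st = [c[0], *k, c[1], n[0], n[1], ctr & MASK, ctr >> 32, c[2], *k, c[3]]
        out += bytes(p ^ q for p, q in zip(data[i:i + 64], salsa20_block(st)))
    return bytes(out)

# Raw sector I/O on a bytearray (stands in for CreateFile on the physical drive).
def rd(disk, s):
    return bytes(disk[s * SECTOR:(s + 1) * SECTOR])
def wr(disk, s, data):
    disk[s * SECTOR:(s + 1) * SECTOR] = data
def xor37(block):
    return bytes(b ^ XOR_KEY for b in block)

def stage1_install(disk, key16, nonce8):
    """setup.dll before the BSOD: MBR^0x37 -> 56, sectors 1..33 XORed, 55 = 0x37s."""
    wr(disk, SEC_MBR_BACKUP, xor37(rd(disk, 0)))
    for s in range(1, 34):
        wr(disk, s, xor37(rd(disk, s)))
    wr(disk, SEC_VERIFY, VERIFY_PLAIN)
    # assumed config layout: state byte | 16-byte Salsa20 key | 8-byte nonce | padding
    wr(disk, SEC_CONFIG, (b"\x00" + key16 + nonce8).ljust(SECTOR, b"\x00"))

def stage2_boot_encrypt(disk):
    """Boot kernel, state == 0: encrypt 55 and the MFT, set state = 1, erase key."""
    cfg = rd(disk, SEC_CONFIG)
    if cfg[0] != 0:
        return False
    key, nonce = cfg[1:17], cfg[17:25]
    for s in [SEC_VERIFY, *MFT_SECTORS]:
        wr(disk, s, salsa20_xor(key, nonce, rd(disk, s), counter=s * 8))
    wr(disk, SEC_CONFIG, (b"\x01" + bytes(16) + nonce).ljust(SECTOR, b"\x00"))
    return True

def check_key(disk, candidate):
    """Key prompt: decrypt sector 55 with the candidate; accept only if all 0x37."""
    if len(candidate) != 16:
        return False
    nonce = rd(disk, SEC_CONFIG)[17:25]
    plain = salsa20_xor(candidate, nonce, rd(disk, SEC_VERIFY), counter=SEC_VERIFY * 8)
    return plain == VERIFY_PLAIN

def recover(disk, key16):
    """With a verified key: decrypt the MFT, then undo the XOR on sectors 0..33."""
    if not check_key(disk, key16):
        raise ValueError("key rejected by the verification sector")
    nonce = rd(disk, SEC_CONFIG)[17:25]
    for s in MFT_SECTORS:
        wr(disk, s, salsa20_xor(key16, nonce, rd(disk, s), counter=s * 8))
    wr(disk, 0, xor37(rd(disk, SEC_MBR_BACKUP)))
    for s in range(1, 34):
        wr(disk, s, xor37(rd(disk, s)))

def demo():
    """Full cycle on a constructed random disk -> (wrong key ok?, right key ok?, restored?)."""
    key, nonce, disk = os.urandom(16), os.urandom(8), bytearray(os.urandom(64 * SECTOR))
    before = bytes(disk)
    stage1_install(disk, key, nonce)
    stage2_boot_encrypt(disk)
    wrong, right = check_key(disk, bytes(16)), check_key(disk, key)
    recover(disk, key)
    intact = [*range(34), *MFT_SECTORS]
    return wrong, right, all(rd(disk, s) == before[s * SECTOR:(s + 1) * SECTOR] for s in intact)
```

Two points the simulation makes concrete: the verification sector is just a known-plaintext check, so the kernel can accept or reject a key with no network round trip, and the XOR stage is fully reversible as long as sector 56 survives, which is why a live CD taken before the reboot loses nothing.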
The variants are Mischa (green-on-black) and GoldenEye.
On August 30th, 2018, a regional court in Nikopol, Dnipropetrovsk Oblast, Ukraine, sentenced an unnamed Ukrainian citizen to one year in prison after he pleaded guilty to helping Ukrainian companies commit tax fraud with the ransomware.
NotPetya (initially reported as PetrWrap by some vendors) is a destructive wiper variant of Petya. Unlike Petya, which spread through fake job-application e-mails, NotPetya's initial point of entry was the update mechanism of the Ukrainian M.E.Doc accounting software, after which it spread with the EternalBlue and EternalRomance SMB exploits and with stolen credentials. NotPetya also encrypts individual files with AES (AES-128 according to vendor analyses), but its file-encryption routine has a bug that leaves some encrypted files destroyed. NotPetya's DLL is called perfc.dat and is loaded in memory using a trick called RunPE.
A randomly named .tmp file is also created in the Windows folder: a Mimikatz-derived credential-theft module used for spreading. It runs as a separate process and exchanges its results with the NotPetya process over a named pipe.
On a 32-bit OS a 32-bit build of the module is dropped, otherwise a 64-bit build. The module registers as a CNG cryptographic provider, then opens lsass.exe with OpenProcess and looks for two loaded DLLs, wdigest.dll and lsasrv.dll, from whose memory it reads every credential LSASS holds. Passwords are also obtained through the CredEnumerateW function. The results are sent back over the pipe.
Next, dllhost.dat, a renamed copy of the PsExec utility, is dropped and used with the stolen credentials to run perfc.dat inside a rundll32.exe process on every reachable computer. The malware also scans for hosts with TCP ports 445 and 139 open and attacks them with the EternalBlue exploit, and it uses WMI against every computer on the LAN to start the DLL in a rundll32.exe process there.
NotPetya's kernel is stored immediately after the Master Boot Record rather than from sector 34. NotPetya does not use NtRaiseHardError; instead it reboots with the shutdown /r /f command, scheduled as a task with schtasks and launched through the CreateProcess API. The following command is also run:
cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
This clears the Setup, System, Security and Application event logs and deletes the NTFS USN change journal of the system drive, removing the most obvious forensic traces of the infection.
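The lateral-movement and anti-forensic command lines described in this section are all visible in process-creation telemetry. The following is an added example, not code from the page or from any vendor: a small triage pass over process-creation records that flags rundll32 loading perfc.dat, the renamed PsExec dllhost.dat, remote WMI process creation, the wevtutil/fsutil log wipe and the forced reboot, and scores each host by the distinct patterns seen. The records are constructed for this example; the host|user|command record layout, the hostnames, users and severity weights are assumptions.

```python
"""Added example, not code from the page or from any vendor: flag NotPetya-style
command lines in process-creation records. Records, hosts, users and the
'host|user|command' layout are constructed; severity weights are assumptions."""
import re

# (rule name, severity, pattern). wevtutil is scored separately below because
# clearing one log is routine admin work while clearing four at once is not.
RULES = [
    ("rundll32-perfc", 3, re.compile(r"rundll32.*\bperfc\.dat\b", re.I)),
    ("renamed-psexec", 3, re.compile(r"dllhost\.dat\s+\\\\\S+.*-accepteula", re.I)),
    ("wmi-remote-exec", 2, re.compile(r"wmic(?:\.exe)?\s+/node:.*process\s+call\s+create", re.I)),
    ("usn-journal-delete", 3, re.compile(r"fsutil(?:\.exe)?\s+usn\s+deletejournal", re.I)),
    ("forced-reboot", 1, re.compile(r"shutdown(?:\.exe)?\s+(?:/r\s+/f|/f\s+/r)\b", re.I)),
]
WEVTUTIL_CL = re.compile(r"wevtutil(?:\.exe)?\s+cl\s+(\w+)", re.I)


def classify(cmdline):
    """Return {rule: severity} for one command line."""
    hits = {name: sev for name, sev, rx in RULES if rx.search(cmdline)}
    logs = {m.lower() for m in WEVTUTIL_CL.findall(cmdline)}
    if len(logs) >= 3:
        hits["eventlog-wipe"] = 3       # several logs cleared in one go
    elif logs:
        hits["eventlog-clear"] = 1      # single log: low, kept for context
    return hits


def triage(records):
    """Merge hits per host; a host's score is the sum of its distinct rule severities."""
    per_host = {}
    for rec in records:
        host, _user, cmd = rec.split("|", 2)
        per_host.setdefault(host, {}).update(classify(cmd))
    return {h: (sum(r.values()), sorted(r)) for h, r in per_host.items()}


SAMPLE_EVENTS = [  # constructed process-creation records, not real telemetry
    'WS01|CORP\\alice|"C:\\Windows\\System32\\rundll32.exe" C:\\Windows\\perfc.dat,#1 60',
    "WS01|CORP\\alice|C:\\Windows\\dllhost.dat \\\\WS02 -accepteula -s -d "
    "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1 60",
    'WS01|CORP\\alice|wmic.exe /node:"WS03" /user:"CORP\\svc" /password:"x" '
    'process call create "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat #1 60"',
    "WS01|CORP\\alice|cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
    "& wevtutil cl Application & fsutil usn deletejournal /D C:",
    'WS01|CORP\\alice|schtasks /Create /SC once /TN "" /TR "C:\\Windows\\system32\\shutdown.exe /r /f" /ST 14:35',
    "WS09|CORP\\bob|wevtutil cl Application",
    "WS09|CORP\\bob|rundll32.exe shell32.dll,Control_RunDLL",
]

if __name__ == "__main__":
    for host, (score, rules) in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: score {score:2d}  {', '.join(rules)}")
```

The scoring is deliberately per host rather than per event: a single rundll32 or a single cleared log is ambiguous, but the same host launching a renamed PsExec, clearing four logs, deleting the USN journal and scheduling a forced reboot within one window is the pattern worth paging on.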
NotPetya does not derive the user ID from the Salsa20 key; it generates a random one with CryptGenRandom that cannot work. The skull image is absent (it was patched out) and the ransom note was changed. As in the original GoldenEye, sector 33 is used as the verification sector and filled with 0x07 bytes; sector 32 is the configuration sector, and sector 34 holds the MBR XORed with 0x07.
The following file types are encrypted in every folder except WINDOWS, Program Files and %APPDATA%, using the ADVAPI32.DLL cryptographic APIs:
.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip
If NotPetya finds Kaspersky Antivirus processes running, or if the Master Boot Record infection fails (for example because Secure Boot is enabled), it instead overwrites the first 10 sectors of the first hard disk attached to the machine.
Contrary to popular belief, NotPetya was not recompiled from Petya's source code. Like PetrWrap, it is a pirated build that wraps an original binary, but instead of the Green Petya (v2) DLL it reuses GoldenEye's kernel.
PetrWrap is a variant of Petya that does not belong to Janus Cybercrime Solutions and is considered a pirated Petya variant. When run, it sleeps for 5400 seconds (1.5 hours), then decrypts a modified copy of setup.dll from the original Petya ransomware, version 2 (Green Petya, also called Mischa), and loads it in memory.
Its entry point is overwritten with NOPs (opcode 0x90) and two functions in the DLL's .xxxx section, petya_infect and petya_generate_config, are hooked by the wrapper. The function ZuWQdweafdsg345312 is then called and the .xxxx section is decrypted and run as usual. The DLL's key-protection routine is replaced with a new one built from OpenSSL code and with different master keys, which only the PetrWrap authors hold.
petya_infect is modified by the hooking PetrWrap executable. This function writes the Petya kernel to disk and generates the Salsa20 key the kernel uses. PetrWrap saves that key for later and alters the kernel code so that it skips the flashing skull and shows a PetrWrap-defined ransom note that contains no reference to Petya.
petya_generate_config is hooked as well. This function generates the configuration data the Petya kernel uses in the ransom note, such as the user ID and the list of Tor links. PetrWrap changes it so that the ID is produced by a PetrWrap-only cryptographic routine and then replaces the original ID with the new one. These changes alone set this version apart from Petya. It cannot be decrypted without the PetrWrap authors' private key, but it is not a wiper, which makes it a strong ransomware.
While PetrWrap shares actual code with Petya, it also shares its modus operandi with another ransomware family, SamSam / Kazi, an Iranian family of file-encrypting ransomware.
GoldenEye (or commonly known as Yellow Petya) is a variant of Petya. It has its own entry.
Mischa (or commonly known as Green Petya) is a variant of Petya. It has its own entry.
Booting from a live CD after the forced BSOD, before Windows boots again, lets the user recover their files without losing anything: at that point the MFT has not yet been encrypted, and the MBR and sectors 1 to 33 have only been XORed with 0x37, which is trivially reversible (the original MBR sits XORed in sector 56). Powering the computer off as soon as the fake CHKDSK screen appears also limits the damage, because that screen is shown while the MFT encryption is already running.
Petya is very difficult to remove without also reinstalling Windows, unless the user intercepts the fake CHKDSK stage with a live CD.
A decryptor for Petya has been released, but it requires a live CD and a Windows executable. It is recommended to make a dump of the full disk before attempting any recovery.