Petya Ransomware Recap

Home / Malware / Petya Ransomware Recap

Twitter, news media, and malware researchers were busy the past 30 hours as news of a ransomware variant being identified as Petya (NotPetya) was leveraging ETERNALBLUE to spread similar to how WannaCry ransomware had spread back in May 2017.  While variants of Petya have been seen going back a few months to include code similarities shared with Petrwrap and GoldenEye/Mischa ransomware strains, this quickly spreading variant leveraged a different attack than WannaCry in that it didn’t just attack files based on their extension, but rather attacked the Master File Table (MFT) of the infected system.  Petya works by rebooting the system after its infected it and then encrypts the MFT and overwrites the Master Boot Record (MBR) causing a static ransom message to be displayed against a black backdrop starting with the words “Oops your important files are encrypted.”  The email address that is to be used for communication is was wowsmith123456@posteo.net, but after the ransomware gained some press, posteo made a press release via their blog that they had terminated the account.  The security and malware researcher industry needs to be careful IMHO of hyping this up as similar to WannaCry, organizations likely (largely) haven’t yet patched their systems (ATMs, Point of Sale registers, Kiosks, etc) which largely protects against SMBv1 and ETERNALBLUE’s exploit.  One other interesting thing is that research is pointing to lateral movement of Petya via the Windows Management Instrumentation Command-line (WMIC) as well as PsExec.  While neither is surprising necessarily as a lot of other pieces of malware and ransomware over the years have taken advantage of native tools found within Windows’ based network environments, it is interesting from a security operations and end point monitoring perspective for purposes of creating rules to watch for the particular lateral movements of Petya in combination with its file creation and DLL dropping.