Petya ransomware variant attacks computers worldwide

Hot on the heels of last month’s WannaCry attack that caught global media attention arrives the latest outbreak of ransomware, which is spreading rapidly across Europe and other continents. The culprit? A new variant of the Petya ransomware family, also known as Petna in IT security circles. For the remainder of the article we will refer to the ransomware simply as Petya.

Spotted earlier this morning, the ransomware hit Ukraine particularly badly, affecting government branches, Kiev airport, the metro system, the state energy provider Ukrenergo, the central bank and even the defunct Chernobyl nuclear power plant.

Further infections have been confirmed by businesses in other parts of Europe, including British ad agency WPP, French construction company Saint-Gobain, Russian oil company Rosneft and Danish shipping giant AP Moller-Maersk. So far, the ransomware infection has been confirmed in more than 14 countries including the US, Mexico, Iran and Brazil; we expect many more countries to be affected.

Perhaps most surprising is the fact that this latest Petya ransomware variant uses the same NSA exploits that allowed WannaCry to infect more than 200,000 computers in May this year. Despite the security patches and advice that followed, it appears many companies did not heed the advice from security experts.

Will this latest ransomware attack be even worse than WannaCry? And what can be done to secure your computers and networks?

Meet Petya Ransomware

In a way, the latest Petya variant seems to be closely related to the existing Petya ransomware family. Petya was first seen spreading at the end of March 2016. What made Petya unique was the implementation of its own little operating system, which it installed and booted instead of Windows so that it could encrypt various critical file system structures on the boot disk during the next restart. The new Petya variant copied this method, and even the code of the Petya operating system, almost completely, but implements its own methods to spread, encrypt files and infect the system.

Following the successful infection of a system, Petya presents a ransom screen, available in English only, asking the victim to pay $300 worth of bitcoins to a wallet connected with a posteo.net address:

Petya ransom note is displayed once the encryption is complete.

At the time of writing, 4 bitcoins have been paid through 45 transactions, netting the ransomware author more than US$ 10,200. While this amount is comparatively small, it is still early and, given the rapid spread, we may see more victims paying up to free their files.

How do you get infected with the Petya ransomware?

The initial wave of Petya infections can be traced back to a hack of the popular Ukrainian accounting software vendor MeDoc. Unknown attackers gained access to the software’s update servers and delivered Petya ransomware as a software update to the company’s clients. Similar methods have been used in the past by ransomware families like XData to start off the initial wave of attacks.

Once a number of systems were infected, Petya was able to spread rapidly from there through the same NSA exploit, leaked by the Shadow Brokers group, that was also used by WannaCry. The exploit, known as ETERNALBLUE, exploits a vulnerability in the Microsoft SMBv1 protocol, allowing an attacker to take control over systems which:

If the ETERNALBLUE exploit is successful, it will install a backdoor on the system which is codenamed DOUBLEPULSAR. DOUBLEPULSAR is used by the malware to send itself to the exploited system and then execute itself.

In addition, Petya also uses various administrative features built into Windows to spread within a compromised network. This means that a single unpatched machine can be enough to get a whole network infected, even if the other machines are fully patched. Petya uses Windows Management Instrumentation (WMI) and the popular tool PsExec, in combination with administrative network shares, to facilitate the lateral spread of the ransomware within the local network.
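The two lateral-movement techniques just described leave traces in the Windows event logs that a defender can hunt for. The following script is an added example, not code from the article or from Emsisoft; it assumes an elevated PowerShell session, that process-creation auditing (event 4688 with the creator process field, Windows 10 / Server 2016 or newer) is enabled for the WMI check, and `$LookbackHours` is a hypothetical parameter.

```powershell
# Added example: look for PsExec- and WMI-style remote execution on this host.
param([int]$LookbackHours = 24)

$since = (Get-Date).AddHours(-$LookbackHours)

# 1. PsExec: by default it registers a service named PSEXESVC on the target,
#    and the Service Control Manager logs every new service as System event 7045.
$psexecHits = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'PSEXESVC' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Technique = 'PsExec service install'
            Detail    = ($_.Message -split "`n" | Where-Object { $_ -match 'Service File Name' }) -join ' '
        }
    }

# 2. WMI: a remote "process call create" spawns the child under WmiPrvSE.exe,
#    which appears as the creator process in Security event 4688
#    (requires process-creation auditing; assumption stated in the lead-in).
$wmiHits = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -match 'Creator Process Name:\s+\S*\\WmiPrvSE\.exe' } |
    ForEach-Object {
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Technique = 'Process spawned by WMI provider host'
            Detail    = ($_.Message -split "`n" | Where-Object { $_ -match 'New Process Name' }) -join ' '
        }
    }

$hits = @($psexecHits) + @($wmiHits) | Sort-Object Time
if ($hits.Count -eq 0) {
    Write-Output "No PsExec or WMI remote-execution indicators in the last $LookbackHours hours."
} else {
    $hits | Format-Table Time, Technique, Detail -AutoSize -Wrap
}
```

Legitimate administration tools produce the same events, so treat a hit as a lead to correlate with the source host and account rather than as proof of infection.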

How does Petya ransomware encrypt your files?

Petya consists of two different ransomware modules. The first module is very similar to classical ransomware families. It encrypts up to the first 1 MB of files with one of the following extensions:

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

To encrypt the files, it uses the AES algorithm with a 128-bit key. That key is then encrypted using an RSA public key embedded within the ransomware executable. More details on how ransomware utilizes RSA and AES to securely encrypt files can be found in our spotlight article about encryption.

The second module was ripped straight out of the Petya ransomware family. It consists of a custom little operating system that is installed to the system’s Master Boot Record (MBR), provided that the system is able to boot via MBR and the ransomware managed to gain the required rights. Once the Petya OS boots, it will locate and encrypt the Master File Table of the boot drive using the Salsa20 stream cipher.

The Master File Table is an internal data structure of the NTFS Windows file system. It essentially keeps track of where exactly on the disk the data for each file is located. In addition, the Petya ransomware OS will also encrypt the first sectors of each file, to prevent file recovery tools from working properly. Without the Master File Table, Windows can’t make sense of the data on the disk, essentially locking the user out of their system completely.

How can I protect myself from Petya ransomware?

Our advice given during the WannaCry attack still holds true in the case of Petya: as an immediate measure, make sure to have the latest security updates installed on your Windows computers and servers. Following the previous ransomware outbreak, Microsoft took the unusual step of releasing security patches for “unsupported systems” such as Windows XP and Windows Server 2003, so even those systems can be patched.

As explained in our ransomware article, the best protection still remains a reliable and proven backup strategy, especially since the encryption used by the Petya ransomware is secure. The only way to get the data back is through the help of the ransomware author or by restoring from backups. Making sure to install critical Windows updates is also a very important step in protecting a system, as Petya’s main infection vector so far is the ETERNALBLUE SMBv1 exploit, which has been patched for several months already.
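Because ETERNALBLUE targets SMBv1, a quick way to reduce exposure beyond patching is to confirm that the SMBv1 server is off. The script below is an added example, not code from the article or from Emsisoft; it assumes an elevated shell on Windows 8 / Server 2012 or newer (where `Get-SmbServerConfiguration` exists), and `-Disable` is a hypothetical switch for this script.

```powershell
# Added example: audit and optionally disable the SMBv1 server on this host.
param([switch]$Disable)

# Registry-backed server setting; takes effect without a reboot.
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is ENABLED on $env:COMPUTERNAME"
    if ($Disable) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        Write-Output "SMBv1 server protocol disabled."
    }
} else {
    Write-Output "SMBv1 server protocol is already disabled on $env:COMPUTERNAME"
}

# On Windows 10 / Server 2016 the SMB1 code is also an optional feature;
# removing it takes both the client and server components off the box (reboot needed).
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    Write-Warning "Optional feature SMB1Protocol is still installed"
    if ($Disable) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        Write-Output "SMB1Protocol feature removal scheduled; reboot to complete."
    }
}

# Patch state: list updates installed since March 2017, when the SMBv1 fix (MS17-010)
# shipped, so the KB for this Windows version can be checked against Microsoft's list.
# The cut-off date is a constructed value for this example.
Get-HotFix | Where-Object { $_.InstalledOn -ge [datetime]'2017-03-01' } |
    Sort-Object InstalledOn | Format-Table HotFixID, Description, InstalledOn -AutoSize
```

Disabling SMBv1 breaks access from very old clients (Windows XP and similar), so check for those dependencies before rolling the change out fleet-wide.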

Apart from regular backups, you will be glad to hear that Emsisoft’s Anti-Ransomware module, part of our Behavior Blocker technology and used by Emsisoft Anti-Malware, has proven to be the next best defense.

Watch the video to see Emsisoft Anti-Malware in action against Petya ransomware:

It catches the ransomware’s attempt to infect the system through the DOUBLEPULSAR backdoor before it can execute, and thus once again keeps our users protected from this and hundreds of other ransomware families without the need for signatures.

Emsisoft Anti-Malware users are protected from Petya ransomware.

We consider ransomware one of the biggest threats of the past year and plan to do our best to continue our excellent track record in the next year, to keep our users as protected as possible.


Categories: Alerts & Outbreaks
Holger :


  • A few days ago, I tried to update my personal computer (Win10). Sadly, the patch failed, and worse I lost all my personal data. However, I have cloud-based backups, as well as Atavi Bookmarks and LastPass (which also holds software keys). I keep backups of my Feedbro RSS feeds and Email via XN Notifier in the cloud as well.

    I am actually loath to attempt another Windows update with this in mind. I am sure not everyone will run into this, but there may be reasons companies haven't updated yet. It almost makes sense for them to change over to Linux, with all the ransomware attacks as of late.

    If I didn't have all the backups of various things, it would have been a complete scrub. I highly recommend others invest time to backup, backup, and backup to Dropbox, Mega, OneDrive, and anything else they can imagine.

    • If everyone massively switches to Linux, then it will appear there too! And while with Windows there is experience in fighting it, there is none there! It is much more reasonable to upgrade to the latest version of Windows. And do not turn off the updates! And do not sit on XP, like those who suffer from this ((

    • Dropbox, Mega, and OneDrive are not backup solutions. If your files get encrypted or deleted, it's only a matter of time when the cloud accounts get the changes as well.

  • I always back up my files on an external HDD. That's the safest thing to do; I have 0 trust in clouds! I highly recommend others to make a backup on an external hard drive. Or if you make one in the cloud, make one on an HDD at least ;-)
    And thank you Emsisoft for being there for us! I am more than happy since I made the decision to rely on you in terms of security :)
    Of course I do run things like AdwCleaner once every 2-3 months, but I haven't had any serious virus problem ever since I've been running Emsisoft Internet Security <3

    • I love these sorts of comments. I trust all of my backup data to a single spinning media device which will be infected if any machine I connect it to is, will be destroyed if I accidentally drop it, and if left connected (as most users do, otherwise they forget to do their backups) will be damaged by the same infection as the PC.
      I distrust 'Clouds', with their high-security storage premises, triple redundancy, dozens (if not hundreds) of dedicated operators monitoring them for security attacks and applying the latest patches, because...
      I'd like to understand people's *reasons* for distrust of cloud backup systems. What exactly are you concerned about? Data theft? The cloud supplier browsing your backed-up data? The cloud supplier going bust? The NSA seeing your emails?

    • We're happy to have you as a loyal customer bialdza.

      And good call regarding the external HDD backup. It's still the best way to prohibit outside access as long as it's disconnected from the computer.

      • Another happy customer here too.. ever since I got Emsisoft Internet Security my computer is back to running lightning fast, compared to when I had Bitdefender installed. It totally screwed up my computer and was annoying as hell with the pop-ups all the time.. I actually still have a subscription for it for like 185 days, but I said heck with that and switched.. I'm a lifelong customer for sure.. I feel totally secure with your protection and also Zemana... thanks Emsisoft

  • I have the portable Emsisoft Emergency Scan Kit and I love it! I use it monthly as a double-check of my existing A/V software. If they both come back clean, then I breathe a sigh of relief. If I weren't poor, I would buy their AV software in an eyeblink.

    • Glad you like our Emsisoft Emergency Kit software. But be aware that it does not have real-time and proactive protection, which is critical to prevent ransomware. Once your files are encrypted, no scan will be able to bring the files back (unless we get lucky and are able to create a decrypter).

      You can try Emsisoft Anti-Malware for 30 days free, and remember that we have a progressive loyalty discount, so you save up to 50% on your annual license. The longer you stay, the less you pay :)

      • Actually I already have anti ransomware software on my PC. That said, if I could afford it, I would buy it in an eyeblink.

  • I have several external backup drives and I "leapfrog" my backups. However, they are always on and connected. Would this make them vulnerable to the encryption? In other words, should I keep them turned off except when I am actually performing a backup?

  • I was a devoted Webroot SA user for over 5 years. But then I tried to take some tests on Stackhackr and Zscaler. They showed me that Webroot doesn't protect me well enough, so the first name I was thinking of was Emsisoft. Because I know it's some of the best protection, and it's lighter than I had thought. It was a toss-up between Kaspersky and Emsi, and I know Kaspersky and wanted to try something new, so Emsi won. I think I have found my new antimalware brand. Great software.
    I'm not so afraid of ransomware. I use Gmail, and I have not had one infected mail yet. But if something came that I should click on, I would delete it right there; still, it's nice to know I have some reasonable protection.