Petya is ransomware for Microsoft Windows with MBR-infection capabilities, created by a malware group called "Janus Cybercrime Solutions". It mostly infects computers in Europe (especially Germany), but has begun to spread into Asia. Some companies are still struggling to replace computers infected with Petya. There are many variants of Petya: the original 2016 variant (standard Petya), Mischa, Mamba and GoldenEye. There is also a 2017 variant, which many security researchers have called NotPetya, along with BadRabbit, PetrWrap and RedEye. NotPetya is actually a wiper and completely destroys the computer.
NotPetya is now considered destructive malware. The user's data is gone unless a backup is present, because the encryption keys are randomly generated and then destroyed. Petya (the 2016 variant), however, can be recovered, as the master key used for encryption was released.
The Petya virus is usually distributed through spam emails containing a Dropbox download link to a file called “application folder-gepackt.exe”.
Petya's core is a DLL file. It can be run by system processes, but mostly it is run by an EXE file created by the virus authors. That EXE arrives in spam messages containing links that download a ZIP archive. The archive contains the trojan's executable file and a JPEG image. The file names are in German (e.g. Bewerbungsunterlagen.PDF.exe) and are made to look like résumés of job candidates, targeting HR staff in German-speaking countries. These EXE files appear with a PDF icon and an Administrator manifest; they are also packed and encrypted in a hard-to-analyze way, which makes the code difficult to detect even by heuristic means.
If these files are run with Administrator privileges, they decrypt themselves, adjust their privileges (enabling SeTcbPrivilege, SeDebugPrivilege and SeShutdownPrivilege with "AdjustTokenPrivileges") and run the "setup.dll" file, the Petya DLL and its core, from memory (RAM) by executing its only exported function, "_ZuWQdweafdsg345312@0". The DLL is written in C and built in Visual Studio. When the DLL runs, it decrypts its ".xxxx" section, embedded in the DLL file as a readable section, and runs the code in it. That code calls the "DeviceIoControl" Windows API against the primary hard drive to obtain the partition style, by parsing the "PARTITION_INFORMATION_EX" structure and the "PartitionStyle" value in it. If the partition style is MBR, the ".xxxx" code encrypts the boot sector (sector 0) with an XOR operation using the key 0x37 and writes the result to sector 56 of the primary hard drive. Every sector from sector 1 to sector 33 is encrypted with the same operation. The Petya code then generates a configuration script, written to sector 54, which the malware uses at the next boot.
Petya then creates the verification sector 55, populated with the repeating byte 0x37, copies the disk's NT signature and the partition table saved from the original MBR into its own first-level loader, writes its first-level malicious code to the boot sector, and writes its second-level code to sectors 34 to 50 (referred to here as the malicious loader, Petya's boot kernel). It then calls the function "NtRaiseHardError", which causes the operating system to generate a BSOD. This routine is not triggered if SeShutdownPrivilege was never enabled; in that case Petya does nothing. The Petya kernel is not encrypted, so its strings are viewable. The "CreateFile" function is used throughout as the raw disk access function against the hard disk.
When "setup.dll" detects a GPT disk, it gets the address of the GPT header, encrypts the GPT header with the 0x37 key and otherwise behaves as it does on MBR-style hard disks. The configuration sector (sector 54) contains a "config.state" field, a "config.mal_urls" field (containing the Tor URLs to show), a "config.ec_data" field (a decryption ID for the user, generated from the Salsa20 key) and a key ("config.salsa_key") for the Salsa20 cipher used in the encryption process of the MBR. ADVAPI32.DLL cryptographic APIs are used, especially "CryptGenRandom" and "CryptAcquireContextA": the first generates cryptographically secure random bytes, and the second initializes a context object used by later cryptographic functions.
When the system boots again, the MBR (sector 0) runs the Petya kernel code present in sectors 34 to 50. The kernel code scans every hard disk present in the machine and checks the "config.state" field in sector 54. If it is set to 1, Petya's skull payload screen is shown. If it is 0, the encryption process begins: a fake CHKDSK dialog is displayed on the screen, the Salsa20 key ("config.salsa_key") is extracted from sector 54, "config.state" is set to 1, and sector 55 is encrypted with the Salsa20 key. Petya's kernel code then searches for the MFT on every connected hard disk; when an MFT is found, it is encrypted with the Salsa20 key. Sector 57 is used as a mark. Then the key in sector 54 is erased and the system reboots (using the BIOS interrupt INT 19).
The Petya payload screen is displayed, using the "config.mal_urls" and "config.ec_data" fields. The trojan then asks for a key, which is verified: if it is 16 bytes long, it is turned into a Salsa20 key and used to decrypt sector 55. If the result is populated by 0x37 bytes, the key is used for the decryption process (the MFT of every encrypted disk is restored and the "Please, reboot your computer!" dialog is shown). C&C communication is not needed by Petya, since the ID can easily be turned into a key by anyone holding the master keys of the encryption process (which the author released later).
The variants are Mischa (green-on-black) and Goldeneye.
On 30 August 2018, a regional court in Nikopol in the Dnipropetrovsk Oblast of Ukraine sentenced an unnamed Ukrainian citizen to one year in prison after he pleaded guilty to having spread a version of Petya online.
NotPetya (also called Petna) is a dangerous wiper variant of Petya that uses the EternalBlue / EternalRomance exploits to spread, unlike Petya, which used fake job emails. NotPetya also encrypts files with AES-256, using a randomly generated key that is never stored. NotPetya's DLL is called "perfc.dat"; it is not loaded in memory but written to the WINDOWS folder and run with the "rundll32.exe" command, with the ordinal "#0" as parameter. A randomly named TMP file is also created in the Temporary folder: the Mimikatz credential theft module used for spreading, which is run with its output piped back to the NotPetya process. If the OS is a 32-bit version, a 32-bit Mimikatz is dropped; otherwise a 64-bit one is dropped. The Mimikatz module becomes a CNG cryptographic trusted provider, then calls "OpenProcess" on "lsass.exe" and looks for two DLLs, "wdigest.dll" and "lsasrv.dll", through which it reads every password LSASS stored. Passwords are also obtained with the "CredEnumerateW" function. The result is piped back.
Afterwards, the "dllhost.dat" file is created and executed as the "PsExec" utility and used on every connected computer to spread; the "perfc.dat" file is deployed as a "rundll32.exe" process. The malware then scans random IPs for ports 445 and 139 to spread with the EternalBlue exploit; WMI is also used against every computer on the LAN to run the DLL there in a "rundll32.exe" process. After every task has completed, the DLL "deletes" itself by overwriting itself with zeroes. NotPetya's kernel is stored right after the MBR, instead of after sector 34. NotPetya doesn't use the "NtRaiseHardError" function; instead it runs the "shutdown /r /f" command through the "CreateProcess" API. This command is also run:
cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:
This destroys the Setup, System, Security and Application logs and the disk's USN journal.
NotPetya doesn't generate the user ID from the Salsa20 key; it generates a random one that doesn't work (using the "CryptGenRandom" API). The skull image is absent (it was patched out, turned into empty lines), and the ransom note "You became victim of the Petya ransomware" is changed to "Oops, your important files are encrypted", with other changes to the note; unlike Petya, NotPetya has no proper decryption routine. It is also called "Petya.EOB!". There are further differences: sector 33 is used as the verification sector and is populated with 0x07 bytes; sector 32 is used as the configuration sector, while sector 34 holds the MBR XOR-encrypted with 0x07.
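As an added example (not code from the article, from Petya or from any recovery tool it cites), the following script checks a raw disk image for both sector layouts described above, Petya's (config 54, verification 55, backup 56, key 0x37) and NotPetya's (config 32, verification 33, backup 34, key 0x07), tells whether the boot-time Salsa20 stage has already run by looking at the verification sector, and recovers the original MBR by undoing the XOR. The sample image, its partition entry and its disk signature are constructed.

```python
"""Checks a raw disk image for the Petya / NotPetya sector layout described in
the article and recovers the original MBR from the XOR-encoded backup sector.
Added example for this article, not Petya code or an existing recovery tool."""
from typing import Optional

SECTOR = 512

# Sector layouts as the article describes them: configuration sector,
# verification sector (filled with the XOR key byte), backup sector
# (original MBR XORed with the key).
LAYOUTS = {
    "Petya (2016)": {"config": 54, "verify": 55, "backup": 56, "key": 0x37},
    "NotPetya":     {"config": 32, "verify": 33, "backup": 34, "key": 0x07},
}


def read_sector(img: bytes, n: int) -> bytes:
    return img[n * SECTOR:(n + 1) * SECTOR]


def xor_bytes(data: bytes, key: int) -> bytes:
    # XOR with a single byte is its own inverse: the same call encodes
    # and recovers.
    return bytes(b ^ key for b in data)


def looks_like_mbr(sec: bytes) -> bool:
    """Plausibility check for a decoded boot sector: a full sector, the
    0x55AA signature, and a boot flag of 0x00 or 0x80 in each partition entry."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    return all(sec[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def analyse(img: bytes) -> Optional[dict]:
    """Return the matching family, the infection stage and the recovered MBR,
    or None when no layout's backup sector decodes to a plausible MBR."""
    for family, lay in LAYOUTS.items():
        mbr = xor_bytes(read_sector(img, lay["backup"]), lay["key"])
        if not looks_like_mbr(mbr):
            continue
        # Before the boot-time stage the verification sector holds only the
        # key byte; the kernel then encrypts it with Salsa20 along with the
        # MFT, so its content tells which stage the disk is in.
        verify = read_sector(img, lay["verify"])
        stage = ("pre-boot (MFT intact)" if verify == bytes([lay["key"]]) * SECTOR
                 else "post-boot (MFT encrypted)")
        return {"family": family, "stage": stage, "original_mbr": mbr}
    return None


def restore_mbr(img: bytes, mbr: bytes) -> bytes:
    """Return a copy of the image with the recovered MBR written to sector 0."""
    return mbr + img[SECTOR:]


def build_sample(family: str = "Petya (2016)", post_boot: bool = False) -> bytes:
    """Constructed 64-sector image: a one-partition MBR moved into the given
    family's layout, with a stub loader left in sector 0."""
    lay = LAYOUTS[family]
    mbr = bytearray(SECTOR)
    mbr[0:3] = b"\xeb\x3c\x90"            # stub boot code (constructed)
    mbr[440:444] = b"\x12\x34\x56\x78"     # NT disk signature (constructed)
    mbr[446:462] = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff,
                          0x00, 0x08, 0x00, 0x00, 0x00, 0xf8, 0x7f, 0x00])
    mbr[510:512] = b"\x55\xaa"
    img = bytearray(SECTOR * 64)
    img[0:SECTOR] = b"\xfa" + bytes(509) + b"\x55\xaa"   # fake first-level loader
    img[lay["backup"] * SECTOR:(lay["backup"] + 1) * SECTOR] = xor_bytes(bytes(mbr), lay["key"])
    verify = bytes(range(256)) * 2 if post_boot else bytes([lay["key"]]) * SECTOR
    img[lay["verify"] * SECTOR:(lay["verify"] + 1) * SECTOR] = verify
    return bytes(img)


if __name__ == "__main__":
    result = analyse(build_sample())
    print(result["family"], "-", result["stage"])
```

A "pre-boot" result is the situation the recovery advice at the end of the article relies on: the MFT is untouched and writing the recovered MBR back over sector 0 of a copy is enough.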
The following file types are encrypted in every folder except WINDOWS, Program Files and AppData, using ADVAPI32.DLL:
.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip
If NotPetya finds Kaspersky Antivirus processes, or if the MBR infection was unsuccessful (for example because of the Secure Boot setting), NotPetya destroys 10 sectors of every hard disk connected to the machine.
BadRabbit (also known as Diskcoder.D) is a Petya variant with EternalRomance spreading capabilities, similar to NotPetya (sharing 27% of its code). It pretends to be an Adobe Flash update and requests Administrator privileges. The main BadRabbit executable is signed with a Symantec certificate and has "Adobe Systems Incorporated" as Publisher and "Adobe® Flash® Player Installer/Uninstaller 27.0 r0" as Program name and description.
If the malware gets the privileges it wants, it adjusts its own privileges (with the "AdjustTokenPrivileges" function) and checks for debugging (with the "IsDebuggerPresent" function, and also by checking the debugging flags in the PEB of the current process). If it detects a typical end-user environment, it launches a spreading thread (which searches for computers vulnerable to the EternalBlue exploit on the 445 and 139 LSASS ports, searches for connected computers to brute-force over SMB with a hard-coded list of users and passwords, and calls the "CredEnumerateW" function in a way that helps the virus spread) and creates the "infpub.dat" file, the BadRabbit main DLL, in the WINDOWS folder. "rundll32.exe" is run against the BadRabbit DLL with the string "#1 15" as parameter.
WMI is also used to spread. The malware also creates the files "cscc.dat" and "dispci.exe". "dispci.exe" is scheduled by the DLL with "schtasks" as a SYSTEM-privileged task called "rhaegal", with an "-id" argument passed to it. It is an EXE file that sends specific IOCTL commands to "cscc.dat" (using the "DeviceIoControl" function) and encrypts the disk. "dispci.exe" has "Microsoft Display Class Installer" as description, "http://diskcryptor.com" as Legal Copyright and "GrayWorm" as Product Name.
"cscc.dat" is then launched as a SYSTEM-privileged service named "Windows Client Side Caching DDriver" using the "CreateServiceW" function; if the function fails, Registry editing is used instead. It is the disk encryption component of the malware; it is legitimate and part of the "DiskCryptor" utility, as is part of "dispci.exe". Two more tasks are created: "viserion", which shuts down the machine (created by "dispci.exe"), and "drogon", which shuts down the machine as well. The "viserion" task is actually a sequence of tasks ("viserion_0", "viserion_1", "viserion_2", ...), created one after another by the malware for unknown reasons, each containing instructions that shut down the PC.
The DLL then runs the "fsutil" and "wevtutil" commands in a way that erases the disk's USN journal and clears the Security, Application and Setup logs (the command "cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:" is run). "drogon", "viserion" and "rhaegal" are Game of Thrones references.
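The host-side traces described for NotPetya and BadRabbit above (the log-clearing command line, rundll32 loading the dropped DLL, the Game of Thrones task names and the forced reboot) can be turned into detection rules over process-creation events. This is an added example, not from the article or its sources; the event lines are constructed, in a simplified Sysmon-style JSON with "Image" and "CommandLine" fields.

```python
"""Detection rules for the host-side traces the article describes for NotPetya
and BadRabbit: event-log clearing, USN journal deletion, rundll32 loading the
dropped DLL, the Game of Thrones task names and the forced reboot.
Added example, not from the article or its sources. Events are constructed,
simplified Sysmon-style JSON objects (one per line) with "Image" and
"CommandLine" fields."""
import json
import re
from typing import List, Tuple

# (rule name, regex applied to the command line); matched case-insensitively.
RULES = [
    ("eventlog_clear", r"\bwevtutil(\.exe)?\s+cl\s+\w+"),
    ("usn_journal_delete", r"\bfsutil(\.exe)?\s+usn\s+deletejournal\b"),
    ("rundll32_dropped_petya_dll",
     r"\brundll32(\.exe)?\s.*\\(perfc|infpub)\.dat\s*,?\s*#\d+"),
    ("badrabbit_schtasks_names",
     r"\bschtasks(\.exe)?\s.*/tn\s+\"?(rhaegal|drogon|viserion(_\d+)?)\b"),
    # Low confidence on its own; corroborates the rules above.
    ("forced_reboot", r"\bshutdown(\.exe)?\s+(/r\s+/f|/f\s+/r)\b"),
]
COMPILED = [(name, re.compile(rx, re.IGNORECASE)) for name, rx in RULES]


def match_event(event: dict) -> List[str]:
    """Names of every rule whose regex matches the event's command line."""
    cmd = event.get("CommandLine", "")
    return [name for name, rx in COMPILED if rx.search(cmd)]


def scan(lines) -> List[Tuple[str, List[str]]]:
    """Return (Image, [rule names]) for each event that triggers a rule."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        names = match_event(event)
        if names:
            hits.append((event.get("Image", "?"), names))
    return hits


# Constructed sample events: four suspicious lines and one benign wevtutil query.
SAMPLE_LOG = r'''
{"EventID": 1, "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\rundll32.exe", "CommandLine": "C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "CommandLine": "schtasks /Create /RU SYSTEM /SC ONCE /TN rhaegal /TR \"C:\\Windows\\dispci.exe -id 1234\" /ST 00:00"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\wevtutil.exe", "CommandLine": "wevtutil qe Security /c:5 /f:text"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\shutdown.exe", "CommandLine": "shutdown /r /f"}
'''

if __name__ == "__main__":
    for image, names in scan(SAMPLE_LOG.splitlines()):
        print(image, "->", ", ".join(names))
```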
The file "xxxx.tmp" is also created: a Mimikatz module used to steal credentials from the machine and spread into the network, in the same way NotPetya uses its Mimikatz module. "dispci.exe" then sends IOCTL commands that make DiskCryptor encrypt the hard disk; the bootloader is therefore not a Petya one but a legitimate, modified DiskCryptor bootloader that runs the BadRabbit kernel (a modified Petya kernel with a different message, different Tor C&C links and different encryption master keys).
"dispci.exe" then restarts the system after a while. The malware then encrypts every file present on every disk connected to the machine, probably with AES in CBC mode (128 used) together with RSA-2048, making them undecryptable. The file "Readme.txt" is placed on every encrypted disk and in every encrypted folder and contains the same message later displayed on screen by the MBR payload. The malware skips the "Windows", "Program Files", "Program Data" and "AppData" folders. The key is randomly generated with the ADVAPI32.DLL API "CryptGenRandom".
The following extensions are encrypted (the ".encrypted" extension is added to encrypted files):
.3ds, .7z, .accdb, .ai, .asm, .asp, .aspx, .avhd, .back, .bak, .bmp, .brw, .c, .cab, .cc, .cer, .cfg, .conf, .cpp, .crt, .cs, .ctl, .cxx, .dbf, .der, .dib, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .hpp, .hxx, .iso, .java, .jfif, .jpe, .jpeg, .jpg, .js, .kdbx, .key, .mail, .mdb, .msg, .nrg, .odc, .odf, .odg, .odi, .odm, .odp, .ods, .odt, .ora, .ost, .ova, .ovf, .p12, .p7b, .p7c, .pdf, .pem, .pfx, .php, .pmf, .png, .ppt, .pptx, .ps1, .pst, .pvi, .py, .pyc, .pyw, .qcow, .qcow2, .rar, .rb, .rtf, .scm, .sln, .sql, .tar, .tib, .tif, .tiff, .vb, .vbox, .vbs, .vcb, .vdi, .vfd, .vhd, .vhdx, .vmc, .vmdk, .vmsd, .vmtm, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xml, .xvd, .zip
There is no fake CHKDSK screen and no skull payload (like NotPetya); a message similar to NotPetya's is displayed on the screen. The "shutdown" command is used in the same way NotPetya uses it, instead of the "NtRaiseHardError" function.
PetrWrap (also called Nyeta) is a variant of Petya. PetrWrap does not belong to Janus Cybercrime Solutions and is considered a Petya offspring. When PetrWrap runs, it sleeps for 5400 seconds (1.5 hours). It then decrypts a modified version of "setup.dll" from the original Petya ransomware, version 3 (Green Petya, also called Mischa). The DLL is loaded in memory, its entry point is overwritten with NOPs (opcode 0x90) and two functions in the DLL's ".xxxx" section ("petya_infect" and "petya_generate_config") are hooked by the malware. Then its "ZuWQdweafdsg345312" function is called, and the same ".xxxx" section is decrypted and run. The DLL's encryption method is replaced with a new one, with routines taken from OpenSSL and different master keys that only the PetrWrap authors own.
The "petya_infect" routine is modified by the hooking PetrWrap EXE. This function injects the Petya kernel into the disk and generates the Salsa20 key used by the kernel. The Salsa20 key that this function generates for the Petya kernel is saved for later, and the kernel code is altered so that it skips the flashing skull and replaces the Petya ransom note with a new, PetrWrap-defined one that contains no Petya reference. The "petya_generate_config" function is modified by the DLL-hooking PetrWrap EXE too. This function generates configuration data for the Petya kernel that is used in the ransom note, such as the user ID and the list of Petya Tor links. PetrWrap alters it so that, after the function has generated an ID, PetrWrap generates a new ID with a PetrWrap-only cryptographic algorithm and replaces the previous ID with it. Only these changes make this version of Petya different. It is undecryptable, but it is not a wiper, which makes it a strong ransomware.
While PetrWrap shares actual code with Petya, it also shares its modus operandi with another ransomware family: Samas, also known as SamSam, Kazi or RDN/Ransom, a family of file-encrypting ransomware.
GoldenEye is a variant of Petya. It has its own entry.
Mischa is a variant of Petya. It has its own entry.
Mamba (also known as HDDCryptor) is a Brazilian variant of Petya. It attacked San Francisco's Municipal Transportation Agency in November 2016 and demanded a $73,000 ransom. In August 2017 the ransomware came back and attacked several corporations in Brazil and Saudi Arabia. Mamba deviates from Phobos, which shares many similarities with Dharma/CrySiS ransomware.
Mamba targets data by taking advantage of the DiskCryptor software, like BadRabbit. Mamba is the only variant that does not deviate from its ancestors.
Mamba drops the files 152.exe or 141.exe on the computer, which carry out the encryption process. Their relevant strings are obfuscated with Base64, making detection and analysis more difficult. These files create the "DC22" folder or the "xampp" folder on the C: drive ("DC22" is a folder created by the DiskCryptor utility; "xampp" mimics an HTML server folder) and place 6 files in it for the encryption process: "dcapi.dll", "dccon.exe", "dcinst.exe", "dcrypt.sys" and "log.txt" (in the "DC22" variant there are more, 10 in total, including "dcrypt.exe", "netpass.exe" and "netpass.txt": "netpass.exe" is a network password stealer, "netpass.txt" contains settings that make it work hidden, and "dcrypt.exe" is an additional DiskCryptor file). "log.txt" contains a log generated by the malware, probably created while the ransomware was built. "dccon.exe" is the DiskCryptor console, used for the last stage of encryption; it has a function that shows the encryption progress if the "–info pt0" argument is passed to it, probably used by the malware author for debugging. "dcrypt.sys" is the DiskCryptor driver; "dcinst.exe", the setup component of DiskCryptor, is used by the malware to launch DiskCryptor against the hard drive; "dcapi.dll" is a legitimate DiskCryptor DLL that contains most DiskCryptor functions and is used to encrypt the HDD. Mamba contains them as unencrypted resources, and also contains the x64 versions (with a "64" prefix at the beginning of the file name).
The malware creates the "mythbusters" user with the password "12345", for unknown purposes, and launches "dcinst.exe" with the "setup" argument; this installs "dcrypt.sys" as the "FltMgr" kernel boot service with "DiskCryptor driver" as description, thus installing the DiskCryptor software on the machine. The "DefragmentService" service is also created with the same driver file but different options (it restarts every second, probably to avoid failures of the DiskCryptor software). After the system reboots, the malware runs and "dccon.exe" is used to encrypt the file system through "DeviceIoControl" calls to the DiskCryptor system driver; "dcapi.dll" is also used by this part of the software. AES is used against the MFT, making the HDD undecryptable. When the driver has completely encrypted the HDD, the DiskCryptor drivers are deleted from the disk, the "mythbusters" user is deleted from the system and the system is forcefully rebooted with the "shutdown /f /r /t 0" command. A new custom Mamba MBR that displays a message is written to the hard disk (the original one is stored on the disk); the entire MFT is completely encrypted. After encrypting the victim's disk, the virus reboots the computer and displays the following message on the boot screen, via the MBR modification:
You are Hacked ! H.D.D. Encrypted , Contact Us For Decryption Key (email@example.com) YOURID: [Victim’s ID]
The victim can enter the decryption password on the boot screen, but needs to obtain one first: victims have to get in touch with the malware authors for information on how to decrypt their data and regain access to the computer. The virus demands a ransom of 1 BTC per host, to be transferred to a provided Bitcoin wallet. After a break of several months, Mamba returned at the end of 2018 and has been actively distributed since. The hackers use a variety of contact addresses and ask for different ransom amounts in their notes.
The latest variant of Mamba uses the ".id[XXXXXX-1130].[firstname.lastname@example.org].mamba" file extension and demands an unspecified amount of Bitcoin, stated once the victim contacts the crooks at the "email@example.com" or "firstname.lastname@example.org" email addresses. Additionally, the hackers offer a free decryption service for 5 files that must not contain important information.
FakeCry is a variant that came together with Petya. It pretends to be WannaCry. It has its own entry.
Booting from a live CD during the Blue Screen allows the user to recover their files without losing anything, because the ransomware has not yet begun encryption. Another way to prevent encryption is to force a shutdown of the computer during the fake CHKDSK screen, before the ransomware begins to encrypt files.
The name "Petya" is a reference to the 1995 James Bond film GoldenEye, wherein Petya is one of the two Soviet weapon satellites which carry a "Goldeneye" – an atomic bomb detonated in low Earth orbit to produce an electromagnetic pulse. A Twitter account that Heise suggested may have belonged to the author of the malware, named "Janus Cybercrime Solutions" after Alec Trevelyan's crime group in GoldenEye, had an avatar with an image of GoldenEye character Boris Grishenko, a Russian hacker and antagonist in the film played by Scottish actor Alan Cumming.
Affected companies and organizations
- Rosneft (Russia)
- A.P. Moller-Maersk (Denmark)
- WPP (United Kingdom)
- Merck & Co.
- Russian banks (Russia)
- Ukraine central bank and power grid (Ukraine)
- Boryspil Airport (Ukraine)
- Saint-Gobain (France)
- Deutsche Post (Germany)
- Metro (Germany)
- Mondelez International (United States)
- Evraz (Russia)
- Norwegian unnamed international company (Norway)
- Mars Inc. (United States)
- Beiersdorf AG (India)
- Reckitt Benckiser (United Kingdom)
- Odessa airport (Ukraine)
- Kiev Metro (Ukraine)
- Interfax (Russia)