Acalvio Threat Research Labs
Petya is the most recent ransomware strain. It originated in Ukraine and is spreading across Europe. This blog summarizes our technical analysis of Petya.
In addition to the encryption and ransomware functionality, the Petya malware has very aggressive spreading capabilities. The dropper analyzed was a VB6 packed binary which contains the malicious DLL. All of the functionality is executed from the DLL’s unnamed and only exported function.
All of the file encryption is located in the MBR code. The MBR is overwritten and the old MBR is saved on the physical disk at offset 0x4400 (xor’ed with the single byte 0x07).
Figure 1.0 Code showing writing of MBR
A fixtool could easily clean up the overwritten MBR on any Petya infected machine.
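As an added example that is not part of the Acalvio write-up, the Python script below shows what the core of such a fixtool looks like against a disk image: it reads the sector at offset 0x4400, reverses the 0x07 XOR, checks for the 0x55AA boot signature before writing anything, and puts the sector back at offset 0. The "infected" image is constructed in memory; its layout (a 64 KiB image with a stand-in bootloader in sector 0) is an assumption for the demo, and a real run would work on a forensic copy of the raw physical disk from a clean boot medium. Restoring sector 0 brings back the boot code only; it does not undo anything the malicious bootstrap code already encrypted.

```python
# Added example, not code from the Acalvio write-up: recover the original MBR
# that Petya stashes at byte offset 0x4400 of the physical disk, XOR-encoded
# with the single byte 0x07, and write it back to sector 0. The "infected"
# disk image below is CONSTRUCTED in memory so the script runs offline.
import io

SECTOR = 512
BACKUP_OFFSET = 0x4400        # where the analysis found the saved original MBR
XOR_KEY = 0x07                # single-byte key applied to the saved copy
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR


def decode_backup(sector: bytes) -> bytes:
    """Undo the single-byte XOR applied to the stored MBR copy."""
    return bytes(b ^ XOR_KEY for b in sector)


def recover_mbr(disk) -> bytes:
    """Read the encoded backup from a seekable file-like disk and return the
    decoded original MBR. Raises ValueError when the decoded sector does not
    carry the 0x55AA signature, so a caller never writes garbage to sector 0."""
    disk.seek(BACKUP_OFFSET)
    encoded = disk.read(SECTOR)
    if len(encoded) != SECTOR:
        raise ValueError("disk too small to hold a backup MBR at 0x4400")
    original = decode_backup(encoded)
    if original[510:512] != BOOT_SIGNATURE:
        raise ValueError("decoded sector lacks 0x55AA signature; not a valid MBR")
    return original


def recover_mbr_from_bytes(image: bytes) -> bytes:
    """Convenience wrapper for an in-memory image (e.g. a forensic dd copy)."""
    return recover_mbr(io.BytesIO(image))


def restore_mbr(disk) -> bytes:
    """Validate the backup, write it over sector 0 and return the restored MBR."""
    original = recover_mbr(disk)
    disk.seek(0)
    disk.write(original)
    return original


def build_constructed_infected_image() -> io.BytesIO:
    """Fake 64 KiB disk (assumed layout for the demo): sector 0 holds a stand-in
    for the malicious bootloader, the XOR-encoded clean MBR sits at 0x4400."""
    clean_mbr = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 503 + BOOT_SIGNATURE
    stand_in = b"\xeb\xfe" + b"\x00" * 508 + BOOT_SIGNATURE  # 'jmp $' then padding
    image = bytearray(64 * 1024)
    image[0:SECTOR] = stand_in
    image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR] = bytes(b ^ XOR_KEY for b in clean_mbr)
    return io.BytesIO(image)


def demo() -> bool:
    """Restore the constructed image and report whether sector 0 now holds the
    clean MBR and differs from what was there before."""
    disk = build_constructed_infected_image()
    before = disk.getvalue()[:SECTOR]
    restored = restore_mbr(disk)
    after = disk.getvalue()[:SECTOR]
    return after == restored and before != restored


if __name__ == "__main__":
    print("MBR restored:", demo())
```

The signature check is the important design choice: a tool that blindly XORs and writes sector 0 would destroy the disk on a machine that was never infected, or on a different Petya variant that uses another offset or key.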
The ransomware’s aggressive spreading behavior is performed via the ETERNALBLUE SMB exploit. The binary uses a global object containing dynamically populated entries for attackable targets. This global object is populated by several methods and is used by a thread which enumerates the object, attacking each entry in the object/array synchronously.
Figure 2.0 Target enumeration – WMI network path spread attempt
The malware also attempts to propagate via WMI (presumably network share copy/execute remote task) to adjacent network hosts.
Figure 3.0 Credential harvesting, enumeration of CredEnumerate() function
Credentials for spreading via WMI are obtained via CredEnumerate calls and stored in a global object, which is accessed by the WMI spreading function.
The targets are chosen exhaustively:
- All IP addresses in the current system’s subnet are checked for SMB (ports 139, 445)
- If the system is a domain controller, then for every DHCP subnet configured on the DC, every current DHCP client in that subnet is a target for spreading.
Figure 4.0 Enumeration of DHCP
Every 3 minutes, the network is enumerated for additional targets:
- All connected TCP endpoints in the Windows extended TCP table
- All entries in the Address Resolution Protocol (ARP) mapping table
- All network-adjacent workstations, servers, and primary domain servers visible to the current host become targets for spreading.
Figure 5.0 Code scheduling task to shut down machine
The malware schedules a shutdown task with a countdown timer; when the interval elapses the system is shut down, after the malware has attempted to spread, encrypted filtered files in the filesystem, and overwritten the MBR.
The malware cleans up the event log via a CLI command:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c
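The cleanup command above is a strong detection signal in its own right. As an added example that is not from the Acalvio write-up, the Python below runs a small rule over process-creation records in a constructed key="value" format of my own choosing (the fields mirror what a Sysmon event 1 or Security 4688 forwarder would carry): it flags any wevtutil cl / clear-log invocation, rates clearing the Security log or deleting the USN journal higher, and rates the full chain quoted above highest. The %c in the quoted command is a format specifier the malware fills with a drive letter; the constructed sample substitutes C:. Windows also records log clearing natively (Security event 1102, System event 104), which these command-line matches complement rather than replace.

```python
# Added example, not code from the Acalvio write-up: flag process-creation
# records whose command line matches the anti-forensic cleanup quoted in the
# analysis (wevtutil cl <log> chained with '&', plus fsutil usn deletejournal).
# The records below are CONSTRUCTED in a simple key="value" format.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# 'clear-log' is the long form of 'cl'; matching both avoids a trivial evasion.
CLEAR_LOG_RE = re.compile(
    r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+([A-Za-z0-9_\-/]+)", re.IGNORECASE)
DELETE_USN_RE = re.compile(
    r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    process_id: str
    severity: str
    reason: str


def parse_record(line: str) -> dict:
    """Parse one record of the form key="value" key="value" ... into a dict."""
    return dict(re.findall(r'(\w+)="([^"]*)"', line))


def classify_command(cmdline: str) -> Optional[Tuple[str, str]]:
    """Return (severity, reason) when the command line clears event logs or
    deletes the USN journal, else None. Several logs cleared in one line
    together with the journal wipe is the pattern the write-up describes."""
    cleared = [m.group(1).lower() for m in CLEAR_LOG_RE.finditer(cmdline)]
    wipes_usn = DELETE_USN_RE.search(cmdline) is not None
    if not cleared and not wipes_usn:
        return None
    if wipes_usn and len(cleared) >= 2:
        return ("high", f"clears {len(cleared)} event logs and deletes the USN journal")
    if wipes_usn:
        return ("medium", "deletes the USN journal")
    if "security" in cleared:
        return ("medium", "clears the Security log")
    return ("low", "clears event log(s): " + ", ".join(cleared))


def scan(records: List[str]) -> List[Finding]:
    """Apply classify_command to every record and collect the findings."""
    findings = []
    for line in records:
        rec = parse_record(line)
        verdict = classify_command(rec.get("CommandLine", ""))
        if verdict is not None:
            findings.append(Finding(rec.get("Host", "?"), rec.get("ProcessId", "?"), *verdict))
    return findings


# Constructed sample: two benign records, one admin clearing a single log,
# and the Petya cleanup chain with %c replaced by a drive letter.
SAMPLE_RECORDS = [
    'Host="ws01" ProcessId="4120" Image="C:\\Windows\\System32\\notepad.exe" CommandLine="notepad.exe notes.txt"',
    'Host="ws01" ProcessId="4133" Image="C:\\Windows\\System32\\wevtutil.exe" CommandLine="wevtutil qe System /c:5"',
    'Host="ws02" ProcessId="5010" Image="C:\\Windows\\System32\\wevtutil.exe" CommandLine="wevtutil cl Application"',
    'Host="ws03" ProcessId="2212" Image="C:\\Windows\\System32\\cmd.exe" CommandLine="cmd.exe /c wevtutil cl Setup & '
    'wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D C:"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_RECORDS):
        print(f"[{f.severity}] {f.host} pid={f.process_id}: {f.reason}")
```

Graded severity keeps the rule usable in a real environment: an administrator clearing one log after a migration is a low-priority event worth a look, while four logs plus the USN journal in a single cmd.exe invocation has essentially no legitimate use and should page someone.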
The severity of the infection is multiplied by the lateral movement techniques. Petya is not a new ransomware; however, its spreading techniques greatly increase the damage it can cause. Deception-based detection is designed for timely, accurate and cost-effective detection of ransomware like Petya. To prevent worms like Petya, we recommend not only keeping machines updated with the latest patches but also deploying deception-based detection solutions so that effective remediation steps can be taken in a timely fashion.
IOC of the Analyzed Samples