Petya Ransomware Outbreak: What You Need to Know

Original author: Rob Sobers
Following last month's massive WannaCry attack, a major incident is now unfolding involving ransomware called NotPetya. Earlier in the day researchers suggested it was a variant of the Petya ransomware, but Kaspersky Lab and other companies reported that, despite the similarities, it is in fact #NotPetya. Whatever its name, here is what you should know.

This malware not only encrypts data for ransom, but also hijacks the computer and blocks access to it entirely by overwriting the master boot record and encrypting the master file table.

Petya uses a fast-spreading propagation mechanism that, like WannaCry, exploits the NSA-attributed EternalBlue vulnerability (MS17-010). Unlike WannaCry, Petya can also spread through Windows Management Instrumentation (WMI) and PsExec (more on this below). Some frightening facts about this new malware:

  • it has no remote kill switch, unlike WannaCry;
  • it is far more sophisticated, with several automatic propagation methods;
  • it renders computers completely unusable.

Several well-known organizations and companies have already been seriously affected, including the Ukrainian government, which has shown a healthy sense of humor.

Infections have been reported all over the world: metro systems, national utilities, banks and international corporations have been hit. The full scope is still unknown, but reports of infected computers and locked-up IT systems keep coming in from industries around the world.

How does Petya spread?


Initially it was believed that Petya gained its foothold in corporate networks through e-mail messages carrying an infected Word attachment that exploits CVE-2017-0199. (If you have installed the Microsoft Office patches, you should be protected against this vector.)

Although phishing is a common initial vector, in this case one of the main sources was MeDoc, a Ukrainian maker of accounting software. MeDoc's software update mechanism was compromised, and the attackers used it to distribute the Petya ransomware. This explains why Ukraine has been hit hardest.

Once a single computer is infected, Petya spreads peer-to-peer to other Windows computers and servers that have not been patched for MS17-010 (the SMB vulnerability everyone was urged to fix during the WannaCry attack). It can also spread via PsExec to the ADMIN$ share, even on fully patched computers. We recently published a detailed tutorial on PsExec and on disabling PowerShell, which is useful here.

The one positive thing in this situation is that the peer-to-peer infection does not appear to go beyond the local network. Petya can move across a local network quite efficiently, but it is unlikely to jump to other networks. According to @MalwareTechBlog, the pizza-loving researcher who became famous for discovering the WannaCry kill switch:

The current Petya attack differs in that it uses the exploit tools only for spreading on the local network and not on the Internet (that is, it is very unlikely that you will be infected if your computer is not on the same network as an infected one). Because networks are finite in size and can be scanned quickly enough, the malware will stop spreading once it has finished scanning the local network. The threat is therefore not ongoing, as it was with WannaCry, which is still spreading (although I have already prevented its activation using the "kill switch").

Detecting PsExec with DatAlert

If you have DatAlert version 6.3.150 or later, you can detect PsExec.exe on Windows file servers as follows:

1. Select Tools -> DatAlert -> DatAlert.

2. Search for "system admin".

3. For each of the rules found (expand the groups to see them), click Edit Rule and select the Enabled checkbox.



If PsExec is detected, DatAlert will raise system administration alerts in the Reconnaissance alert category, for example "System administration tool created or modified" or "An operation on a tool commonly used by system administrators failed".

This should help you detect Petya using PsExec to spread to your file servers. Keep reading, because the rest of this article covers how to prevent the initial infection and stop Petya from spreading to your endpoints.
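If DatAlert is not available, the same signal can be pulled out of the built-in Windows event logs. The following PowerShell is an added example, not part of the original article or of DatAlert: it looks for PsExec-style activity on one host using event 7045 (a service install; PsExec registers a temporary PSEXESVC service on the target), event 4688 (process creation) and event 5140 (access to a network share such as ADMIN$). The event IDs and EventData field names are standard Windows ones; the 24-hour window, and the requirement that process-creation and file-share auditing be enabled for the last two checks, are assumptions.

```powershell
# Added example (not from the original article or from DatAlert): hunt for
# PsExec-style lateral movement on a Windows host using only built-in event logs.
# Assumptions: default System log; Security 4688 (with command-line logging) and
# Security 5140 are only present if the corresponding audit policies are enabled.
function Find-PsExecActivity {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24   # look-back window (assumption)
    )
    $since = (Get-Date).AddHours(-$Hours)

    # Pull the EventData fields of an event into a hashtable keyed by field name.
    function Get-EventData($evt) {
        $data = @{}
        $xml = [xml]$evt.ToXml()
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        return $data
    }

    $hits = New-Object System.Collections.Generic.List[object]
    function Add-Hit($evt, $source, $detail) {
        $hits.Add([pscustomobject]@{
            Time = $evt.TimeCreated; Computer = $evt.MachineName
            Source = $source; Detail = $detail })
    }

    # 1. PsExec installs a temporary service named PSEXESVC on the target; the
    #    Service Control Manager logs that as System event 7045.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; Id = 7045; StartTime = $since } |
      ForEach-Object {
        $d = Get-EventData $_
        if ($d.ServiceName -match 'PSEXESVC' -or $d.ImagePath -match 'PSEXESVC') {
            Add-Hit $_ 'System/7045 service install' "$($d.ServiceName) -> $($d.ImagePath) (account $($d.AccountName))"
        }
      }

    # 2. Process creation (Security 4688): the PsExec client or its service
    #    binary, or any renamed copy run with PsExec's usual "\\target ... -accepteula" form.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 4688; StartTime = $since } |
      ForEach-Object {
        $d = Get-EventData $_
        if ($d.NewProcessName -match 'psexe(c|svc)\.exe$' -or
            $d.CommandLine -match '\\\\\S+\s.*-accepteula') {
            Add-Hit $_ 'Security/4688 process create' "$($d.NewProcessName) $($d.CommandLine) (user $($d.SubjectUserName))"
        }
      }

    # 3. Remote access to ADMIN$ (Security 5140): PsExec copies its service
    #    binary there before starting it, which is how Petya reaches patched hosts.
    Get-WinEvent -ComputerName $ComputerName -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Security'; Id = 5140; StartTime = $since } |
      ForEach-Object {
        $d = Get-EventData $_
        if ($d.ShareName -match 'ADMIN\$$') {
            Add-Hit $_ 'Security/5140 share access' "$($d.ShareName) from $($d.IpAddress) as $($d.SubjectUserName)"
        }
      }

    return $hits | Sort-Object Time
}

# Usage: run elevated on the file server, or point -ComputerName at it.
Find-PsExecActivity -Hours 48 | Format-Table -AutoSize
```

A 7045 hit for PSEXESVC is the strongest indicator on its own; a 5140 hit on ADMIN$ followed within seconds by a 7045 on the same host is the sequence PsExec (and the copy Petya carries) produces, so correlate the two by time before raising an alert. Legitimate administrators also use PsExec, so baseline which source addresses and accounts are expected.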

What does Petya do?


Once NotPetya lands on a computer, it waits about an hour and a half before the attack begins. This delay is most likely used to infect other machines and to make the point of entry harder to identify.

When the wait is over, the following happens:

1. It encrypts the master file table (MFT) on local NTFS volumes.
2. It writes its own boot code into the master boot record of the infected workstation or server.
3. It forces a reboot, locking users out.
4. On boot, it displays a lock screen with the ransom demand (shown below).

All computers in the office are down. Global attack #Ransomware. I hear several other companies have been hit too. Make backups and stay safe. pic.twitter.com/YNctmvdW2I

- Mihir (@mihirmodi) June 27, 2017


By encrypting the master file table, the malware takes the computer out of service until the ransom is paid. Potentially this hurts an organization far more than encrypting some files on a server. In most cases IT staff have to deal with each computer individually; the standard ransomware response of "we'll just restore the files from backup" turns out not to work.

Without remote boot or imaging processes, and with no way to recover the infected computers, the fix may be to rebuild workstations by hand. That is feasible in most cases, but it is very hard and time-consuming for companies with many remote sites. For a shipping company with 600 or more vessels at sea at any given time, it is practically impossible.

As Microsoft noted: "Only if the malware is running with the highest privileges (for example, with SeDebugPrivilege enabled) does it try to overwrite the master boot record code." If the infected user does not have administrator rights on the machine, the malware instead tries to encrypt user files matching a list of targeted file extensions.

It does not add a unique extension to encrypted files (as, for example, .locky does); it encrypts the contents and keeps the original file name and extension.

What to do?


Preventing a Petya infection is very similar to the steps you may already have taken in response to WannaCry:

  • disable SMBv1 while you patch;
  • block TCP port 445 from external connections (and between network segments where possible);
  • install the patches!

Local kill switch

There is also something resembling a local kill switch. If the file %WINDIR%\perfc (no extension) exists on the computer, the ransomware will not run. You can get creative about deploying this file to every workstation in your environment.
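The following PowerShell is an added example, not from the original article: one host-hardening script that applies the three mitigations from the "What to do?" list and creates the kill-switch file. The cmdlets are standard Windows ones. The KB numbers used for the MS17-010 check are deliberately partial (Windows 7 / Server 2008 R2 and Windows 10 1607 only) and the firewall profile selection is an assumption to adapt to your own segmentation; the extra perfc.dat and perfc.dll files go beyond what the article states and are a belt-and-braces measure some responders recommended at the time.

```powershell
# Added example (not from the original article): harden one Windows host against
# Petya/NotPetya propagation and plant the local kill switch. Run elevated.
# Assumptions: KB list is partial; firewall profile choice is site-specific;
# perfc.dat/perfc.dll are an extra precaution beyond the article's perfc.
#Requires -RunAsAdministrator

# 1. Disable SMBv1. Windows 8/2012 and later expose a cmdlet; older systems use
#    the documented LanmanServer registry value (takes effect after a reboot).
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
} else {
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
        -Name SMB1 -Type DWord -Value 0 -Force
}

# 2. Block inbound TCP 445 on the Public and Private profiles (assumption: the
#    host still serves SMB to the domain). Remove -Profile to block it everywhere.
$ruleName = 'Block inbound SMB 445 (NotPetya)'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 445 -Action Block -Profile Public,Private | Out-Null
}

# 3. Check for an MS17-010 update. Only Windows 7 / Server 2008 R2 (KB4012212
#    security-only, KB4012215 rollup) and Windows 10 1607 (KB4013429) are listed;
#    extend for other builds. On Windows 10 any later cumulative update also
#    carries the fix, so a miss here means "verify", not "vulnerable".
$ms17010 = @('KB4012212', 'KB4012215', 'KB4013429')
$installed = Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID }
if ($installed) {
    "MS17-010 present: $($installed.HotFixID -join ', ')"
} else {
    Write-Warning 'No listed MS17-010 update found; verify patch level and patch this host.'
}

# 4. Local kill switch: NotPetya checks for %WINDIR%\perfc and exits if it exists.
#    Create it empty and read-only; perfc.dat/perfc.dll are the extra precaution.
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $path = Join-Path $env:WINDIR $name
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    Set-ItemProperty -Path $path -Name IsReadOnly -Value $true
    "kill-switch file present: $path"
}
```

Push the script out with your usual management channel (Group Policy startup script, SCCM, or PsExec itself if you trust your own copy). The kill-switch file is a stopgap for this one sample; the SMBv1, port-445 and patching steps are what actually remove the propagation path.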

You can also check which endpoint antivirus products detect Petya in the VirusTotal scan results.

The Petya sample obtained by researchers was compiled on June 18.



Should I pay?


The ransom note lists an email address hosted by Posteo (an email provider). Posteo's Abuse and Security team has posted the following update.

They have:

1. Blocked the account.
2. Confirmed that no decryption keys have been sent from the account.
3. Contacted the authorities and offered assistance by all available means.

All of this leads to one conclusion: do not pay the ransom, because you will not receive the decryption keys.

The story continues to evolve, and we will update this note as new information becomes available.
