Back to Home

PETYA malware. Recovery is possible / BI.ZONE Blog

bizone · petya · ransomware

PETYA malware. Recovery is possible


    On June 27, messages began to appear on the network about the rapid spread of malware, the Petya ransomware, which encrypts data on the victim’s computer. The attack was attacked by large corporations in Russia, Ukraine, the EU, the USA and several other countries. BiZone specialists conducted a detailed analysis of the malware. Below are the results of the study, as well as recommendations for its removal from the victim's computer and data recovery.

    Spread


    It is distributed initially in several ways, including as an email attachment (phishing mailing).

    For subsequent distribution within the network uses:
    • Vulnerability MS17-10, as well as WannaCry;
    • Remote access to the WMI console (Windows Management Instrumentation), commands of the form
      wmic.exe /node:"" /user:"" /password:" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1
    • Microsoft's PSEXEC utility (account names and passwords are collected on the infected machine using a utility similar in functionality to the Mimikatz utility; passwords in plain text are obtained by reading the memory of the lsass.exe process.

    Encryption


    To make further analysis difficult, Petya clears the system event logs and the file system log using the command:
    wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:

    The entries in the event logs themselves are not deleted, only a note is made in the header of the journal that it is cleared, records can be restored.

    The system can be encrypted in two different ways:

    1. Encryption of the $ MFT file allocation table (NotPetya)
    The malicious file writes its code in the MBR and the subsequent several sectors (the original MBR is then stored in 34 sectors in encrypted form (xor 0x07)). Next, a system reboot is called (using the “schtasks” and “at” commands) and the next time you turn it on, a screen about the operation of the CHKDSK utility is displayed. Actually, at this moment, $ MFT encryption takes place using the cryptographically strong Salsa20 cipher (the code c is similar to the original Petya). The peculiarity of this method is that the records about files are encrypted, and not the contents of the files themselves. Data recovery is possible.

    Data recovery methods:
    • Manually. You can search for files on a disk by signature, but this method only works for unfragmented files, and the file name is not restored. The next applicable method is to search for file records by the “FILE” signature, obtain a list of clusters belonging to the file, thus restoring the contents and file name. Also, in the course of our research, a method was developed to restore selected files by restoring a non-resident list of sectors belonging to a file (Data Runs). This method is based on the following concept: a cluster is searched containing the beginning of the file (the search is performed by signature), then the number of this cluster is used to search for a non-resident list of sectors belonging to the file. Using the methods described, you can restore large files,
    • Automatic: R-Studio , GetDataBack , etc.
    • MBR recovery is possible with the “bootrec / FixMbr” command before rebooting the system (Vista +, in the case of Windows XP you can use the “fixmbr” command).
    • MBR recovery after reboot, but before encryption. It is necessary to extract the original MBR from 34 sectors (0x4400 offset on the disk, size 0x200) decrypt (xor 0x07) and write to the beginning of the disk.

    2. File Encryption (Misha)
    If it is not possible to obtain privileges in the system for rewriting MBR, files are encrypted without rebooting. List of encrypted file extensions:

    3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip. 

    Decryption methods are currently unknown, it is only possible to restore from backups, for example, from Volume Shadow Copy, Restore points, File History.

    Paying a ransom is not recommended because the mailbox of the attackers was blocked. Currently, the technical feasibility of decrypting data is in doubt, and there are no confirmed cases of successful decryption.

    Why is data recovery possible?


    NotPetya encrypts only the file table, but not the files themselves, so it is possible to recover files after this encryptor. Before encryption, the structure of the file system is as follows:



    At the beginning of the section is the main file table (MFT), which indicates the names of the files and their location. After encryption, all file links in the MFT are encrypted, but the contents of the files remain unchanged:



    Thus, all methods of data recovery based on carving (Carving) continue to work. Also identical MFT records are stored in different parts of the file system. They can fall into the hiberfil.sys file, into the files of directories and MFTmirr, etc. Therefore, having collected all the integral MFT records, it is possible to recover even fragmented files.

    Indicators


    When a system is infected using the PSEXEC software, the following files may be present in the Windows directory:

    «C:\Windows\perfc.dat»
    «C:\Windows\dllhost.dat»

    Recommendations


    1. Install the necessary updates to fix the vulnerability MS17-10 Windows Update
    2. Disable SMB1

    Also, to stop the spread of this malware, it is necessary to block the launch of the PSEXEC.EXE software using local or group security policies on potentially vulnerable machines, and also, if possible, block or disable remote access to WMI.

    The study revealed a feature that allows you to prevent infection through PsExec and WMI. To do this, just create an empty file “C: \ Windows \ perfc”.

    UPD: NotPetya and Misha can act together; starting Misha does not depend on the success of MBR infection. However, in many cases, Misha does not have time to encrypt all files with the listed extensions on the disk.

    When using GPT on the infected computer instead of MBR, NotPetya writes arbitrary data to the place of the first ten sectors, and in this case the partition table will be lost forever. However, in this case, the main file table is not encrypted, and the partition offset can be found by the signature of the NTFS partition (R-Studio automatically performs this task).

    Creating a perfc file prevents infection only if the original Petya executable was called "perfc.dat". In the cases we have studied, this is true, but changing this name is not very difficult, so in the next wave of phishing messages this method may lose effectiveness.

    Read Next