Ransomware is a form of malicious software (or malware) that, once it’s taken over your computer, threatens you with harm, usually by denying you access to your data. The attacker demands a ransom from the victim, promising — not always truthfully — to restore access to the data upon payment.
Users are shown instructions for how to pay a fee to get the decryption key. The costs can range from a few hundred dollars to thousands, payable to cybercriminals in Bitcoin.
Infection Flow
This ransomware's entry into systems on a network involves the PsExec tool, an official Microsoft (Sysinternals) utility used to run processes on remote systems. It also uses the EternalBlue exploit, previously used in the WannaCry attack, which targets a vulnerability in Server Message Block (SMB) v1. Once on a system, this Petya variant runs itself through the rundll32.exe process. The actual encryption is then carried out by a file named perfc.dat, located in the Windows folder.
This ransomware then adds a scheduled task that reboots the system after at least an hour. Meanwhile, the Master Boot Record (MBR) is modified so that the encryptor runs at boot and the ransom note is displayed. A fake CHKDSK notice is shown first; this is when the encryption is actually carried out. Unusually for ransomware, it does not change the extensions of encrypted files. More than 60 file extensions are targeted for encryption, and it is worth noting that they are focused on file types used in enterprise settings; images and video files (targeted by other ransomware) are notably absent.
Aside from the use of the EternalBlue exploit, there are other similarities to WannaCry. Like that attack, this Petya variant's ransom process is relatively simple: it also uses a hardcoded Bitcoin address, which makes decryption a much more labor-intensive process for the attackers, since payments cannot be matched to individual victims. This is in contrast to earlier Petya attacks, which had a more developed UI for this process. Each user is asked to pay US$300. As of this writing, approximately US$7,500 had been paid into the Bitcoin address. As with all ransomware attacks, we advise against paying the ransom; this is particularly true in this case, as the email account mentioned in the ransom note is no longer active.
PsExec and Windows Management Instrumentation Command-line (WMIC)
Petya spreads using two legitimate Microsoft tools: PsExec and the Windows Management Instrumentation Command-line (WMIC), an interface that simplifies the use of Windows Management Instrumentation (WMI).
Once it is running, Petya drops psexec.exe as dllhost.dat on the infected machine and copies itself to \\<remote machine name>\admin$\<malware filename> on each target. It then launches the remote copy by running the local dllhost.dat (the renamed PsExec binary) with the following parameters:
dllhost.dat \\<remote machine name> -accepteula -s -d C:\Windows\System32\rundll32 "C:\Windows\<malware filename>",#1 <random number, minimum 10> <enumerated credentials>
Here -accepteula suppresses the PsExec license prompt, -s runs the payload as SYSTEM, -d returns without waiting for it to finish, and #1 tells rundll32 to call the DLL's export at ordinal 1. The enumerated credentials are appended as a list of quoted user:password pairs:
"un1:pw1" "un2:pw2" "un3:pw3" ... "unN:pwN"
If this is unsuccessful, Petya uses WMIC.EXE to execute the file on the remote machine:
%System%\wbem\wmic.exe /node:"<node>" /user:"<user name>" /password:"<password>" process call create "C:\Windows\System32\rundll32 \"C:\Windows\<malware filename>\" #1 <random number, minimum 10> <enumerated credentials>"
Petya uses PsExec or WMIC to spread to other systems within the local network. Only if this portion of the infection chain fails does it fall back to the EternalBlue exploit.
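The two command lines above are what a defender should expect to see in process-creation telemetry. The following is an added example, not code from the original page or from any vendor analysis: it runs a few simple rules over constructed process-creation records modelled on those command lines (the host addresses, account names, passwords and the "perfc.dat" file name are invented for the sample), flags the renamed PsExec, the rundll32 ordinal-1 load of a .dat file and the WMIC remote process creation with inline credentials, and pulls out the sprayed credential pairs so they can be reset.

```python
import re
from typing import Dict, List, Tuple

# Constructed process-creation records modelled on the PsExec and WMIC command lines
# quoted above (fields loosely follow Sysmon Event ID 1). Hosts, users and passwords
# are invented for the example; "perfc.dat" stands in for the malware file name.
SAMPLE_EVENTS: List[Dict[str, str]] = [
    {   # renamed PsExec launching the DLL on a remote host as SYSTEM
        "image": r"C:\Windows\dllhost.dat",
        "cmdline": r'dllhost.dat \\10.0.0.7 -accepteula -s -d C:\Windows\System32\rundll32 '
                   r'"C:\Windows\perfc.dat",#1 30 "corp\jdoe:Winter2017!" "corp\svc_backup:Backup1"',
    },
    {   # WMIC fallback with credentials passed on the command line
        "image": r"C:\Windows\System32\wbem\WMIC.exe",
        "cmdline": r'wmic /node:"10.0.0.8" /user:"corp\jdoe" /password:"Winter2017!" process call create '
                   r'"C:\Windows\System32\rundll32 \"C:\Windows\perfc.dat\" #1 30"',
    },
    {   # benign: the real dllhost.exe COM surrogate
        "image": r"C:\Windows\System32\dllhost.exe",
        "cmdline": r"C:\Windows\System32\dllhost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}",
    },
    {   # benign: local WMIC query by an administrator
        "image": r"C:\Windows\System32\wbem\WMIC.exe",
        "cmdline": r"wmic os get caption",
    },
]

# -accepteula -s -d: suppress the EULA prompt, run as SYSTEM, do not wait for the process
PSEXEC_SWITCHES = re.compile(r"-accepteula\b.*\s-s\b.*\s-d\b", re.IGNORECASE)
UNC_TARGET = re.compile(r"\\\\[\w.\-]+")
# rundll32 loading a .dat file by export ordinal #1 (DLLs are not normally named .dat)
RUNDLL32_DAT_ORDINAL = re.compile(
    r'rundll32(?:\.exe)?\s+\\?"?[^"]+?\.dat\\?"?\s*,?\s*#1\b', re.IGNORECASE)
# WMIC remote process creation with /node, /user and /password on the command line
WMIC_REMOTE_CREATE = re.compile(
    r"wmic(?:\.exe)?\s.*/node:.*/user:.*/password:.*process\s+call\s+create", re.IGNORECASE)
# everything after '#1 <number>' is the list of "user:password" pairs
SPRAY_TAIL = re.compile(r"#1\s+\d+\s+(.*)$")
CRED_PAIR = re.compile(r'"([^"]+?):([^"]+)"')


def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of the rules the record triggers (empty list = nothing suspicious)."""
    cmd = event["cmdline"]
    basename = event["image"].rsplit("\\", 1)[-1].lower()
    hits: List[str] = []
    # PsExec-style switches against a UNC target from a binary not named psexec*.exe
    if PSEXEC_SWITCHES.search(cmd) and UNC_TARGET.search(cmd) and not basename.startswith("psexec"):
        hits.append("renamed_psexec")
    if RUNDLL32_DAT_ORDINAL.search(cmd):
        hits.append("rundll32_ordinal_dat")
    if WMIC_REMOTE_CREATE.search(cmd):
        hits.append("wmic_remote_create_with_creds")
    return hits


def sprayed_credentials(cmdline: str) -> List[Tuple[str, str]]:
    """Pull the quoted "user:password" pairs appended after the '#1 <number>' argument."""
    m = SPRAY_TAIL.search(cmdline)
    return CRED_PAIR.findall(m.group(1)) if m else []


def triage(events: List[Dict[str, str]]) -> List[Tuple[str, List[str]]]:
    """Image path and matched rules for every record that triggered at least one rule."""
    return [(e["image"], classify(e)) for e in events if classify(e)]


if __name__ == "__main__":
    for image, rules in triage(SAMPLE_EVENTS):
        print(f"{image}: {', '.join(rules)}")
    for user, _ in sprayed_credentials(SAMPLE_EVENTS[0]["cmdline"]):
        print(f"credential used for lateral movement, reset it: {user}")
```

The credential pairs are worth extracting because every account that appears in the sprayed list was dumped from a compromised host and must be treated as exposed, whether or not the remote execution succeeded.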
Information Extraction Method
We discovered that this Petya variant uses an advanced method to extract information from the infected system. It makes use of a customized Mimikatz (a legitimate credential-dumping tool) to extract usernames and passwords. The 32-bit and 64-bit Mimikatz executables are encrypted and stored in the resource section of the ransomware. The extraction runs when the main malware process opens a pipe, which the custom Mimikatz writes its results to; the main malware process then reads those results. As mentioned earlier, Petya uses the extracted credentials to spread to other systems within the local network.
Disk Modification Procedure
Before encryption, Petya first modifies the MBR. Initially, the sector after the Volume Boot Record (VBR) is overwritten with the marker 0xBAADF00D, rendering the system unbootable.
It then writes the following sectors:
- Sectors 0 to 18 (disk offsets 0 to 25FFh) are overwritten with its own boot program.
- Sector 32 (disk offsets 4000h to 41FFh) is written with structured random data.
- Sector 33 (disk offsets 4200h to 43FFh) is filled with 07h.
- Sector 34 (disk offsets 4400h to 45FFh) receives the original MBR, XOR-encrypted.
If the above process fails, it instead overwrites sectors 0 to 9 with 0xBAADF00D.
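Because the original MBR is only XOR-encrypted and stored in sector 34, a forensic examiner with a raw image of the disk can check for this layout and get the partition table back without paying. The following is an added example, not code from the original page: it builds a constructed 40-sector disk image with the layout listed above (the 0x07 XOR key used to build the sample is an assumption, chosen only because sector 33 is filled with 07h; the page does not state the key), then reports the layout indicators and recovers the original MBR by brute-forcing the single-byte XOR key against the 0x55AA boot signature and partition-table boot flags, so it works whatever key a given sample used.

```python
import random
from typing import Dict, Optional, Tuple

SECTOR = 512
BOOT_SIG = b"\x55\xAA"   # last two bytes of any valid MBR / VBR
PTABLE = 446             # offset of the four 16-byte partition entries


def read_sector(image: bytes, n: int) -> bytes:
    return image[n * SECTOR:(n + 1) * SECTOR]


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility test: boot signature present and every partition boot flag is 0x00 or 0x80."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    return all(sector[PTABLE + 16 * i] in (0x00, 0x80) for i in range(4))


def recover_original_mbr(image: bytes, sector_no: int = 34) -> Optional[Tuple[int, bytes]]:
    """Brute-force the single-byte XOR key over the given sector and return (key, plaintext)
    for the first candidate that decodes to a plausible MBR, or None if nothing decodes.
    The key is searched rather than assumed because the page does not state it."""
    enc = read_sector(image, sector_no)
    for key in range(256):
        dec = bytes(b ^ key for b in enc)
        if looks_like_mbr(dec):
            return key, dec
    return None


def indicators(image: bytes) -> Dict[str, bool]:
    """Check a raw disk image against the sector layout described above."""
    recovered = recover_original_mbr(image)
    return {
        "sector33_filled_07": read_sector(image, 33) == b"\x07" * SECTOR,
        "original_mbr_recoverable": recovered is not None,
        "sector0_differs_from_original": recovered is not None and read_sector(image, 0) != recovered[1],
    }


def build_sample_image(xor_key: int = 0x07) -> bytes:
    """Construct a 40-sector image with the layout described above (sample data, not a real disk).
    The default XOR key of 0x07 is an assumption made for the sample."""
    original = bytearray(SECTOR)
    original[0:7] = b"\x33\xC0\x8E\xD0\xBC\x00\x7C"   # xor ax,ax / mov ss,ax / mov sp,7C00h
    original[PTABLE] = 0x80                          # first partition bootable
    original[PTABLE + 4] = 0x07                      # partition type: NTFS
    original[510:512] = BOOT_SIG

    image = bytearray(SECTOR * 40)
    # sector 0: stand-in attacker boot program (jmp $ padded with nops); the partition
    # table is kept so the disk still boots into the attacker's code
    attacker_boot = bytearray(b"\xEB\xFE" + b"\x90" * (SECTOR - 4) + BOOT_SIG)
    attacker_boot[PTABLE:510] = original[PTABLE:510]
    image[0:SECTOR] = attacker_boot
    for n in range(1, 19):                           # sectors 1-18: rest of the boot program
        image[n * SECTOR:(n + 1) * SECTOR] = b"\x90" * SECTOR
    rng = random.Random(1)                           # sector 32: random data (seeded for repeatability)
    image[32 * SECTOR:33 * SECTOR] = bytes(rng.getrandbits(8) for _ in range(SECTOR))
    image[33 * SECTOR:34 * SECTOR] = b"\x07" * SECTOR                      # sector 33: 07h fill
    image[34 * SECTOR:35 * SECTOR] = bytes(b ^ xor_key for b in original)  # sector 34: XOR'd MBR
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    print(indicators(img))
    key, mbr = recover_original_mbr(img)
    print(f"XOR key 0x{key:02x}; recovered partition table: {mbr[PTABLE:510].hex()}")
```

Restoring the recovered 512 bytes to sector 0 only undoes the boot-sector damage; the files encrypted by perfc.dat stay encrypted, so this is a recovery aid for the MBR, not a decryptor.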
How to prevent ransomware
- Keep your operating system patched and up to date so there are fewer vulnerabilities to exploit. In particular, apply MS17-010, which closes the SMBv1 flaw that EternalBlue exploits: https://docs.microsoft.com/en-us/security-updates/securitybulletins/2017/ms17-010
- Don’t install software or give it administrative privileges unless you know exactly what it is and what it does.
- Install antivirus software, which detects malicious programs like ransomware as they arrive, and whitelisting software, which prevents unauthorized applications from executing in the first place.
- And, of course, back up your files, frequently and automatically! That won’t stop a malware attack, but it can make the damage caused by one much less significant.
- Disable or block SMBv1. This stops the propagation over SMB but does not remediate a system that is already infected. If SMBv1 must remain enabled for a legacy system, make sure SMBv2 is also enabled and restrict SMBv1 to the hosts that need it.
- Block TCP ports 445 and 139 at the firewall, at the perimeter and, where possible, between workstations, since the malware spreads laterally over SMB.
- Restrict accounts with administrator group access.
- Disable remote desktop access. If it is needed, use a dedicated account whose name is not easily guessed, protected by a strong password.
Best Windows 11 antivirus tools
- Avast Antivirus Business 18.6 and 18.8
- Bitdefender Endpoint Security 6.6
- Bitdefender Endpoint Security Elite 6.6
- F-Secure PSB Computer Protection 18.14 and 18.17
- Kaspersky Endpoint Security 11.0
- Kaspersky Small Office Security 6
- McAfee Endpoint Security 10.6
- Microsoft Windows Defender Antivirus 4.18
- Symantec Endpoint Protection 14.2
- Symantec Endpoint Protection Cloud 22.15
- Trend Micro Office Scan 12.0