CIB-062017: Petya – MBR Ransomware

What is it?

June 27, 2017 – Petya ransomware was detected infecting multiple organizations, government assets and core infrastructure operators across Europe and Asia, as well as certain US-based companies. The ransomware is suspected of using the ETERNALBLUE exploit (CVE-2017-0144) to traverse the network via the Microsoft Windows SMB protocol, similar to WannaCrypt, which caused widespread outages in May 2017.

Petya, also known as Petwrap (suspected to spread through petwrap.dll), is a different breed of ransomware. Unlike other known ransomware infections, which encrypt files within the confines of the operating system, Petya targets the MBR (Master Boot Record) and triggers corruption of the MFT (Master File Table) by replacing specific MBR sectors. It does so after the system is rebooted.

Additionally, apart from the SMB infection, Petya appears to spread internally within the network using WMIC (Windows Management Instrumentation Command-line) and PsExec if the victim has elevated privileges or write privileges on network shares.

Once infected, Petya displays a message similar to the one below –

The victim is asked to send US $300 in Bitcoin to a specific Bitcoin address and then send an e-mail with the victim’s bitcoin wallet ID to wowsmith123456@posteo[.]net to retrieve their individual decryption key.

NOTE: The German email service provider has since disabled the email address, and it is not recommended to transfer bitcoins (as with any ransomware infection).

What do you need to do?

  1. If your endpoint is not managed by your enterprise network administrator, ensure Microsoft Automatic Updates are configured and active. More information here
  2. Apply the security updates in MS17-010.
  3. Ensure your endpoint protection solution is active and up to date.
  4. Create and maintain an effective backup, and verify that the backup solution works by performing periodic restorations. The best defense against ransomware is a good, functional backup.
  5. If you suspect infection, learn how to identify the symptoms and contact us for additional support.

Additional details

On infection, Petya ransomware sets a flag to reboot the device; the actual damage occurs after the reboot. So, if you suspect infection and you are able to prevent the system from restarting, there is a plausible recovery option that is being tested. Please contact us for further details.
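Because the damage described above is done by replacing sectors of the boot record, one thing a responder can do on a system suspected of infection (before it reboots) is compare the current MBR with a baseline captured from a known-good state. The script below is an added example, not code from this advisory or its sources: it parses a 512-byte MBR, hashes the boot code, extracts the partition table and reports what differs from the baseline; the sample sectors are constructed inline, and on a live Windows host the 512 bytes would be read (elevated) from a raw device path such as \\.\PhysicalDrive0, which is an assumption about the deployment rather than something the advisory states.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"  # boot signature expected at bytes 510-511


def build_mbr(boot_code: bytes, entries: list) -> bytes:
    """Assemble a 512-byte MBR: 446 bytes of boot code, up to four 16-byte
    partition entries given as (status, type, lba_start, sectors), and the signature."""
    table = b"".join(struct.pack("<B3xB3xII", *e) for e in entries)
    return boot_code.ljust(446, b"\x00")[:446] + table.ljust(64, b"\x00") + MBR_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a hash of its boot code, the in-use partition
    entries, and whether the 0x55AA signature is intact."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:  # partition type 0x00 marks an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == MBR_SIGNATURE}


def check_against_baseline(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with a parse_mbr() result captured from a
    known-good state. An empty list means nothing changed."""
    current = parse_mbr(sector)
    findings = []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("boot code (bytes 0-445) differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


# Constructed samples: a clean sector with one bootable NTFS-type partition, and a
# sector whose boot code was overwritten while the partition table was left intact.
CLEAN_MBR = build_mbr(b"\xEB\x3C\x90" + b"\x00" * 100, [(0x80, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)
TAMPERED_MBR = build_mbr(b"\xFA\x31\xC0" * 20, [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print(check_against_baseline(CLEAN_MBR, BASELINE))     # []
    print(check_against_baseline(TAMPERED_MBR, BASELINE))  # ['boot code (bytes 0-445) differs from baseline']
```

The baseline should be captured and stored off-host while the machine is known to be clean, since a baseline taken after the boot code has been replaced would simply match the tampered sector.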

Cybercriminals prefer anonymity, but Petya's creators have been very open, sharing the team name, "Janus Cybercrime Solutions", and the project release date, 12th December 2015. They also appear to offer a news feed with updates, including press references about them:


image source: Malwarebytes

NOTE: The impact of Petya on GPT (GUID Partition Table) disks is still unclear; our labs have confirmed the infection on MBR (Master Boot Record) disks at this time.

source: Peer network, GoDarkLabs, PaloAlto, US-CERT, Malwarebytes