Petya Ransomware Analysis


MEDoc, a tax and accounting software package, is used for the initial delivery of Petya into company networks. MEDoc is widely used in Ukraine, which implies that companies in that country were the primary target. After gaining an initial foothold, Petya uses several techniques to propagate through corporate networks.


Petya uses the EternalBlue exploit as one of its propagation methods. It also uses traditional SMB network spreading methods, which means it can propagate within organizations even if they have already patched against EternalBlue.

Not only does it encrypt user data, it also encrypts the master file table (MFT) and overwrites the master boot record (MBR). Let’s look at the specifics of this attack.

Attack Anatomy

Petya is a worm, which means it can spread by itself. It does so by compiling a list of target computers and spreading to them through two different methods.

Step 1: IP address & Credential Collection

Petya builds a list of IP addresses to spread to, consisting mainly of local area network (LAN) addresses but also some remote IP addresses. The full list is compiled from:

• The IP addresses and DHCP servers of all network adapters;

• All DHCP server clients, if ports 445/139 are accessible;

• If ports 445/139 are accessible, all IP addresses within the subnet as defined by the subnet mask;

• All machines with which the host already has an open network connection;

• All computers in the ARP cache;

• All Active Directory resources;

• All Network Neighborhood server and workstation resources;

• All Windows Credential Manager resources.

Once the list of target computers is established, Petya compiles a list of usernames and passwords that it will use to propagate to those targets. The list is held in memory. To collect credentials, it uses two methods:

• Drops and runs a 32-bit or 64-bit credential dumper;

• Obtains usernames and passwords from Windows Credential Manager.

Step 2: Lateral Movement

Petya uses two main approaches to propagate through networks:

Execution over network shares: It attempts to spread to target machines by copying itself to [COMPUTER NAME]\admin$ using the collected credentials, then executing the copy remotely with either PsExec or the Windows Management Instrumentation Command-line (WMIC). Both are legitimate administration tools.

SMB exploits: It attempts to propagate through variants of the EternalBlue and EternalRomance exploits.

Airgap Defense: Airgap’s Zero Trust Isolation technology blocks unauthorized lateral movement and responds as if none of the other members are present on the network.

Petya checks for the presence of the following processes, used by Norton products and Symantec endpoint security products:

• ns.exe

• ccsvchost.exe

If either is found, Petya does not use the EternalBlue or EternalRomance exploits to propagate.
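The target-list building in Step 1 and the admin$ copy-and-execute behaviour in Step 2 leave a characteristic trace: one host opening administrative shares on many peers within a short window. The following detector is an added example written for this article, not Airgap’s or Petya’s code. It assumes a simplified, constructed log format (`epoch|source|destination|share`), which a real pipeline would populate from Windows Security event 5145 (network share object accessed) or from SMB flow records; the thresholds are illustrative.

```python
"""Detect SMB lateral-movement fan-out from share-access log lines.

Constructed example, not Airgap's or Petya's code. Each line has the format
    <epoch seconds>|<source host>|<destination host>|<share name>
which is an assumption for this example; a real pipeline would derive these
fields from Windows Security event 5145 or from SMB flow records.
"""
from collections import defaultdict

WINDOW_SECONDS = 120   # sliding window in which fan-out is counted
FANOUT_THRESHOLD = 5   # distinct admin-share destinations that trigger an alert
ADMIN_SHARES = {"ADMIN$", "C$"}

# Constructed sample: WS-ACCT-07 reaches admin$ on six peers in 20 seconds;
# WS-HR-02 only reads ordinary file shares.
SAMPLE_LOG = """\
1000|WS-ACCT-07|FS-01|public
1010|WS-ACCT-07|WS-ACCT-01|ADMIN$
1012|WS-ACCT-07|WS-ACCT-02|ADMIN$
1015|WS-ACCT-07|WS-ACCT-03|ADMIN$
1020|WS-ACCT-07|WS-ACCT-04|ADMIN$
1025|WS-ACCT-07|WS-ACCT-05|ADMIN$
1030|WS-ACCT-07|WS-ACCT-06|ADMIN$
1040|WS-HR-02|FS-01|public
1050|WS-HR-02|FS-02|public
5000|WS-ACCT-07|WS-ACCT-09|ADMIN$
"""


def parse_log(text):
    """Parse the constructed format into sorted (ts, src, dst, share) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, share = line.split("|")
        events.append((int(ts), src, dst, share))
    events.sort()
    return events


def detect_fanout(events, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {source: (window_start_ts, destinations)} for every source that
    touched at least `threshold` distinct hosts' administrative shares within
    `window` seconds. The largest qualifying window per source is reported."""
    per_src = defaultdict(list)
    for ts, src, dst, share in events:
        if share.upper() in ADMIN_SHARES:
            per_src[src].append((ts, dst))

    alerts = {}
    for src, hits in per_src.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans at most `window` seconds.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            dsts = {dst for _, dst in hits[start:end + 1]}
            if len(dsts) >= threshold:
                best = alerts.get(src)
                if best is None or len(dsts) > len(best[1]):
                    alerts[src] = (hits[start][0], dsts)
    return alerts


if __name__ == "__main__":
    for src, (ts, dsts) in detect_fanout(parse_log(SAMPLE_LOG)).items():
        print(f"{src}: {len(dsts)} admin-share targets from t={ts}: {sorted(dsts)}")
```

Counting distinct destinations rather than raw connection attempts keeps backup servers and patch-management hosts, which legitimately reach admin$ on many machines, from tripping the rule only by volume; those hosts are better handled with an allow-list of known administrative sources than by raising the threshold.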

Step 3: Preliminary Infection & Installation

Initially, Petya is executed via rundll32.exe. When the DLL is loaded, it first attempts to delete itself from the infected system: it opens the file, overwrites its contents with null bytes, and then removes the file from disk. Overwriting with null bytes is intended to prevent recovery of the file by forensic methods.

Next, it attempts to create the following file as a marker that the machine has already been infected:


Step 4: Master Boot Record Infection & Encryption

Once installed, Petya modifies the Master Boot Record (MBR). This hijacks the normal boot process of the compromised machine at the next system reboot. The modified MBR is used to encrypt the hard disk while displaying a fake CHKDSK screen. It then shows a ransom note to the victim.

MBR modification fails if the threat is executed as a normal user, but the threat would still attempt to propagate through the network.

A system reboot is scheduled at this stage. By scheduling rather than forcing a reboot, Petya gives itself time to propagate to other machines on the network before user-mode encryption takes place.
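Because the MBR is rewritten at this stage but only takes effect at the next reboot, there is a window in which an offline integrity check of the first disk sector can catch the change before the fake CHKDSK screen ever appears. The checker below is an added example written for this article, not Airgap’s or Petya’s code. It assumes the defender keeps a known-good SHA-256 of the bootstrap code area (bytes 0..439 of the MBR) per disk-image baseline; the two 512-byte MBR images it checks are constructed for the example, and the “tampered” filler bytes are not taken from any real loader.

```python
"""Offline integrity check of a raw 512-byte Master Boot Record.

Constructed example, not Airgap's or Petya's code. It assumes the defender
keeps a known-good SHA-256 of the bootstrap code area (bytes 0..439) for each
disk-image baseline; bytes 440..445 (Windows disk signature and padding) are
excluded because they differ per disk. The MBR images below are constructed.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 440           # bootstrap code, before the 4-byte disk signature
PARTITION_TABLE_OFF = 446     # four 16-byte entries
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511


def parse_partition_table(mbr):
    """Return the non-empty partition entries of an MBR as dicts."""
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:
            entries.append({"index": i, "bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return entries


def check_mbr(mbr, baseline_bootstrap_sha256):
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest() != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from baseline")
    if not parse_partition_table(mbr):
        findings.append("partition table is empty")
    return findings


def build_sample_mbr(bootstrap):
    """Constructed 512-byte image: bootstrap padded to 440 bytes, a disk
    signature, one bootable NTFS-type (0x07) partition, and the boot signature."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"  # constructed disk signature
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return code + disk_sig + entry + b"\x00" * 48 + BOOT_SIGNATURE


# Baseline: a standard-looking prologue (xor ax,ax / mov ss,ax / mov sp,7C00h)
# padded with NOPs; constructed, not copied from a real boot sector.
BASELINE_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 16)
BASELINE_SHA256 = hashlib.sha256(BASELINE_MBR[:BOOTSTRAP_LEN]).hexdigest()
# Tampered: same partition table, but the bootstrap code has been replaced
# (constructed filler bytes standing in for a foreign loader).
TAMPERED_MBR = build_sample_mbr(b"\xFA\xEA\x00\x7C\x00\x00" + b"\xCC" * 32)


if __name__ == "__main__":
    # On a live Windows host (as administrator) the first sector can be read with
    # open(r"\\.\PhysicalDrive0", "rb").read(512); on Linux, from /dev/sda.
    for name, image in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(image, BASELINE_SHA256) or ["OK"])
```

Hashing only the bootstrap area means a legitimate partition-table change (resizing a volume) does not raise a finding, while any replacement of the loader does; the partition-table parse is kept as a sanity check because a loader that also wipes the table leaves nothing for the operating system to boot from.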

Step 5: File Encryption Process

Petya implements encryption in two different ways:

• After Petya has propagated to other machines, user-mode encryption takes place: files with particular extensions are encrypted on disk.

• The Master Boot Record (MBR) is updated with a custom loader that loads a CHKDSK simulator. The simulator masks the fact that disk encryption is taking place. This happens after user-mode encryption, so the encryption is twofold: user mode and full disk.

Wiper vs. ransomware

As stated above, Petya’s encryption is twofold. First, different file types are encrypted in user mode after propagation; the file-encryption key is encrypted with an embedded public key, Base64-encoded, and appended to the README.TXT file.

When the system reboots, the compromised MBR is loaded, disk encryption starts, and the victim is shown the ransom note. The “installation key” mentioned in the ransom note is a randomly generated string that is displayed to the victim. A separate, randomly generated Salsa20 key is then used for the disk encryption. Because there is no connection between the “installation key” and the Salsa20 key, it is difficult to decrypt the disk. This shows that Petya is more precisely a wiper than ransomware.

About Airgap Networks

Airgap helps implement comprehensive Zero Trust in minutes without the need for agents, APIs, or forklift upgrades. The patent-pending Zero Trust Isolation platform assures threat propagation protection. Airgap’s solution can be deployed in minutes, not months. Visit airgap.io to learn more or to schedule a demo.



© 2020 Airgap Networks, Inc.
Airgap Networks, Zero Trust Isolation, and Ransomware Kill Switch are or may be registered trademarks of Airgap Networks, Inc. All other marks and names mentioned herein may be trademarks of their respective companies. Airgap Networks has multiple patents pending relating to Zero Trust Isolation technology and the ransomware kill switch.