Update 6/28/17 19:21 CST: After further analysis of the encryption used by Petya/ExPetr/NotPetya, Kaspersky concludes that “malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.”
On the morning of June 27th, a ransomware variant called Petya started spreading like wildfire globally. Currently there are reports of infections in Russia, Ukraine, India and Europe. It has even hit systems at the Chernobyl nuclear power plant, which has since switched over to manual emergency protocols. Even though we have not yet seen a high infection rate in the US, it is only a matter of time. Petya was originally developed by Janus Cybercrime Solutions in 2015 and sold as RaaS (Ransomware as a Service) via Tor. However, Kaspersky Lab believes that this is new ransomware that has not been seen before, and the firm has dubbed it NotPetya. Today's variant has adopted the NSA exploit EternalBlue, which targets SMBv1 (CVE-2017-0144, fixed by MS17-010 on March 14th), and uses WMI for lateral movement within a network. This may sound familiar, because that is exactly how WannaCry ransomware spread just over a month ago. Unlike WannaCry, Petya does not come with a kill-switch domain. Note that the WMI path does not depend on the SMBv1 bug at all: a host that is fully patched against MS17-010 can still be reached by an infected peer that holds valid credentials for it, which is why the privilege and segmentation steps listed below matter as much as the patch. The initial vector appears to have been a trojanized software update for MeDoc, accounting software from a Ukrainian financial software company.
Petya doesn't encrypt each of your files one by one like other ransomware we have seen; it goes after the Master File Table (MFT), the NTFS index that maps every file name to its location on disk, so the whole volume becomes unreadable even though the data blocks are still there. It first overwrites the Master Boot Record (MBR) with its own bootloader (this variant also encrypts user files of the targeted types listed further down while it still has Windows running) and then forces a blue screen (BSOD) so the machine reboots. On the next boot the malicious bootloader, disguised as a CHKDSK repair, encrypts the MFT; this step is very fast. Once it finishes you will see a message stating the following:
“If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don’t waste your time. Nobody can recover your files without our decryption service.”
The attackers state that to decrypt your files you will need to pay $300 in Bitcoin. However, the German independent email provider Posteo has blocked the attackers' email address, so there is essentially no way of receiving a decryption key even if you pay. In other words, DO NOT PAY! According to @HackerFantastic, your machine is encrypted post reboot. If you are infected, DO NOT power your machine back on; turn it off as soon as possible. If your machine reboots and you see a CHKDSK process running, power off immediately and use another machine or a LiveCD to copy your files off the disk.
For any questions or assistance please contact us.
[.] Petya Email:
[.] Petya Bitcoin Addresses:
[.] Targeted File Types:
[.] Petya Sample Hashes:
[.] Petya IoC IPs:
[.] What to do to avoid getting infected?
- Apply the MS17-010 patches (March 14th security update) on every Windows host, including ones you consider isolated
- Disable SMBv1 (the protocol EternalBlue exploits; nothing modern needs it)
- Disable WMIC where it is not needed, and block inbound WMI between workstations
- Ensure all critical systems are fully backed up, with at least one copy offline
- Network segmentation: workstations should not be able to reach each other over SMB (TCP 445)
- Limit user privileges, because the WMI path works with whatever credentials the infected host holds
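The following PowerShell script is an added example, not code from the original post or from any vendor, that audits the first three items of the list above on a single Windows host and, with the -Remediate switch, applies the SMBv1 and inbound-firewall changes. It assumes an elevated PowerShell 3.0 or later session. The KB numbers are the March 2017 MS17-010 packages; on Windows 10, later cumulative updates supersede them, so an empty match there is not proof that the host is unpatched. The firewall rule name is chosen for this example.

```powershell
<#
  Added audit/hardening example (not part of the original post).
  Reports MS17-010 and SMBv1 state; with -Remediate it disables SMBv1 and
  blocks inbound SMB and WMI. Run as Administrator, PowerShell 3.0+.
#>
[CmdletBinding()]
param(
    [switch]$Remediate   # without this switch the script only reports
)

# MS17-010 packages per OS family (security-only and monthly rollup), plus the
# out-of-band package Microsoft released for XP / Server 2003 / Vista / 2008.
# On Windows 10 a later cumulative update replaces these, so treat a miss there
# as "verify via WSUS/SCCM or srv.sys version", not as "unpatched".
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2
    'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',               # Server 2012
    'KB4012606', 'KB4013198', 'KB4013429',  # Windows 10 1507 / 1511 / 1607
    'KB4012598'                             # Vista / 2008 / XP / 2003
)

function Test-Ms17010 {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($installed | Where-Object { $ms17010Kbs -contains $_ })
    $detail = if ($found.Count -gt 0) { $found -join ',' }
              else { 'no March 2017 MS17-010 KB listed (may be superseded on Windows 10)' }
    [pscustomobject]@{ Check = 'MS17-010 hotfix present'; Result = ($found.Count -gt 0); Detail = $detail }
}

function Test-Smb1 {
    # Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and later;
    # older systems expose the setting only through the LanmanServer registry key,
    # where an absent SMB1 value means SMBv1 is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $enabled = ($null -eq $val) -or ($val -ne 0)
    }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Result = (-not $enabled); Detail = "EnableSMB1Protocol=$enabled" }
}

function Disable-Smb1 {
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        # Microsoft's documented method for Windows 7 / Server 2008 R2
        Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' `
            -Name SMB1 -Type DWord -Value 0 -Force
    }
    # On Windows 8.1 / 10 the SMB1 client and server components can be removed outright.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
    }
}

function Block-LateralMovementInbound {
    # A workstation has no business accepting SMB or WMI from its peers; blocking
    # both inbound removes the EternalBlue and the WMI paths this variant uses.
    # The rule display name is chosen for this example.
    New-NetFirewallRule -DisplayName 'Block inbound SMB (TCP 445) - Petya mitigation' `
        -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    Disable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue
}

$results = @((Test-Ms17010), (Test-Smb1))
$results | Format-Table -AutoSize

if ($Remediate) {
    if (-not (Test-Smb1).Result) { Disable-Smb1 }
    Block-LateralMovementInbound
    Write-Host 'SMBv1 disabled and inbound SMB/WMI blocked; reboot to finish removing the SMB1 feature.'
}
```

Run it once without -Remediate to see the two checks, then with -Remediate on workstations. Servers that still serve SMB to clients keep port 445 open and rely on the patch plus SMBv2/3 instead, and the WMI rule group change should be reverted on hosts your management tooling legitimately reaches over WMI. The MS17-010 check is deliberately conservative: a miss on Windows 10 means "confirm elsewhere", while a miss on Windows 7 / 8.1 / 2012 almost certainly means the host is exploitable.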