Deconstructing Petya: how it spreads and how to fight back

Editor’s note: Sophos customers can follow the technical updates in this Knowledge Base Article, which includes a list of the variants we’re detecting and blocking.

Since yesterday’s Petya ransomware outbreak, folks have grappled with questions over how it spread and whether or not it represents a sequel to last month’s WannaCry surge.

Sophos researchers have found similarities in how both spread, along with some key differences. They’ve also pieced together the infection and encryption sequence, and protected customers accordingly.

Differences and similarities with WannaCry

The researchers found no internet-spreading mechanism, though like WannaCry, it uses the EternalBlue/EternalRomance exploits that target vulnerable SMB installations to spread.

But that spread is through internal networks only. Here’s the SMB exploit shellcode for Petya vs the one for WannaCry (click on image to enlarge):

Exploiting command-line tools

In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.

It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.)

By using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10.

The attack stage

Once the infection drops, the encryption stage begins. The ransomware scrambles your data files and overwrites the boot sector of your hard disk so that the next time you reboot, the master index of your C: drive will be scrambled too. To add insult to injury – and presumably taking account of the fact that most users only restart occasionally these days – the ransomware automatically forces a reboot after about an hour, thus activating the secondary scrambling process.

The victim knows there’s a problem because the ransom note takes over their screen (click image to enlarge):

Here’s a closer look at the ransom note:

Pain for the victim is made worse because the mailbox listed for the ransom payment has been shut down. So if the decision is made to pay the ransom, there’s no way to reliably confirm that the payment went through and that a decryption key is coming.

Is there a kill switch?

One of the most-asked questions in the security industry is whether there’s a kill switch to shut down the infection. The answer is yes, but only a local one, as outlined here:

Sophos protection

Customers using Sophos Endpoint Protection are protected against all the recent variants of this ransomware. The first protection was released June 27 at 13:50 UTC and several updates have followed since then to protect against possible future variants.

In addition, customers using Sophos Intercept X were proactively protected with no data encrypted from the moment this new ransomware variant appeared.

Further to that, customers may choose to restrict the use of PsExec and other dual-use administrative tools on their network. Sophos Endpoint Protection provides PUA detection for PsExec and other remote administration programs that don’t need to be available on every PC and to every user.

We’ve created a video to demonstrate how Intercept X works against Petya.

Defensive measures

Though Sophos customers are protected, there are several things users can do to further bolster defenses. For example:

  • Ensure systems have the latest patches, including the one in Microsoft’s MS17-010 bulletin.
  • Consider blocking the Microsoft PsExec tool from running on users’ computers. A version of this tool is used as part of another technique used by Petya to spread automatically. You can block it using a product such as Sophos Endpoint Protection.
  • Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
  • Avoid opening attachments in emails from recipients you don’t know, even if you work in HR or accounts and you use attachments a lot in your job.
  • Download the free trial of Sophos Intercept X and, for home (non-business) users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorized encryption of files and sectors on your hard disk.

Meantime, to gain a better understanding of threats like this one, we recommend you check out the following resources: