Editor’s note: Sophos customers can follow the technical updates in this Knowledge Base Article, which includes a list of the variants we’re detecting and blocking.
Since yesterday’s Petya ransomware outbreak, folks have grappled with questions over how it spread and whether or not it represents a sequel to last month’s WannaCry surge.
Sophos researchers have found similarities in how both spread, along with some key differences. They’ve also pieced together the infection and encryption sequence, and protected customers accordingly.
Differences and similarities with WannaCry
The researchers found no internet-spreading mechanism, though, like WannaCry, Petya uses the EternalBlue/EternalRomance exploits, which target vulnerable SMB installations, to spread.
But that spread is through internal networks only. Here’s the SMB exploit shellcode for Petya vs the one for WannaCry:
Exploiting command-line tools
In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.
It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.)
By using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10.
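The PsExec, WMIC and LSAdump steps above each leave a recognisable trace on Windows hosts, which is what a defender can hunt for when the SMB exploit itself is blocked or patched. The following is an added example, not Sophos code: it runs a handful of detection rules over a constructed batch of event records (field names are assumptions, modelled loosely on Sysmon process-create and process-access events and on the System log's service-install event). It flags the PSEXESVC service install that PsExec leaves on a target, a `wmic /node:... process call create` launched at a remote host, a command spawned under `WmiPrvSE.exe` on the receiving side, a non-allowlisted process opening LSASS, and one source host fanning WMIC out to several targets.

```python
"""Hunt for the PsExec / WMIC / LSAdump lateral-movement pattern in event records.

Added example, not Sophos code.  Events are plain dicts whose field names are
assumptions for this example (roughly Sysmon ID 1 process-create, Sysmon ID 10
process-access and System log ID 7045 service-install).  All sample events
below are constructed, not real telemetry.
"""
import re
from collections import defaultdict

# "wmic /node:<host> ... process call create ..." is the remote-execution form.
WMIC_REMOTE = re.compile(r'/node:\s*"?([^\s"]+)"?.*\bprocess\s+call\s+create\b',
                         re.IGNORECASE)

# Processes that legitimately read LSASS memory (assumption; tune per estate).
LSASS_ALLOWLIST = {"csrss.exe", "wininit.exe", "svchost.exe", "msmpeng.exe"}

# One source host driving WMIC at this many distinct targets is flagged as fan-out.
FANOUT_THRESHOLD = 3

# Constructed sample: benign admin noise mixed with the spread pattern described above.
SAMPLE_EVENTS = [
    {"host": "WS01", "event_id": 7045, "service_name": "PSEXESVC",
     "image_path": r"%SystemRoot%\PSEXESVC.exe"},
    {"host": "WS01", "event_id": 10, "source_image": r"C:\Users\Public\stage.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"host": "WS01", "event_id": 10, "source_image": r"C:\Windows\System32\svchost.exe",
     "target_image": r"C:\Windows\System32\lsass.exe"},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent_image": r"C:\Users\Public\stage.exe",
     "command_line": r'wmic.exe /node:"WS02" /user:"CORP\svc" process call create "<payload>"'},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent_image": r"C:\Users\Public\stage.exe",
     "command_line": r'wmic.exe /node:WS03 process call create "<payload>"'},
    {"host": "WS01", "event_id": 1, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent_image": r"C:\Users\Public\stage.exe",
     "command_line": r'wmic.exe /node:WS04 process call create "<payload>"'},
    {"host": "WS02", "event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r'cmd.exe /c "<payload>"'},
    {"host": "ADMIN01", "event_id": 1, "image": r"C:\Windows\System32\wbem\wmic.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "command_line": "wmic os get caption"},                  # local query, benign
    {"host": "FS01", "event_id": 7045, "service_name": "BackupAgent",
     "image_path": r"C:\Program Files\Backup\agent.exe"},    # ordinary install, benign
]


def _base(path):
    """Lower-case file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (host, finding, detail) tuples for the suspicious events."""
    findings = []
    wmic_targets = defaultdict(set)
    for ev in events:
        host, eid = ev["host"], ev["event_id"]
        if eid == 7045:
            # PsExec installs its PSEXESVC service on the target before running the command.
            if "psexesvc" in (ev.get("service_name", "") + ev.get("image_path", "")).lower():
                findings.append((host, "psexec_service_install", ev.get("service_name", "")))
        elif eid == 10:
            # Credential dumpers open a handle to LSASS; allow-list the usual readers.
            if _base(ev.get("target_image", "")) == "lsass.exe":
                src = _base(ev.get("source_image", ""))
                if src not in LSASS_ALLOWLIST:
                    findings.append((host, "lsass_access", src))
        elif eid == 1:
            image = _base(ev.get("image", ""))
            parent = _base(ev.get("parent_image", ""))
            match = WMIC_REMOTE.search(ev.get("command_line", ""))
            if image == "wmic.exe" and match:
                target = match.group(1).upper()
                wmic_targets[host].add(target)
                findings.append((host, "wmic_remote_exec", target))
            elif parent == "wmiprvse.exe" and image in {"cmd.exe", "rundll32.exe", "powershell.exe"}:
                # On the receiving side, WMI-launched commands are children of WmiPrvSE.exe.
                findings.append((host, "wmi_spawned_process", image))
    for host, targets in wmic_targets.items():
        if len(targets) >= FANOUT_THRESHOLD:
            findings.append((host, "wmic_fanout", len(targets)))
    return findings


def by_host(findings):
    """Group finding names per host for a quick triage view."""
    grouped = defaultdict(list)
    for host, name, _ in findings:
        grouped[host].append(name)
    return dict(grouped)


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the benign WMIC query on ADMIN01 and the ordinary service install on FS01 produce nothing, while WS01 accumulates the whole chain (service install, LSASS access, three remote WMIC launches and the fan-out summary) and WS02 shows the WMI-spawned command on the receiving end. The allow-list and the fan-out threshold are the two knobs to tune against your own baseline.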
The attack stage
Once the infection drops, the encryption stage begins. The ransomware scrambles your data files and overwrites the boot sector of your hard disk so that the next time you reboot, the master index of your C: drive will be scrambled too. To add insult to injury – and presumably taking account of the fact that most users only restart occasionally these days – the ransomware automatically forces a reboot after about an hour, thus activating the secondary scrambling process.
The victim knows there’s a problem because the ransom note takes over their screen:
Here’s a closer look at the ransom note:
Pain for the victim is made worse because the mailbox listed for the ransom payment has been shut down. So if the decision is made to pay the ransom, there’s no way to reliably confirm that the payment went through and that a decryption key is coming.
Is there a kill switch?
One of the most-asked questions in the security industry is whether there’s a kill switch to shut down the infection. The answer is yes, but only a local one, as outlined here:
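The comment thread further down identifies the local kill switch as a file named `C:\Windows\perfc` (a file, not a folder), whose presence makes the malware skip encryption on that machine only. The routine below is an added example, not Sophos code: it creates that file empty and read-only, is safe to run repeatedly, refuses to proceed if a folder of that name exists (the confusion one commenter raises), and reports whether a host is "vaccinated". The Windows directory is passed as a parameter so the routine can be exercised against a throw-away directory on any OS; only the name `perfc` is supported by this page, and any further names you pass in are your own assumption. It does nothing to stop the worm spreading to other hosts, so it complements patching and PsExec restrictions rather than replacing them.

```python
r"""Create the local 'vaccine' file that the comment thread below identifies.

Added example, not Sophos code.  The comments say the malware checks for a
FILE named C:\Windows\perfc and skips encryption when it exists.  The Windows
directory is a parameter so the routine can be tried against a temporary
directory on any OS.  Only the name "perfc" is supported by the page; any
other names passed in are the caller's own assumption.
"""
import os
import shutil
import stat
import tempfile

VACCINE_NAMES = ("perfc",)


def create_vaccine(windir, names=VACCINE_NAMES):
    """Create each vaccine file (empty, read-only) and report the per-path outcome."""
    outcome = {}
    for name in names:
        path = os.path.join(windir, name)
        if os.path.isdir(path):
            # A folder of that name is not what the malware checks for; refuse
            # rather than silently nest a file inside it.
            outcome[path] = "error: directory exists"
            continue
        if os.path.isfile(path):
            outcome[path] = "already present"
        else:
            with open(path, "xb"):      # exclusive create; empty content is enough
                pass
            outcome[path] = "created"
        # Read-only attribute so the file is not casually replaced or deleted.
        os.chmod(path, stat.S_IREAD)
    return outcome


def is_vaccinated(windir, names=VACCINE_NAMES):
    """True only if every vaccine name exists as a regular file."""
    return all(os.path.isfile(os.path.join(windir, n)) for n in names)


def run_demo():
    """Exercise the routine in a throw-away directory and return what happened."""
    root = tempfile.mkdtemp(prefix="vaccine-demo-")
    try:
        first = create_vaccine(root)
        second = create_vaccine(root)          # second run must be a no-op
        vaccinated = is_vaccinated(root)
        # The folder-vs-file confusion from the comments: a FOLDER named perfc does not count.
        folder_root = os.path.join(root, "other")
        os.makedirs(os.path.join(folder_root, "perfc"))
        folder_case = create_vaccine(folder_root)
        folder_vaccinated = is_vaccinated(folder_root)
    finally:
        # Restore write bits so the read-only files can be removed on every OS.
        for dirpath, _, files in os.walk(root):
            for f in files:
                os.chmod(os.path.join(dirpath, f), stat.S_IREAD | stat.S_IWRITE)
        shutil.rmtree(root)
    return {
        "first": sorted(first.values()),
        "second": sorted(second.values()),
        "vaccinated": vaccinated,
        "folder_case": sorted(folder_case.values()),
        "folder_vaccinated": folder_vaccinated,
    }


if __name__ == "__main__":
    # On a real Windows host, run elevated: create_vaccine(os.environ["SystemRoot"])
    print(run_demo())
```

On a real host the call is `create_vaccine(os.environ["SystemRoot"])` from an elevated prompt, since writing into the Windows directory needs administrator rights; `run_demo()` only shows the behaviour in a temporary directory.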
Customers using Sophos Endpoint Protection are protected against all the recent variants of this ransomware. The first protection was released June 27 at 13:50 UTC and several updates have followed since then to protect against possible future variants.
In addition, customers using Sophos Intercept X were proactively protected with no data encrypted from the moment this new ransomware variant appeared.
Further to that, customers may choose to restrict the use of PsExec and other dual-use administrative tools on their network. Sophos Endpoint Protection provides PUA detection for PsExec and other remote administration programs that don’t need to be available on every PC and to every user.
We’ve created a video to demonstrate how Intercept X works against Petya.
Though Sophos customers are protected, there are several things users can do to further bolster defenses. For example:
- Ensure systems have the latest patches, including the one in Microsoft’s MS17-010 bulletin.
- Consider blocking the Microsoft PsExec tool from running on users’ computers. A version of this tool is used in one of the techniques Petya relies on to spread automatically. You can block it using a product such as Sophos Endpoint Protection.
- Back up regularly and keep a recent backup copy off-site. There are dozens of ways other than ransomware that files can suddenly vanish, such as fire, flood, theft, a dropped laptop or even an accidental delete. Encrypt your backup and you won’t have to worry about the backup device falling into the wrong hands.
- Avoid opening attachments in emails from senders you don’t know, even if you work in HR or accounts and you use attachments a lot in your job.
- Download the free trial of Sophos Intercept X and, for home (non-business) users, register for the free Sophos Home Premium Beta, which prevents ransomware by blocking the unauthorized encryption of files and sectors on your hard disk.
Meantime, to gain a better understanding of threats like this one, we recommend you check out the following resources:
- To defend against ransomware in general, see our article How to stay protected against ransomware
- To get a better understanding of phishing, read our explainer article
- To protect against misleading filenames, tell Explorer to show file extensions
- To learn more about ransomware, listen to our Techknow podcast
- To protect your friends and family against ransomware, try our free Sophos Home for Windows and Mac
6 comments on “Deconstructing Petya: how it spreads and how to fight back”
Do we know any more about the initial attack vector(s)?
Is it by opening a malicious email attachment?
Is it by clicking on a malicious link in an email?
Is it a browser exploit?
I understand the mechanisms and actions involved AFTER it lands on a victim’s machine. I’m just not sure what to tell my users who are getting sick to death of me constantly warning them of threats without more specific information. They’re burning out on this.
We touched on this, so far as one can, in this article:
In short – we’re not sure, but a hacked company download server (or a hacked software update on a company download server) has had fingers pointed at it, all I’m saying.
Thanks… this is getting more frightening by the moment.
C:\Windows\perfc – is perfc a file or a folder? If it’s a folder, “Creating any file under C:\Windows\perfc should prevent the encryption” implies it’s a folder, so we should create a perfc folder and put a random file in it to stop it? It’s confusing.
IIRC the malware checks for a file of the relevant name, so just create a file, e.g. using
Thank you Paul!