Deconstructing Petya: how it spreads and how to fight back

Editor’s note: Sophos customers can follow the technical updates in this Knowledge Base Article, which includes a list of the variants we’re detecting and blocking.

Since yesterday’s Petya ransomware outbreak, folks have grappled with questions over how it spread and whether or not it represents a sequel to last month’s WannaCry surge.

Sophos researchers have found similarities in how both spread, along with some key differences. They’ve also pieced together the infection and encryption sequence, and protected customers accordingly.

Differences and similarities with WannaCry

Unlike WannaCry, the researchers found no mechanism for spreading across the internet. Like WannaCry, though, it uses the EternalBlue/EternalRomance exploits, which target vulnerable SMB installations, to spread.

But that spread is through internal networks only. Here’s the SMB exploit shellcode for Petya compared with the one for WannaCry:

Exploiting command-line tools

In cases where the SMB exploit fails, Petya tries to spread using PsExec under local user accounts. (PsExec is a command-line tool that allows users to run processes on remote systems.) It also runs a modified mimikatz LSAdump tool that finds all available user credentials in memory.

It attempts to run the Windows Management Instrumentation Command-line (WMIC) to deploy and execute the payload on each known host with relevant credentials. (WMIC is a scripting interface that simplifies the use of Windows Management Instrumentation (WMI) and systems managed through it.)

By using the WMIC/PsExec/LSAdump hacking techniques, attackers can infect fully patched PCs found on local networks, including Windows 10.
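The PsExec and WMIC lateral movement described above leaves traces in process-creation telemetry (Sysmon Event ID 1 or Windows Security event 4688). The following detection logic is an added example, not code from Sophos or from this post: it runs four simple rules over a handful of constructed process-creation records and groups the hits per host. The sample events, host names, paths and command lines are all invented; the forced-reboot rule assumes the restart is triggered through a `shutdown /r` command, which the post does not state.

```python
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class ProcEvent:
    """One process-creation record (Sysmon Event ID 1 / Security 4688 style)."""
    host: str
    user: str
    image: str          # full path of the new process
    cmdline: str
    parent_image: str   # full path of the parent process


# Constructed sample events; illustrative only, not telemetry from the outbreak.
SAMPLE_EVENTS = [
    ProcEvent("WS01", "CORP\\alice", r"C:\Windows\System32\notepad.exe",
              "notepad.exe report.txt", r"C:\Windows\explorer.exe"),
    # PsExec pushed from WS01 to WS02 with a copied DLL
    ProcEvent("WS01", "CORP\\alice", r"C:\Tools\PsExec.exe",
              r"PsExec.exe \\WS02 -accepteula -s -c C:\Temp\payload.dll",
              r"C:\Windows\System32\cmd.exe"),
    # On the receiving side, the PsExec service spawns the payload
    ProcEvent("WS02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\rundll32.exe",
              r"rundll32.exe C:\Windows\payload.dll,#1", r"C:\Windows\PSEXESVC.exe"),
    # WMIC used to create a process on a third host with harvested credentials
    ProcEvent("WS01", "CORP\\alice", r"C:\Windows\System32\wbem\WMIC.exe",
              r'wmic /node:"WS03" /user:"CORP\admin" process call create "rundll32 C:\Windows\payload.dll,#1"',
              r"C:\Windows\System32\cmd.exe"),
    # Scheduled forced restart on the infected host
    ProcEvent("WS02", "NT AUTHORITY\\SYSTEM", r"C:\Windows\System32\schtasks.exe",
              r'schtasks /Create /SC once /TN Rst /TR "shutdown.exe /r /f" /ST 14:35',
              r"C:\Windows\System32\rundll32.exe"),
]


def _name(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


Rule = Tuple[str, Callable[[ProcEvent], bool]]

RULES: List[Rule] = [
    # PsExec launched against a remote host (UNC target in the command line)
    ("psexec_remote_exec",
     lambda e: _name(e.image) in ("psexec.exe", "psexec64.exe") and "\\\\" in e.cmdline),
    # Anything spawned by the PsExec service on the receiving side
    ("psexesvc_child",
     lambda e: _name(e.parent_image) == "psexesvc.exe"),
    # WMIC asked to create a process on another node
    ("wmic_remote_process_create",
     lambda e: _name(e.image) == "wmic.exe"
     and re.search(r"/node:", e.cmdline, re.I) is not None
     and re.search(r"process\s+call\s+create", e.cmdline, re.I) is not None),
    # A forced restart, whether run directly or via a scheduled task
    ("forced_reboot",
     lambda e: re.search(r"shutdown(\.exe)?\s+.*[/-]r\b", e.cmdline, re.I) is not None),
]


def detect(events: List[ProcEvent]) -> List[Tuple[str, str, str]]:
    """Return (rule, host, cmdline) for every event that matches a rule."""
    hits = []
    for e in events:
        for name, pred in RULES:
            if pred(e):
                hits.append((name, e.host, e.cmdline))
    return hits


def rules_by_host(events: List[ProcEvent]) -> Dict[str, Set[str]]:
    """Group matched rule names per host, so a responder sees which machines
    show both lateral-movement and reboot activity."""
    out: Dict[str, Set[str]] = {}
    for rule, host, _ in detect(events):
        out.setdefault(host, set()).add(rule)
    return out


if __name__ == "__main__":
    for host, rules in sorted(rules_by_host(SAMPLE_EVENTS).items()):
        print(f"{host}: {', '.join(sorted(rules))}")
```

Hosts that show both a lateral-movement rule and the forced-reboot rule are the ones to isolate first; a host that only shows `psexec_remote_exec` may simply be an administrator's workstation, so the per-host grouping matters more than any single hit.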

The attack stage

Once the infection drops, the encryption stage begins. The ransomware scrambles your data files and overwrites the boot sector of your hard disk so that the next time you reboot, the master index of your C: drive will be scrambled too. To add insult to injury – and presumably taking account of the fact that most users only restart occasionally these days – the ransomware automatically forces a reboot after about an hour, thus activating the secondary scrambling process.
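Because the second stage depends on overwriting the boot sector, a defender can baseline the first 512 bytes of the system disk and compare them later, keeping the boot-code region separate from the partition table so a legitimate repartitioning is not mistaken for a replaced bootloader. The following is an added example, not Sophos code: `read_mbr` needs administrator or root rights and is not exercised here, and the baseline and tampered sectors are constructed in memory (a NOP-filled boot code and a single invented partition entry).

```python
import hashlib
import struct
from typing import Dict, List

SECTOR = 512
BOOTCODE_END = 446      # bytes 0..445: boot code
PTABLE_END = 510        # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"


def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw disk, e.g. r'\\.\PhysicalDrive0' on Windows or
    '/dev/sda' on Linux. Requires elevated privileges."""
    with open(device, "rb") as f:
        return f.read(SECTOR)


def fingerprint(sector: bytes) -> Dict[str, object]:
    """Hash the boot code and partition table separately and check the 55AA signature."""
    if len(sector) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(sector)}")
    return {
        "bootcode": hashlib.sha256(sector[:BOOTCODE_END]).hexdigest(),
        "ptable": hashlib.sha256(sector[BOOTCODE_END:PTABLE_END]).hexdigest(),
        "signature_ok": sector[PTABLE_END:] == BOOT_SIGNATURE,
    }


def compare_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return a list of findings; an empty list means the sector is unchanged."""
    b, c = fingerprint(baseline), fingerprint(current)
    findings = []
    if not c["signature_ok"]:
        findings.append("boot_signature_missing")
    if b["bootcode"] != c["bootcode"]:
        findings.append("boot_code_changed")
    if b["ptable"] != c["ptable"]:
        findings.append("partition_table_changed")
    return findings


def _make_sector(fill: int, ptable: bytes) -> bytes:
    """Build a constructed MBR: boot code filled with one byte value + table + signature."""
    return bytes([fill]) * BOOTCODE_END + ptable + BOOT_SIGNATURE


# Constructed partition table: one bootable NTFS (type 0x07) entry starting at
# LBA 2048, the other three entries empty. Values are invented for the example.
_ENTRY = struct.pack("<8BII", 0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF, 2048, 0x0FFFFFFF)
PTABLE = _ENTRY + b"\x00" * 48

BASELINE_MBR = _make_sector(0x90, PTABLE)   # 0x90 (NOP) stands in for real boot code
TAMPERED_MBR = _make_sector(0xCC, PTABLE)   # boot code replaced, partition table kept


def check_device(device: str, baseline: bytes) -> List[str]:
    """Compare the live sector 0 of `device` against a stored baseline."""
    return compare_mbr(baseline, read_mbr(device))


if __name__ == "__main__":
    print("unchanged:", compare_mbr(BASELINE_MBR, BASELINE_MBR))
    print("tampered: ", compare_mbr(BASELINE_MBR, TAMPERED_MBR))
```

Store the baseline fingerprint off the host (on a separate machine or in your asset inventory); a fingerprint kept on the same disk would be scrambled along with everything else once the reboot stage runs.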

The victim knows there’s a problem because the ransom note takes over their screen:

Here’s a closer look at the ransom note:

Pain for the victim is made worse because the mailbox listed for the ransom payment has been shut down. So if the decision is made to pay the ransom, there’s no way to reliably confirm that the payment went through and that a decryption key is coming.

Is there a kill switch?

One of the most-asked questions in the security industry is whether there’s a kill switch to shut down the infection. The answer is yes, but only a local one, as outlined here:

Sophos protection

Customers using Sophos Endpoint Protection are protected against all the recent variants of this ransomware. The first protection was released June 27 at 13:50 UTC and several updates have followed since then to protect against possible future variants.

In addition, customers using Sophos Intercept X were proactively protected with no data encrypted from the moment this new ransomware variant appeared.

Further to that, customers may choose to restrict the use of PsExec and other dual-use administrative tools on their network. Sophos Endpoint Protection provides PUA detection for PsExec and other remote administration programs that don’t need to be available on every PC and to every user.

We’ve created a video to demonstrate how Intercept X works against Petya.

Defensive measures

Though Sophos customers are protected, there are several things users can do to further bolster defenses. For example:

Meantime, to gain a better understanding of threats like this one, we recommend you check out the following resources: