New Petya ransomware: everything you wanted to know (but were afraid to ask)

Whenever a new malware story breaks, lots of questions emerge…

…but some of them are hard to ask!

What if the question seems so obvious that you feel embarrassed not to know the answer?

What if something is really bugging you but the question feels too trivial?

What if there are interesting, even important, details that you never even thought to ask about?

Here you go…

Q. What is this new “Petya” ransomware outbreak?

On 2017-06-27, a new strain of ransomware was reported in numerous disparate organisations in many countries.

This malware has been variously, and somewhat confusingly, referred to as Petya, GoldenEye, WannaCry2, NotPetya, PetrWrap and PetyaWrap.

Sophos detects the main file of this malware by the name Troj/Ransom-EOB, but in this article we will refer to it colloquially as PetyaWrap, because it’s easier to say.

Q. Why the name PetyaWrap?

The heart of this new ransomware is almost identical to an existing ransomware strain from 2016 known as Petya.

Unlike most ransomware, which scrambles your data files but leaves your computer able to boot up into Windows and run your regular apps, Petya scrambles your disk down at the sector level, so that it won’t boot normally at all.

But the PetyaWrap variant does much more than the original Petya ransomware.

PetyaWrap includes a number of other concepts and components plundered from other malware strains, including GoldenEye and WannaCry, all wrapped up into a new ransomware variant.

Thus, PetyaWrap in this article, for clarity.

Q. What malware techniques does PetyaWrap combine?

Like WannaCry, PetyaWrap is a computer worm, meaning that it can spread by itself.

PetyaWrap can copy itself round your network, and then automatically launch those new copies without waiting for users to read emails, open attachments or download files via web links.

Like the GoldenEye ransomware, PetyaWrap encrypts your data files in such a way that only the attackers know the decryption key, so you can’t unscramble the files without their help.

As if that weren’t enough, after spreading and scrambling your data, PetyaWrap does the same as the original Petya malware – it scrambles your disk down at the sector level, so that you can’t access your C: drive at all, even if you plug the disk into another computer.

Q. How does PetyaWrap spread across my network?

Firstly, it borrows from WannaCry by trying to exploit a pair of critical Windows security holes that were stolen from the US National Security Agency (NSA) and leaked by a hacking crew called Shadow Brokers. (The main vulnerability used is commonly known by its original NSA name: ETERNALBLUE.)

If you are patched against WannaCry – Microsoft issued patches that prevented the attack well before WannaCry came out – then you are patched against this part of PetyaWrap.

Secondly, it tries to spread using a popular Windows remote execution tool called PsExec – PetyaWrap has a copy of the PsExec software embedded inside it, so it doesn’t need to download it first.

PsExec is part of Microsoft’s own Sysinternals suite, commonly misused by cybercriminals as a convenient way of moving around inside a network after they’ve got in from the outside.

Note that the PsExec trick won’t work if the infected computer doesn’t have enough account privilege to run commands on the target it’s attacking – a good reason not to use Administrator accounts all the time, no matter how convenient it might be for IT staff.

Thirdly, PetyaWrap snoops around in memory looking for passwords that will boost its access privileges and give it administrative access to other computers on the network.

This password snooping is done using a modified copy of a password-grabbing tool called LSADUMP from the Mimikatz toolkit – as with PsExec, this hacking tool is embedded into the PetyaWrap program, so it doesn’t need to be downloaded first.
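The PsExec spreading trick described above leaves a trace that defenders can look for: PsExec installs a service on every computer it runs commands on. The sketch below is an added example, not part of the original article and not Sophos detection logic. It flags any account that installs that service on several hosts within a few minutes. The records, host names, account names and thresholds are constructed for illustration, and it assumes you already collect Event ID 7045 ("a service was installed") from your endpoints.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, not real telemetry. Each tuple is a simplified
# "service installed" event (Windows System log, Event ID 7045):
# (time, host that logged it, event id, service name, installing account).
# Host and account names are hypothetical.
EVENTS = [
    ("2017-06-27T09:00:00", "WS-101", 7045, "PSEXESVC", "CORP\\it-anna"),
    ("2017-06-27T11:02:10", "WS-014", 7045, "PSEXESVC", "CORP\\svc-backup"),
    ("2017-06-27T11:02:40", "WS-015", 7045, "PSEXESVC", "CORP\\svc-backup"),
    ("2017-06-27T11:03:05", "WS-020", 7045, "PSEXESVC", "CORP\\svc-backup"),
    ("2017-06-27T11:03:30", "WS-020", 7045, "UpdaterSvc", "CORP\\svc-backup"),
    ("2017-06-27T11:04:00", "FS-02", 7045, "PSEXESVC", "CORP\\svc-backup"),
    ("2017-06-27T14:30:00", "WS-102", 7045, "PSEXESVC", "CORP\\it-anna"),
]

# PsExec's default service name. The tool lets the caller choose another
# name, so treat a match as a strong hint rather than a complete detector.
PSEXEC_SERVICE = "PSEXESVC"


def psexec_fanout(events, min_hosts=3, window=timedelta(minutes=10)):
    """Return {account: [hosts]} for accounts that installed the PsExec
    service on at least min_hosts distinct hosts inside one time window."""
    by_account = defaultdict(list)
    for ts, host, event_id, service, account in events:
        if event_id == 7045 and service.upper() == PSEXEC_SERVICE:
            by_account[account].append((datetime.fromisoformat(ts), host))

    alerts = {}
    for account, hits in by_account.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until it spans <= window.
            while hits[end][0] - hits[start][0] > window:
                start += 1
            hosts = {h for _, h in hits[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[account] = sorted(set(alerts.get(account, [])) | hosts)
    return alerts


if __name__ == "__main__":
    for account, hosts in psexec_fanout(EVENTS).items():
        print(f"PsExec fan-out by {account}: {', '.join(hosts)}")
```

An administrator who uses PsExec on one machine in the morning and another in the afternoon stays under the threshold; a worm hopping from host to host does not.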

Q. Is patching against WannaCry enough to be safe?

As explained above, PetyaWrap has three spreading tricks, of which the WannaCry technique is the first one it tries.

If the WannaCry hole is closed, PetyaWrap tries PsExec; if that doesn’t work, it tries LSADUMP and the Windows Management Interface to “manage” your network to your considerable disadvantage.

Treat the WannaCry patches as necessary but not sufficient.

Q. Can Sophos products block the components used by PetyaWrap to spread?

The main PetyaWrap program, which contains the WannaCry-style “worming” code, is blocked as malware: Troj/Ransom-EOB.

The PsExec program for the second spreading trick is blocked as a Potentially Unwanted Application (PUA): PsExec of type Hacktool.

The LSADUMP snooping tool for the third spreading trick is blocked as malware: Troj/Mimikatz-A.

Q. Can Sophos products block the ransomware components if they try to scramble your files and disk?

Sophos Intercept X (and Sophos Home Premium Beta) includes proactive malware-blocking tools that detect, block and repair ransomware activity.

The file-scrambling part of PetyaWrap is detected and blocked by CryptoGuard.

The sector-scrambling part of PetyaWrap is detected and blocked by WipeGuard.

Q. Will I get my data back if I pay the ransom?

We doubt it.

In fact, the email address by which you are supposed to contact the crooks has been suspended, so it’s unlikely you’ll be able to do a deal with them even if you wanted to.

Q. Can PetyaWrap spread across the internet, like WannaCry?

No. And yes.

WannaCry had two spreading functions that ran in parallel: one scoured your LAN trying to spread locally; the other went out looking randomly for new victims on the internet.

PetyaWrap doesn’t explicitly try to find new victims out on the internet, but sticks to your LAN, perhaps in the hope of drawing less attention to itself.

Unfortunately, LANs (short for Local Area Networks) often aren’t truly local any more: they frequently take in outlying offices and remote workers, including contractors.

Of course, some of those remote computers may be part of more than one LAN, meaning that they can act as a “bridge” between two networks, even if they belong to completely different organisations.

In other words, for all that PetyaWrap isn’t programmed to spread purposefully across the internet, it also isn’t programmed to avoid jumping onto someone else’s network if there’s an interconnection.

Importantly, PetyaWrap uses the networking tools built into Windows for its signposts on where to try next – so if you can browse to a partner company’s servers from your computer, or click through to your home computers from work…

…then PetyaWrap can do the same.

Q. How did the PetyaWrap outbreak get started?

We can’t say for sure.

Early on in the outbreak, fingers were pointed at a Ukrainian software company that produces tax accounting software, suggesting that a hack of the company’s update servers may have given the crooks a window of opportunity to push out an initial wave of infections.

Microsoft now claims to have evidence that a hacked version of the company’s autoupdate program might have been connected to an early PetyaWrap outbreak.

Q. Has PetyaWrap appeared in any phishing emails?

We haven’t yet seen any evidence of any phishing emails spreading this ransomware.

But don’t let your guard down!

Phishing emails are one of the most common conduits for malware, especially ransomware, to make its first appearance inside your organisation.

Q. What should I do next?

Ransomware like PetyaWrap can do plenty of damage even if you limit it to a regular user account, because most users have the right to read, write and modify their own files at will.

But any malware, especially a network worm like PetyaWrap, is much more dangerous if it can get administrator-level privileges instead.

So, even if you weren’t touched by the PetyaWrap outbreak, why not use it as the impetus for looking at who in your own network is allowed to do what, and where they’re allowed to do it?

Here are some things to try:

  • Review all domain and local administrator accounts to get rid of passwords that can easily be cracked. If you don’t test your own password strengths, the crooks will test them for you.
  • Review which staff have, or can acquire, administrator privileges on other users’ computers or the domain. If you realise you have privileges you no longer need, tell IT and get them removed – for your own safety as well as everyone else’s.
  • Don’t let IT staff log on or run any software with admin privileges except when they explicitly need to. Once they have completed an administrative task they should demote themselves back to regular user privileges, even though it’s less convenient.
  • Check to see if you have any network shares that are supposed to be limited to your LAN but which show up on the internet. If you don’t check up on your own network, the crooks will check for you.
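To see why the admin-account advice above matters against a worm that combines password snooping with remote execution, here is an added example (not part of the original article) that works out how far one infected computer could reach in a small, constructed network. All host and account names are hypothetical, and it assumes the worst case: every password in memory on an infected computer can be reused wherever that account is an administrator.

```python
from collections import deque

# Constructed inventory with hypothetical names.
# ADMINS_ON: accounts holding administrator rights on each host.
# LOGGED_ON: accounts whose credentials sit in memory on each host
#            because they log on there.
ADMINS_ON = {
    "WS-01": {"alice-adm"},
    "WS-02": {"helpdesk"},
    "WS-03": {"helpdesk"},
    "FS-01": {"helpdesk", "dom-admin"},
    "DC-01": {"dom-admin"},
}
LOGGED_ON = {
    "WS-01": {"alice", "helpdesk"},  # helpdesk stayed logged on after a fix
    "WS-02": {"bob"},
    "WS-03": {"carol"},
    "FS-01": {"dom-admin"},          # domain admin logs on to the file server
    "DC-01": {"dom-admin"},
}


def blast_radius(start, admins_on, logged_on):
    """Return the set of hosts reachable from `start` when each infected host
    gives up the credentials in its memory (worst-case assumption) and those
    credentials are reused on every host where the account is an admin."""
    stolen = set()
    reached = {start}
    queue = deque([start])
    while queue:
        host = queue.popleft()
        stolen |= logged_on.get(host, set())
        for target, admins in admins_on.items():
            if target not in reached and admins & stolen:
                reached.add(target)
                queue.append(target)
    return reached


if __name__ == "__main__":
    print("As configured:", sorted(blast_radius("WS-01", ADMINS_ON, LOGGED_ON)))
    # Same network, but helpdesk no longer logs on to WS-01 with admin rights.
    hardened = {**LOGGED_ON, "WS-01": {"alice"}}
    print("After cleanup:", sorted(blast_radius("WS-01", ADMINS_ON, hardened)))
```

In the sample network, one helpdesk login left on a single workstation lets an infection on that workstation reach every host, including the domain controller; with that login gone, it reaches none of the others.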

Never assume that security choices you made last year, or settings you enforced last month, are still in play today.

Got more questions? Please ask below and we’ll do our best to answer them too.