Petya or NotPetya – How It Spreads And What To Do About It

Petya or NotPetya That Is The Question

Actually, this latest ransomware outbreak is not Petya. The malware appears to share a significant amount of code with an older piece of ransomware that really was called Petya, but after the outbreak started, security researchers noticed that “the superficial resemblance is only skin deep”.
Researchers at Russia’s Kaspersky Lab redubbed the malware NotPetya, and then folks played the name game and variation like Petna, Pneytna began to spread as a result. As if that didn’t complicate matters, other researchers gave it other names like Goldeneye (dubbed so by Bitdefender).

How does the Petya/NotPetya ransomware work?

The ransomware takes over computers and demands $300, paid in Bitcoin. However, the mechanisms put in place to collect the ransom quickly fell apart (and we all know payment was never a real option anyway). The initial infection vector while not 100% confirmed it is currently speculated to have come from an Ukrainian software product called MeDoc which is believed to have been compromised. The malicious software spreads rapidly across an organization once a computer is infected using multiple techniques. The first was utilizing the EternalBlue exploit which leverages a Windows vulnerability (MS17-010) that has been previously fixed by Microsoft in March of this year. It then utilizes a stripped down version of Mimikatz and lsadump to extract clear-text credentials from the infected machine. These credentials in combination with a custom version of PSEXEC and WMIC is then how it move laterally and infects other mahcines on the network. “It has a better mechanism for spreading itself than WannaCry”, said Ryan Kalember, of cybersecurity company Proofpoint.

In a nutshell:

NotPetya attempts to capture credentials for spreading, the ransomware uses custom tools, a la Mimikatz. These tools extract credentials from the lsass.exe process. After extraction, credentials are passed to PsExec tools or WMIC for distribution inside a network.

Other observed infection vectors include:

  • A modified EternalBlue exploit, also used by WannaCry.
  • The EternalRomance exploit – a remote code execution exploit targeting Windows XP to Windows 2008 systems over TCP port 445 (Note: patched with MS17-010).
  • Custom stripped down versions of Mimikatz to dump clear text credentials.
  • It drops v1.98 of PSEXEC on the system at C:\Windows\dllhost.dat
  • An attack against the update mechanism of a third-party Ukrainian software product called MeDoc.

Should I be worried?

Computers running the most recent update of Microsoft’s software should be safe from the attack. Users are advised to check they have installed the latest version of Windows and refrain from clicking on malicious links.

Should you pay the ransom?

TBG Security advises our clients to never pay the ransom as it only encourages the attackers (and most times you’ll not get the files recovered anyway).
Instead, power off your machine, format your drive and restore from backup. We know it sounds harsh but the other option is to stay online and spread the ransomware throughout the network.

What to do if NotPetya is on your system (It’s a vaccine, not a killswitch)

  • Create a file called perfc with no extension in C:\Windows. This file should be non-executable and non-writeable. For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.  The batch file will also create two addition vaccination files called perfc.dat and perfc.dll, which may not be needed, but were added for completeness.This batch file can be found at: appears to prevent the malware from spreading to systems on the network that contain the MS17-010 patch, but may be susceptible to the other network-based attacks. If you haven’t applied the MS17-010 patch, this step will not help you but it may help prevent lateral movement.
  • Leverage GPO to block access to the ADMIN$ share to prevent the credential passing propagation that occurs via WMI / psexec.
  • The Petya malware creates a scheduled task which reboots up to one hour after infection. If the task is removed before execution, it does not reschedule, buying you some time.
  • If a machine reboots and you see this message, power off immediately. This interrupts the encryption process. Use a LiveCD or external machine to recover files.

How can I protect myself against attack?

Patching makes Perfect.  First, if you have not already patched your Windows machines and servers against the Microsoft vulnerability exploit (MS17-010), do it right now.  Microsoft’s Windows Defender AV detects and removes this threat. as well.

To reduce the possibility of becoming infected with ANY ransomware infection, do not open uninvited emails, emails from people or businesses you do not recognize and NEVER click on any attachments unless you know what you are opening.  And as a best practice you should always backup your files to some type of external device that is not connected to your PC or your network.

If you don’t have an AntiVirus software package running on your PC (what are you thinking) then install one ASAP and keep the definitions up to date.  Most, if not all Av packages will automatically update the virus definitions but it’s up to you to set up an effective scanning solution.

Previous ArticleEU GDPR demystified: a straightforward reference guide for US firms (PART TWO) Next ArticleEU GDPR demystified: a straightforward checklist for US firms (PART THREE)