Petya - What Really Happened

June 30, 2017

**On Wednesday morning, Ashley was rushing to get a blog on Petya “ransomware” out to help our customers understand and defend against it. Meanwhile, I was in DC about to present at the cyber security for defense summit and watching the CISO from one of the US intelligence agencies talk about that same “ransomware”. Meanwhile, researchers around the globe were still trying to figure out what was really happening. It turns out that ransom was not the motive after all and Wired’s article last week on nation states and cyber war just got a lot more real. That said, I still like Ashley’s advice on how to manage cyber risks like these but for now, we’ll let CoreLabs researcher Willis McDonald explain what really happened. If you have any questions, let us know in the comments or email us at" – Chris Sullivan, CISO & CTO, Core Security

There has been a lot of information shared this week around the Petya “ransomware” virus. I put this in quotes because, just as with most attacks, once you dive in and get more information you find out that everything is not as it seems. The problem is that with the confusion going on around Petya on Tuesday there was a large amount of misinformation just as with WannaCry.  After the dust settled on Thursday, it appears that the infection vector was through the update process of an accounting package specific to Ukraine.  The infection vector was a malicious update delivered from the Ukrainian tax accounting software M.E. Doc. At roughly 10:30 AM EST on Tuesday 06-27-2017 a malicious update was delivered to users of M.E. Doc through the normal automatic update check.  What makes this a particularly devious and disastrous infection vector is that this software is required for tax purposes if you have a business presence in Ukraine.  So, not only were Ukrainian businesses vulnerable but foreign businesses were also impacted.

The update package contained a payload that executed a DLL file which extracted Petya ransomware and other tools depending on the rights of the user.  Once the resources from the DLL were extracted the payload would then execute the Petya ransomware payload which would overwrite the bootloader for the system. The next time the system restarted it would begin the encryption process disguised as a legitimate disk repair scan. To restart the system, Petya schedules a task to restart the system one hour after infection. 

Once the Petya infection has completed on the system, a scan of the local network for other systems is performed. If another Windows system is found it will attempt to login using the credentials from the infected system.  If the credentials for the infected system failed it would then attempt to exploit the remote system using the same EternalBlue exploit used by WannaCry.  If successful, a copy of the Petya payload was transferred and executed on the remote system and the infection chain begins again on the remote system.

What makes this attack so interesting is not that it was so disastrous but that it could have been so much worse. Using the Me-Doc update process specifically targeted businesses operating in Ukraine and only spread through local networks to infect systems outside of Ukraine. If this had been delivered through more traditional means, such as spear-phishing or malicious spam, the fallout would have been much greater and led to global outages.  The same would have been true for WannaCry which only spread through systems with SMB exposed to the internet. This leads to the belief that this was a targeted attack in which no one really expected to get paid. Backing up this belief is the fact that this Petya seems to have no means of actually decrypting the files once they have been lost.  The installation ID that was once used as a means for the attackers to determine the encryption key is now just a randomly generated string.

  • News & Events

Ready for a Demo?

Eliminate identity-related breaches with SecureAuth!