PETYA malware
There are several channels of distribution, including phishing e-mails.
For further internal distribution, PETYA uses:
- the MS17-010 vulnerability (the same SMBv1 flaw exploited by WannaCry);
- remote execution through WMI (Windows Management Instrumentation), using commands of the form "wmic.exe /node: "<hostname>" /user: "<username>" /password: "<password>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\"#1";
- the Microsoft PsExec utility (account credentials are collected from the infected machine with a tool similar in functionality to Mimikatz: clear-text passwords are obtained by reading the memory of the lsass.exe process).
PETYA clears the event logs and the NTFS change (USN) journal with the command "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:" in order to hinder further analysis. Notably, the event-log records themselves are not deleted: PETYA only writes a note in the log header saying that the log has been cleared, and the records can be restored.
The system can be encrypted using two different methods:
1. Encryption of the master file table, $MFT (NotPetya)
The malicious file writes its code into the MBR and the following several sectors (the original MBR is saved in sector 34, encrypted with XOR 0x07). The malware then reboots the system (using the "schtasks" and "at" commands). When the system starts again, a message is displayed saying that the CHKDSK utility is running. In fact, at this moment PETYA is encrypting $MFT with the cryptographically strong Salsa20 cipher (the code is similar to the original Petya). The peculiarity of this method is that it encrypts the records about files rather than the file contents. The files can therefore be recovered, and there are several ways to do so:
- Manually. First, files can be searched for on the disk by their signatures; this works only for unfragmented files, and the file name cannot be recovered. Second, file records can be located by the "FILE0" signature and the list of clusters belonging to the file obtained from them; this recovers both the file name and the contents. Third, the cluster containing the beginning of the file is located (by its signature), and the number of that cluster is then used to find the non-resident list of sectors (data runs) belonging to the file. These techniques can also be used to recover large files that signature search and automatic tools fail to restore;
- Automatically: R-Studio, GetDataBack, etc.;
- MBR recovery before the system reboots, using the command "bootrec /FixMbr" (Vista and later; on Windows XP, use "fixmbr");
- MBR recovery after the reboot but before the system is encrypted. This requires extracting the original MBR from sector 34 (disk offset 0x4400, size 0x200), decrypting it (XOR with 0x07) and writing it to the beginning of the disk.
2. File encryption (Mischa)
If the malware does not have the privileges to overwrite the MBR, it encrypts files without rebooting the system. The following file extensions are encrypted: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip. No decryption technique is known. The only option is to restore the files from backup copies, for instance from Volume Shadow Copies, restore points or File History.
It is strongly recommended not to pay the ransom, as the adversaries' mailbox has been blocked. At present we doubt that decrypting the data is technically possible, and there are still no known cases of successful decryption.
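The sector-34 recovery step from method 1, as an added Python example that is not part of the original advisory: it reads the XOR-0x07 encrypted copy of the MBR at offset 0x4400, checks that the decrypted sector carries the 0x55AA boot signature and writes it back over sector 0 of a disk image. The image here is a constructed in-memory sample; applying it to a real disk is assumed to be done on an offline image of the drive.

```python
SECTOR = 0x200                            # sector size the advisory assumes (512 bytes)
BACKUP_SECTOR = 34                        # sector where PETYA stores the original MBR
BACKUP_OFFSET = BACKUP_SECTOR * SECTOR    # 34 * 0x200 = 0x4400
XOR_KEY = 0x07                            # PETYA's trivial XOR "encryption" of the saved MBR


def extract_original_mbr(image: bytes) -> bytes:
    """Read the saved MBR from sector 34 and undo the XOR 0x07."""
    if len(image) < BACKUP_OFFSET + SECTOR:
        raise ValueError("image too small to contain sector 34")
    saved = image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR]
    return bytes(b ^ XOR_KEY for b in saved)


def looks_like_mbr(sector: bytes) -> bool:
    """Sanity check before writing anything: a valid MBR ends with the 0x55AA signature."""
    return len(sector) == SECTOR and sector[-2:] == b"\x55\xAA"


def restore_mbr(image: bytes) -> bytes:
    """Return a copy of the image with the decrypted original MBR written back to sector 0."""
    mbr = extract_original_mbr(image)
    if not looks_like_mbr(mbr):
        raise ValueError("decrypted sector 34 has no boot signature; not the PETYA layout")
    return mbr + image[SECTOR:]


def build_sample_image():
    """Constructed sample (not a real capture): a fake original MBR overwritten at sector 0
    by a fake bootkit stub, with the XOR-0x07 copy of the original placed at sector 34."""
    original_mbr = b"\xEB\x3C\x90ORIGINAL-MBR".ljust(SECTOR - 2, b"\x00") + b"\x55\xAA"
    bootkit_stub = b"\xFA\x33\xC0PETYA-STAGE1".ljust(SECTOR - 2, b"\x00") + b"\x55\xAA"
    image = bytearray(64 * SECTOR)        # 64-sector disk, all zeros
    image[0:SECTOR] = bootkit_stub
    image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR] = bytes(b ^ XOR_KEY for b in original_mbr)
    return bytes(image), original_mbr


if __name__ == "__main__":
    img, expected = build_sample_image()
    fixed = restore_mbr(img)
    print("MBR restored correctly:", fixed[:SECTOR] == expected)
```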
NotPetya encrypts only the file table, not the files themselves, so the files can be recovered after encryption.
Structure of the file system before encryption: the master file table (MFT), holding the file names and locations, comes first. After encryption, all the links to files in the MFT are encrypted, but the contents of the files remain unchanged.
Thus, all carving-based recovery techniques can be used. Moreover, copies of MFT records are stored in many places in the file system (they can be found in hiberfil.sys, various directory files, $MFTMirr, etc.), so it is possible to collect all intact MFT records and recover even fragmented files.
The following files in the Windows directory may indicate that the system was infected through PsExec:
- C:\Windows\perfc.dat
- C:\Windows\dllhost.dat
Install the Windows update for the MS17-010 vulnerability:
technet.microsoft.com/en-us/library/security/ms17-010.aspx
Disable SMB1:
support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and-windows
Block PSEXEC.EXE using local or group security policies on potentially vulnerable machines in order to stop the malware spreading. If possible, block or disable remote access to WMI.
In the course of the investigation it was found that creating an empty file "C:\Windows\perfc" may prevent infection through PsExec and WMI.
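The commands and file names quoted in this advisory (the WMI launch of rundll32 with perfc.dat, the wevtutil/fsutil log-clearing chain and the dllhost.dat PsExec copy) turned into hunting rules over process-creation records, as an added Python example that is not part of the original advisory. The "host|user|command line" log format and all records are constructed; the rule names and the PsExec switches in the sample line are my own assumptions.

```python
import re

# Hunting rules built from the commands and file names quoted in the advisory.
# Map the fields to your own process-creation telemetry (e.g. Sysmon event 1, Security 4688).
RULES = {
    "wmi_remote_rundll32_perfc": re.compile(
        r"\bwmic(\.exe)?\b.*/node:.*process\s+call\s+create\b.*rundll32(\.exe)?\b.*perfc\.dat", re.I),
    "eventlog_clearing": re.compile(
        r"\bwevtutil(\.exe)?\s+cl\s+(setup|system|security|application)\b", re.I),
    "usn_journal_deletion": re.compile(r"\bfsutil(\.exe)?\s+usn\s+deletejournal\s+/d\b", re.I),
    "psexec_copy_dllhost_dat": re.compile(r"\\windows\\dllhost\.dat\b", re.I),
}


def match_rules(cmdline: str) -> list:
    """Return the sorted names of every rule that fires on one command line."""
    return sorted(name for name, rx in RULES.items() if rx.search(cmdline))


def scan_process_log(lines) -> list:
    """Return (host, user, matched_rules) for every record that triggers at least one rule."""
    findings = []
    for line in lines:
        host, user, cmd = line.split("|", 2)
        hits = match_rules(cmd)
        if hits:
            findings.append((host, user, hits))
    return findings


# Constructed sample records, not a real capture; the password and GUID are placeholders.
SAMPLE_LOG = [
    r'WS01|CORP\alice|wmic.exe /node:"WS02" /user:"CORP\alice" /password:"<placeholder>" '
    r'process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"',
    r"WS02|NT AUTHORITY\SYSTEM|cmd.exe /c wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
    r"& wevtutil cl Application & fsutil usn deletejournal /D C:",
    r"WS02|NT AUTHORITY\SYSTEM|C:\Windows\dllhost.dat \\WS03 -accepteula -s -d "
    r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1",
    r"WS05|CORP\bob|wevtutil qe Application /c:5 /f:text",                        # benign log query
    r"WS05|CORP\bob|C:\Windows\System32\dllhost.exe /Processid:{placeholder-guid}",  # benign COM surrogate
]


if __name__ == "__main__":
    for host, user, hits in scan_process_log(SAMPLE_LOG):
        print(f"{host} {user}: {', '.join(hits)}")
```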