There are several distribution channels, including phishing e-mails.
For further distribution inside the network PETYA uses:
- the MS17-010 vulnerability (as in the WannaCry case);
- remote access to the WMI console (Windows Management Instrumentation), using commands such as "wmic.exe /node: "<hostname>" /user: "<username>" /password: "<password>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\"#1";
- the Microsoft utility PSEXEC (account credentials are collected from the infected machine using a utility with functionality similar to Mimikatz: clear-text passwords are gathered by reading the memory of the lsass.exe process).
PETYA clears the event logs and the file system journal with the command "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:" in order to hinder further analysis. Notably, the records in the event logs are not actually deleted; PETYA only places a mark in the name of the log indicating that it was cleared. Recovery of the files is possible.
There are two modes of system encryption:
1. Encryption of the master file table $MFT (NotPetya)
The malicious file writes its code into the MBR and the following sectors (the original MBR is saved, encrypted with XOR 0x07, in sector 34). Afterwards the malware reboots the system (using the "schtasks" and "at" commands). When the system starts again, a message about the CHKDSK utility appears on the screen. In fact, at this moment PETYA is encrypting the $MFT with the cryptographically strong Salsa20 cipher (the code is similar to the original Petya). The main feature of this technique is that it encrypts the file records rather than the file contents. File recovery is possible. There are several ways to recover the data:
- Manually. First, files can be located on the disk by their signatures. However, this method works only for small files (max 4 KB), and the file name is not recovered. A second manual technique is to search for file records using the «FILE0» signature and obtain the list of clusters belonging to the file; this recovers both the content and the name of the file. A third technique is to search for the cluster containing the beginning of the file (by signature) and then use that cluster number to locate the non-resident list of sectors belonging to the file. All of the above techniques can be used to recover large files that cannot be restored by signature search and automatic tools;
- Automatically: R-Studio, GetDataBack, etc.;
- MBR recovery before the system is rebooted, via the command "bootrec /FixMbr" (Vista and later; the corresponding command for Windows XP is "fixmbr");
- MBR recovery after the system has rebooted but before the system is encrypted. This requires extracting the original MBR from sector 34 (offset 0x4400 on the disk, size 0x200), decrypting it and writing it to the beginning of the disk.
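The last recovery step above, as an added example (not code from the original advisory): a Python helper that reads sector 34 of a raw disk image, undoes the XOR 0x07, refuses to use the result unless it carries the 0x55AA boot signature and a plausible partition table, and returns the image with sector 0 restored. The sample image and all function names are this example's own assumptions.

```python
SECTOR = 512
BACKUP_OFF = 34 * SECTOR  # 0x4400: sector 34, where PETYA stored the original MBR XOR 0x07
XOR_KEY = 0x07

def partition_table_plausible(mbr: bytes) -> bool:
    """Each of the 4 partition entries must have a boot flag of 0x00 or 0x80 (sanity check only)."""
    return all(mbr[446 + 16 * i] in (0x00, 0x80) for i in range(4))

def recover_original_mbr(image: bytes) -> bytes:
    """Read sector 34, undo the XOR 0x07 and validate the result before returning it."""
    enc = image[BACKUP_OFF:BACKUP_OFF + SECTOR]
    if len(enc) != SECTOR:
        raise ValueError("image is shorter than 35 sectors")
    mbr = bytes(b ^ XOR_KEY for b in enc)
    if mbr[510:512] != b"\x55\xaa" or not partition_table_plausible(mbr):
        raise ValueError("sector 34 does not decode to a valid MBR: do not write it back")
    return mbr

def restore_mbr(image: bytes) -> bytes:
    """Return a copy of the image whose sector 0 is the recovered MBR; nothing else is touched."""
    return recover_original_mbr(image) + image[SECTOR:]

def build_sample_image() -> bytes:
    """Constructed 35-sector image (not from a real disk): a fake original MBR with one bootable
    NTFS partition entry, stored XOR 0x07 in sector 34, behind a stand-in overwritten sector 0."""
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + (2048).to_bytes(4, "little") + (204800).to_bytes(4, "little")
    original = b"\xeb\xfe" + bytes(444) + entry + bytes(48) + b"\x55\xaa"
    image = bytearray(35 * SECTOR)
    image[0:2] = b"\xe9\x00"  # whatever replaced the boot sector; its content is not needed
    image[BACKUP_OFF:BACKUP_OFF + SECTOR] = bytes(b ^ XOR_KEY for b in original)
    return bytes(image)

if __name__ == "__main__":
    fixed = restore_mbr(build_sample_image())
    print("first partition starts at LBA", int.from_bytes(fixed[454:458], "little"))
```

Run it against a raw image taken from a forensic copy of the disk; only write the recovered sector back once the validation passes.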
2. File encryption (Misha)
When privileges to rewrite the MBR cannot be obtained, the files are encrypted without a system reboot. The file extensions subject to encryption are: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip. Decryption techniques remain unknown. The only option is to restore the files from backup copies, for instance from Volume Shadow Copy, restore points or File History.
It is strongly recommended not to pay the ransom, as the adversaries' mailbox has been blocked. At present we doubt that decrypting the data is technically possible, and there are still no precedents of successful decryption.
Why is data recovery possible?
NotPetya encrypts only the file table, not the files themselves, so the files can be recovered after encryption.
The structure of the file system before encryption: first comes the master file table (MFT) with file names and locations. After encryption, all links to the files in the MFT are encrypted, but the contents of those files remain unchanged.
Therefore all recovery techniques based on carving can be used. Moreover, identical MFT records are stored in many places on the file system (they can be found in the hiberfil.sys file, various directory files, $MFTMirr, etc.), so it is possible to collect all intact MFT records and recover even fragmented files.
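The «FILE0» record search from the manual recovery list and the idea of collecting intact MFT records wherever they survive, as an added example (not code from the original advisory): a Python parser that undoes the NTFS update-sequence fixups, takes the file name from $FILE_NAME and the cluster runs from a non-resident $DATA attribute, plus a carver that applies it to every «FILE0» hit in a raw image or hiberfil.sys. Offsets follow the standard NTFS record layout; the function names are this example's own.

```python
import struct

def parse_runs(data: bytes) -> list:
    """Decode an NTFS data-run list into absolute (first_cluster, cluster_count) pairs."""
    runs, pos, lcn = [], 0, 0
    while pos < len(data) and data[pos]:
        ln, on = data[pos] & 0xF, data[pos] >> 4          # sizes of the count and offset fields
        count = int.from_bytes(data[pos + 1:pos + 1 + ln], "little")
        lcn += int.from_bytes(data[pos + 1 + ln:pos + 1 + ln + on], "little", signed=True)
        runs.append((lcn, count))
        pos += 1 + ln + on
    return runs

def parse_file_record(rec: bytes) -> dict:
    """Parse one 1 KiB 'FILE0' record: file name plus resident content or cluster runs."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    buf = bytearray(rec)
    for i in range(1, usa_cnt):  # undo the fixup at the end of each 512-byte sector
        if buf[i * 512 - 2:i * 512] != rec[usa_off:usa_off + 2]:
            raise ValueError("fixup mismatch: torn record or not a record at all")
        buf[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    rec, info = bytes(buf), {"name": None, "data": None, "runs": []}
    pos = struct.unpack_from("<H", rec, 0x14)[0]          # offset of the first attribute
    while pos + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, pos)
        if atype == 0xFFFFFFFF or alen == 0:
            break
        if atype == 0x30:  # $FILE_NAME; prefer the long name over the 8.3 one (namespace 2)
            v = pos + struct.unpack_from("<H", rec, pos + 0x14)[0]
            if info["name"] is None or rec[v + 0x41] != 2:
                info["name"] = rec[v + 0x42:v + 0x42 + 2 * rec[v + 0x40]].decode("utf-16-le")
        elif atype == 0x80 and nonres:  # $DATA kept in clusters: decode its run list
            roff = struct.unpack_from("<H", rec, pos + 0x20)[0]
            info["runs"] = parse_runs(rec[pos + roff:pos + alen])
        elif atype == 0x80:  # small file: the content sits inside the record itself
            vlen, voff = struct.unpack_from("<IH", rec, pos + 0x10)
            info["data"] = rec[pos + voff:pos + voff + vlen]
        pos += alen
    return info

def carve_records(image: bytes):
    """Yield (offset, record) for every 'FILE0' signature in a raw image; skip damaged hits."""
    off = image.find(b"FILE0")
    while off != -1 and off + 1024 <= len(image):
        try:
            yield off, parse_file_record(image[off:off + 1024])
        except (ValueError, UnicodeDecodeError, struct.error):
            pass
        off = image.find(b"FILE0", off + 1)
```

Each (first_cluster, cluster_count) pair, multiplied by the volume's cluster size, gives the byte ranges to copy out for that file, which is how fragmented files are reassembled from the carved records.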
The following files in the Windows directory may indicate infection of the system via the PSEXEC software:
Install the Windows updates for the MS17-010 vulnerability:
Block the PSEXEC.EXE software using local or group security policies on potentially vulnerable machines in order to stop the spread of the malware. If possible, block or disable remote access to WMI.
In the course of the investigation it was found that creating the empty file "C:\Windows\perfc" may prevent infection via PsExec and WMI.