What is Petya Ransomware & How to Protect Against It?

Petya and its adaptation NotPetya wreaked havoc in targeted attacks through 2016 and 2017. The Petya ransomware hit the headlines because it represented a new development in malware

Cybersecurity businesses, such as McAfee, Malwarebytes, and Check Point, operate research labs where analysts investigate new viruses and deduce their creators. National governments also have their cyber defense agencies that perform similar research. These security experts came to the same conclusion about Petya that it was an act of state-sponsored terrorism. However, they weren’t correct.

What is distinctive about Petya?

The most noteworthy attribute of Petya is that its creators didn’t seem too interested in collecting ransoms. Another interesting fact about Petya is that its most famous version was a hijacked copy and not the property of the original developer.

That version of Petya that was regarded as a tool of hybrid warfare wasn’t, in fact, Petya, but a system built by a hacker group linked to the Russian government that borrowed code from Petya. That pirated version of the ransomware is called NotPetya.

The original Petya was not so well known. However, the name of this ransomware became world-famous once the pirated version ripped across the world in 2017.

Where does Petya ransomware come from?

The creator of Petya was called Janus Cybercrime Solutions. No one knows where this group is based, but its logo includes the Soviet Union’s hammer and sickle icon, and it identifies with a fictional Russian crime syndicate. The group aimed to provide a ransomware template that others could use for a fee. This was a Ransomware-as-a-Service concept, similar to the “stress testing” services that creators DDoS botnets provide to monetize their assets.

So, with the original Petya, the attackers that targeted businesses with ransomware were using a tool. Each user set up an account and acted as an affiliate, using the toolkit for attacks and then paying the Janus group a percentage of their earnings. The Beta phase of the original Petya was open to applicants by invitation only.

A big problem for the hackers was that the original Petya needed administrator privileges. The holders of those accounts in businesses are not so easy to trick into handing over their credentials. Without administrator status for installation, the Petya software couldn’t run. So, Janus added on a second system called Mischa. This encrypts files on the current user account and doesn’t need high-level privileges. The RaaS platform opened fully in July 2016.

What does Petya mean?

The James Bond film, GoldenEye, inspired the Petya name. The hackers who created it adopted names and images from that film, which had a plot centered around a Russian hacker group hijacking satellite-based weapon launchers.

The group had a Twitter account called Janus Secretary and had an avatar showing a picture of the Scottish actor Alan Cumming in Boris Grishenko, a hacker in the group, Janus Syndicate.

In the film, set shortly after the dissolution of the Soviet Union, the Janus Syndicate uses malware to take control of two Soviet-era satellites. These carry GoldenEye weapons, which are electromagnetic pulse (EMP) systems. One of these satellites was called Petya. The RaaS website that accesses the Petya system is labeled “Janus Cybercrime.” When Janus added its second infection system to the Petya service, it used the name of the other GoldenEye satellite – Mischa.

Versions of Petya

Janus Cybercrime Solutions created four releases of Petya. These are:

• Version 1.0, known as Red Petya because its ransom demands were on a red background, and the service’s logo was a skull and crossbones on a red background. This was live during the Beta phase of the RaaS.
• Version 2.0, called Green Petya because its color palette had green text on a black background. This is the version that partnered with Mischa.
• Version 2.5, same themes as Green Petya but with bug fixes.
• Version 3.0, known as Goldeneye, used yellow text on a black background for its communications and black text on a yellow background for its skull and crossbones logo. This added a User Access Control (UAC) bypass to get at Administrator privileges.

Goldeneye was the last official version of Petya, and it was active up to December 2016. Versions after that were pirated copies created by other hacker teams that appropriated the Petya code and adapted it. Those are not, strictly speaking, new versions of Petya but new viruses that incorporate some of the principles of Petya. These are:

• PetrWrap, which is based on Green Petya but has its loading mechanism.
• Santana, which is a copy of Mischa rather than Petya.
• Petya+, written in the .NET framework, this virus doesn’t encrypt files but puts up a lock screen with a demand for payment.
• NotPetya, also known as EternalPetya and ExPetr, is based on Goldeneye and is the copy that drew the most attention to the Petya family. The Sandworm hacker group developed this for the Russian military intelligence agency, the GRU.

The real Petya isn’t circulating anymore. So, you don’t need to worry about it. However, NotPetya is a more persistent problem.

How does Petya Ransomware work?

Petya only runs on Windows. It overwrites the Master Boot Record (MBR) of an infected computer, encrypting its Master File Table (MFT). It also disables the Safe Mode. The result of this action is that both files and the operating system become blocked, so there isn’t any way to continue to use the computer unless the ransom is paid. This action requires Administrator access. If that is not possible, the installer runs the Mischa ransomware system instead. That encrypts files, making it possible to access the computer still.

A Petya attack begins with a spam email that purports to contain important information in an attachment. Users who download that attachment and open it triggers the virus. Green Petya masqueraded as a job application with a link to a profile. The profile included a downloadable PDF, which included the virus. Goldeneye was initially aimed at Germany with a German language email that had an infected attachment.

The dropper (installer) copies the Petya executable into the %APPDATA% directory under the name of a randomly encountered program on the computer. Goldeneye will run the Mischa routine before the Petya attack.

If Administrator access is allowed, the computer will crash and then restart with a fake CHKDSK display. In truth, while you watch the progress of this operation, you are watching the progress of the encryption of the MFT, which is performed with the Salsa20 cipher. The computer then displays a skull and crossbones logo. The colors used in this screen tell you which version of Petya you are dealing with.

If the Petya version is Goldeneye, the Administrator’s permission is not needed to get to the MFT. Red Petya won’t harm if the user account it downloads onto doesn’t have Administrator privileges. Green Petya will implement Mischa if it can’t get to the MFT to run its Petya routine. Mischa encrypts files in the account with a combination of asymmetric RSA encryption and the AES cipher.

Annoyingly, while other ransomware focuses on personal files that contain documents, images, video, and audio, Mischa also encrypts .EXE files. An encrypted file has its original name but with an extra extension on the end, a random string of characters. Renaming the file to remove that different extension won’t decrypt the contents.

The skull and crossbones logo is animated, and when the initial run-through completes, the screen shows a ransom demand. It asks for a payment in Bitcoin. By Green Petya, the ransom was 1.93 Bitcoin, which, at the time, was worth $875. Today, that amount would be worth $71,975.

The demand gives the user instructions to download the tor browser and go to a specific site. This page has the price in Bitcoin on it. The user has to enter a unique ID, which is shown on the ransom demand screen. The result of the payment process is a decryption key for Petya and a decryptor utility for Mischa.

Once NotPetya started to circulate, Janus Cybercrime Solutions shut down Petya and published its master key to decrypt all previous attacks. In addition, Malwarebytes Labs produces an automated decryptor based on this key to assist victims.

How to deal with a Petya ransomware attack

The best way to deal with any malware is to be prepared. As email phishing scans, tempting illegal video downloads, and infected websites are the most frequently used channels for infection; you particularly need to watch over the security of your endpoints.

Follow these four points to prevent system susceptibility to Petya ransomware:

1. Educate users about virus access and explain to them how to avoid infections.
2. Use an automated Patch manager and software updater
3. Backup all systems with a strategy to keep separate backups for each device
4. Install an endpoint detection and response service

Using the right tools for the system, you can prevent infections from Petya ransomware and other malware and be in a good position to recover from any ransomware attacks that foil your defenses.

The best tools to protect against Petya ransomware

The story of the Petya ransomware family shows how quickly malware can change. All of the eight versions and adaptations of Petya emerged in a little over a year. So, getting a defense tool that works well right now doesn’t necessarily mean that you will be protected against future attacks from new malware.

Fortunately, some excellent systems can detect malicious activity even if it is caused by malware that has never been encountered before. Here are two tools that you could try that watch over endpoints and protect files from tampering.

1. ManageEngine Endpoint Central (FREE TRIAL)

ManageEngine Endpoint Central is a tool remote management and monitoring package for use by IT departments. The system has a number of editions and the top plan deals with endpoint security. However, if you are specifically worried about Petya, Endpoint Central has a solution for you in its Patch Management unit, which is included in every plan.

Key Features:

• Patching for PCs and Macs
• Prevents Petya
• Free edition with Petya protection
• Vulnerability scanning 
• Automated configuration management

Why do we recommend it?

ManageEngine Endpoint Central is able to manage all of the major operating systems, even for mobile devices. However, it provides more functionality for Windows PCs than any other device type. Petya only attacks Windows, so if you are looking for Petya protection you will get a great deal of value out of this package. 

Prevention is better than cure and the Endpoint Central system blocks Petya infections by ensuring that those Windows executables that provide Peta a way in are fully updated. This is because the suppliers of those packages already know how Petya operates and they have fixed their security loopholes. So, just as long as you have your Windows software up to date, Petya doesn’t get a look in. 

The Endpoint Central package includes a vulnerability scanner that looks at all of the software installed on each endpoint. You will be able to see unauthorized software, which users might have installed. You will also see unknown packages that you will need to be removed. All of the rest will be automatically updated by the Patch Management module.

The tool identifies configuration weaknesses in the settings of operating systems and services such as browsers and Web servers. The system will automatically adjust some of those., but not everyone wants software to interfere with their systems unattended, so the package will produce a list of fixes that your administrator needs to make in order to tighten security. Rescans will let you know when security has been improved.

All of these vulnerability resolution actions are necessary for data protection standards compliance and you will need to document all of the steps that you have taken to secure your system. Endpoint Central logs all of its findings and threat remediation actions and this will form part of your compliance reporting.

Who is it recommended for?

Companies that run Windows PCs need protection against ransomware, including Petya. While many other types of ransomware need higher levels of security services, dealing with Petya is pretty straightforward and the Free Edition of Endpoint Central provides that. This is a suitable package for small businesses and it will protect 25 endpoints. Larger companies have the choice of four paid plans.

Endpoint Central is offered as a cloud-based SaaS platform or as a software package for Windows Server. This system’s Free edition is suitable for small businesses and the four paid packages go right up to the Security Edition, which provides data loss prevention. You can get a 30-day free trial of the top edition and then switch to the Free Edition after that if you decide not to buy.

2. CrowdStrike Falcon Insight

CrowdStrike Falcon Insight combines endpoint software with a cloud platform. This is a combination of the CrowdStrike Falcon Prevent next-generation antivirus package with a cloud-based coordinator that acts as a SIEM.

Key Features:

• Spots malware
• Scans processes for unauthorized activities
• Quarantining
• Warnings to all devices
• Central threat hunting

Why do we recommend it?

CrowdStrike Falcon Insight is an XDR, which means it provides an antivirus on each endpoint and then a coordinating unit on the cloud. This combination is necessary to combat systems such as Petya that try to infect multiple endpoints on a network. An infected device can be isolated from the network.

The advantage of this configuration is that endpoint protection continues even if the device is disconnected from the network and the Internet. In addition, the cloud module is updated immediately with the latest threat intelligence and coordinates instructions to all endpoint agents.

Falcon Insight updates endpoints when available, and in return, the endpoint agents upload activity intelligence. The Insight system scans through the logs that Prevent sends it to look for indicators of compromise. A significant advantage of using the CrowdStrike system is that it maintains a research team that constantly looks for new viruses and ransomware and works out how to combat them. The data uploaded from the Falcon Prevent systems provides the source data for these investigations.

Who is it recommended for?

While MFT encryption is difficult to deal with, it is not impossible. Ransomware that attacks system processes and files need to start up and implement preliminary actions and a good AV like Falcon Insight’s endpoint agent, called Prevent, can spot those movements. However, having a full AV unit on each endpoint makes this package expensive.

CrowdStrike Falcon Insight can manage threat response. This module includes isolating a machine if ransomware is detected. The service also runs a blacklist of infected sites and known hacker IP addresses. Falcon Insight is also helpful for defending against network intrusion. You can get a 15-day free trial of Falcon Prevent.