Petya: The poison behind the latest ransomware attack

Unpatched Windows machines are getting hammered again by a new ransomware attack.
Written by Steven Vaughan-Nichols, Senior Contributing Editor

First things first: if you're running Windows, patch your systems! The latest Petya variant, which some vendors call GoldenEye, breaks into any Windows PC that still hasn't been patched with Microsoft's March MS17-010 update. Microsoft thought patching this bug was important enough that it even patched it on its unsupported Windows XP operating system.

But, despite that, and despite all the news WannaCry got for its assaults, people still haven't patched all of their systems, and now we get to deal with Petya-infected PCs and their completely encrypted hard drives.

As Maya Horowitz, Check Point's threat intelligence group manager, said in the aftermath of WannaCry, "That's something that will keep happening in the future where people can copy and paste malware, copy the NSA code and that's what you get -- worldwide catastrophe. More and more things like that will happen."

As Rafe Pilling, senior security researcher at SecureWorks Counter Threat Unit, added before this latest mess, "It's quite common for ... systems to run older versions of operating systems which go unpatched, run old applications, use shared logins, that sort of stuff, all of which creates an environment which is more susceptible to this sort of thing."

And, here we are. Lucky us.

Here's how it works.

First, a system is infected with Petya. Cisco's Talos security arm believes the first victims were infected through "software update systems for a Ukrainian tax accounting package called MeDoc."

Once inside, it uses EternalBlue (an exploit for the SMB hole that MS17-010 fixed), PsExec (a legitimate Windows administration tool), and Windows Management Instrumentation (WMI) to spread itself to other systems. Because the last two run with stolen credentials inside the trusted local-area network, even patched Windows systems can fall over like dominoes.

EternalBlue is a leaked National Security Agency (NSA) exploit. It attacks version 1 of Windows' Server Message Block (SMB) file-sharing protocol, a long-outdated dialect with a history of holes. SMB-1 should be turned off even on patched systems.
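Turning SMB-1 off is a two-part job on a modern Windows box: stop the server from negotiating it, then remove the component so the client can't speak it either. The script below is an added example, not part of the article; it assumes Windows 8.1 / Server 2012 R2 or later, where the SmbShare module and the SMB1Protocol optional feature exist, and must run in an elevated PowerShell.

```powershell
# Added example: audit and disable SMBv1 on the local host.
# Assumes Windows 8.1 / Server 2012 R2 or later (SmbShare module and the
# SMB1Protocol optional feature are present). Run as Administrator.
#Requires -RunAsAdministrator

function Get-Smb1Status {
    # Server side: will this host still answer an SMB1 negotiation?
    $server = (Get-SmbServerConfiguration).EnableSMB1Protocol
    # Component side: is the SMB1 feature (client and server) installed at all?
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        ServerSmb1Enabled = $server
        FeatureState      = $feature.State   # Enabled / Disabled / DisabledWithPayloadRemoved
    }
}

function Disable-Smb1 {
    # Stop the server from negotiating SMB1 right away (no reboot needed).
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the SMB1 component entirely; this part only completes after a
    # reboot, which we defer so the change can be scheduled.
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

$before = Get-Smb1Status
"Before: server SMB1 enabled = $($before.ServerSmb1Enabled); feature = $($before.FeatureState)"
if ($before.ServerSmb1Enabled -or $before.FeatureState -eq 'Enabled') {
    Disable-Smb1
    $after = Get-Smb1Status
    "After:  server SMB1 enabled = $($after.ServerSmb1Enabled); feature = $($after.FeatureState)"
    "Reboot to finish removing the SMB1 component."
} else {
    "SMB1 is already off."
}
```

Check the "Before" line on a sample of machines before rolling this out: anything that still reports the feature as Enabled is a machine that EternalBlue can reach if MS17-010 is missing, and a machine that old NAS boxes or printers may still depend on for file sharing, so test those dependencies first.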

PsExec is a lightweight Sysinternals tool, a telnet replacement that executes programs on remote Windows systems. If the infected user has administrator privileges on other machines, the malware uses PsExec to install itself on them over the local network.

WMI automates administrative tasks on remote computers. It also supplies management data to other management programs such as System Center Operations Manager, formerly Microsoft Operations Manager (MOM), and Windows Remote Management. Through WMI the malware runs the same fatal commands as it does through PsExec, but it authenticates with the current users' user names and passwords.

It appears the malware package extracts these credentials from the infected machine with the LSADump technique, which harvests them from the Local Security Authority and Windows' Security Account Manager (SAM) database, where Windows keeps local user names and password hashes.

It's these last two, not EternalBlue, that did the real damage. As David Kennedy, TrustedSec CEO, tweeted: "Lateral movement / lsadump was the killer here - lesser EternalBlue."

This is bad. As Kaspersky notes, "A single infected system on the network possessing administrative credentials is capable of spreading this infection to all the other computers through WMI or PSEXEC."
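Both of those spreading mechanisms leave ordinary Windows event-log footprints on the machine they land on. The hunting script below is an added example and is not from the article, Kaspersky or any other vendor. It assumes Windows 10 / Server 2016 or later with "Audit Process Creation" enabled, so that Security event 4688 carries a ParentProcessName field, and it assumes the attacker's PsExec copy registers the tool's default service name, PSEXESVC; an attacker who renames the service will not match the second check.

```powershell
# Added example: hunt the local event logs for the two remote-execution
# techniques described above (WMI process creation and PsExec service install).
# Assumptions: Windows 10 / Server 2016+ with process-creation auditing on
# (event 4688 includes ParentProcessName), and PsExec's default service name.
#Requires -RunAsAdministrator

param([int]$HoursBack = 24)
$since = (Get-Date).AddHours(-$HoursBack)

# Pull the named Data fields out of an event's XML payload into a hashtable.
function Get-EventData($Event) {
    $xml = [xml]$Event.ToXml()
    $h = @{}
    foreach ($d in $xml.Event.EventData.Data) { $h[$d.Name] = $d.'#text' }
    $h
}

function Find-WmiRemoteExec {
    # A remote Win32_Process.Create call shows up on the victim as a process
    # whose parent is the WMI provider host, WmiPrvSE.exe.
    Get-WinEvent -FilterHashtable @{LogName='Security'; Id=4688; StartTime=$since} -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = Get-EventData $_
        if ($d.ParentProcessName -like '*\WmiPrvSE.exe') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Technique   = 'WMI'
                User        = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
                Process     = $d.NewProcessName
                CommandLine = $d.CommandLine
            }
        }
      }
}

function Find-PsExecService {
    # PsExec installs a temporary service on the target before it runs
    # anything; the System log records that installation as event 7045.
    Get-WinEvent -FilterHashtable @{LogName='System'; Id=7045; StartTime=$since} -ErrorAction SilentlyContinue |
      ForEach-Object {
        $d = Get-EventData $_
        if ($d.ServiceName -eq 'PSEXESVC' -or $d.ImagePath -like '*PSEXESVC*') {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                Technique   = 'PsExec'
                User        = $d.AccountName
                Process     = $d.ImagePath
                CommandLine = $d.ServiceName
            }
        }
      }
}

$hits = @(Find-WmiRemoteExec) + @(Find-PsExecService) | Sort-Object Time
if ($hits) { $hits | Format-Table -AutoSize }
else { "No WMI or PsExec remote-execution events in the last $HoursBack hours." }
```

Because the malware authenticates with harvested credentials, the User column will show legitimate administrator accounts; the tell is the timing and the fan-out (the same account creating processes on many hosts within minutes), not the account name. Run it across the fleet with Invoke-Command -FilePath and compare the results by timestamp.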

Only after it has spread does the Petya payload go off on the systems it reached. Once planted, it waits from 10 to 60 minutes and then reboots the system.

Next, a screen appears which looks like the Windows disk-check program (CHKDSK) and runs a 'scan.' What it's actually doing is encrypting the drive's Master File Table (MFT) and replacing the Master Boot Record (MBR) with a customized loader, which includes a ransom note.

At this point, you're hosed. If you power the machine off before the fake CHKDSK scan completes, you may be able to save your files, but do not boot it back into Windows. Clean the malware out of every affected computer by booting from a USB or DVD drive and running an up-to-date anti-virus program.

If your MFT and files are encrypted, they're locked up tight: the data is encrypted with an Advanced Encryption Standard (AES)-128 key, and that key is in turn encrypted with the attacker's public RSA-2048 key. Without the matching private key, you're not getting your files back in this lifetime.

You do have a current backup, right? Right!?

Besides patching your systems and updating your AV software, you can immunize your systems to Petya by creating the file C:\Windows\perfc.* and making it read-only: the malware checks for it and, if it's present, exits without running. You can do this by following the instructions on BleepingComputer. That is a manual method and not suited for enterprises, but it gives enough information that experienced sysadmins should have no trouble automating it.
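One way to automate the vaccine, as an added example that is not the article's or BleepingComputer's own code: the article names C:\Windows\perfc.*, and the three concrete names created here (perfc, perfc.dat, perfc.dll) are this example's assumption about which names the malware tests for, following the BleepingComputer write-up.

```powershell
# Added example: plant the "perfc" vaccine files and verify them.
# Assumption: the malware checks for these file names in the Windows directory
# and exits if one exists. Run as Administrator.
#Requires -RunAsAdministrator

$names  = 'perfc', 'perfc.dat', 'perfc.dll'
$windir = $env:SystemRoot

function Install-PerfcVaccine {
    foreach ($n in $names) {
        $path = Join-Path $windir $n
        if (-not (Test-Path -LiteralPath $path)) {
            # A zero-byte file is enough; the check is for existence, not content.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only is belt and braces: it makes a casual overwrite fail.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PerfcVaccine {
    # Returns $true only if every marker file exists and is read-only.
    $ok = $true
    foreach ($n in $names) {
        $path = Join-Path $windir $n
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if (-not $item -or -not $item.IsReadOnly) {
            Write-Warning "Missing or writable: $path"
            $ok = $false
        }
    }
    $ok
}

Install-PerfcVaccine
if (Test-PerfcVaccine) { "Vaccine in place on $env:COMPUTERNAME." }
else { "Vaccine incomplete on $env:COMPUTERNAME." }
```

To push it fleet-wide, run the script through Invoke-Command -FilePath against your computer list, and schedule Test-PerfcVaccine as a compliance check. Keep it in perspective: the malware runs as an administrator, so the read-only bit is a speed bump, not a control, and this vaccine does nothing against the next variant that checks for a different file name. Patching and killing SMB-1 are still the real fix.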

In the meantime, for the love of your job, patch your systems -- all of them -- now. Otherwise you'll soon be on an unemployment line. This is one nasty bug, and it's already wrecked several thousand businesses. You don't want your company to be the next one.
