Petya Ransomware


Systems Affected

Windows Operating Systems

Threat Level



A new Ransomware variant with worm like capabilities has infected many companies in Europe and a couple in the United States. The media is calling it "Petya" but it is not similar to the Petya variants seen before. The malware is distributed via phishing e-mails. The ransomware propagates through two main vectors: - MS17-10 Vulnerability (Eternal Blue). - After infection of a MS17-10 vulnerable machine, user credentials are taken from memory and used to access other computers on the local network and infect them via remote access to WMI(Windows Management Instrumentation).


The malware clears system logs using the following command: "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:" to make further analysis more difficult. It also writes its code to Hard Drive MBR, initiates system reload and adds reload commands to Windows planner ("schtasks" and "at" commands). After the system is reloaded the malware downloads its code from MBR and encrypts data on the hard drive (File allocation table is encrypted, we are currently investigation what else is being encrypted). If the computer is shut down before the reload, MBR can be reestablished with "bootrec /FixMbr" command. (in Vista+, for Windows XP "fixmbr" can be used). In case the privileges are not high enough to rewrite MBR, the files are encrypted without a system reload. The list of file types that are encrypted: 3ds,7z,accdb,ai,asp,aspx,avhd,back,bak,c,cfg,conf,cpp,cs,ctl,dbf,disk, djvu,doc,docx,dwg,eml,fdb,gz,h,hdd,kdbx,mail,mdb,msg,nrg,ora,ost,ova, ovf,pdf,php,pmf,ppt,pptx,pst,pvi,py,pyc,rar,rtf,sln,sql,tar,vbox,vbs, vcb,vdi,vfd,vmc,vmdk,vmsd,vmx,vsdx,vsv,work,xls,xlsx,xvd,zip."


Solution/ Workarounds

Most Anti-Virus vendors now have signatures for this ransomware sample but other samples with similar characteristics may not have proper detection rates We recommend patching for the MS17-010(CVE-2017-0144) vulnerability of all your Windows machines if it has not be done yet. Microsoft has also advised on how to disable smbv1 which can be an additional mitigation We would like to stress that paying the ransom will not result in the decryption key being handed over.



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.