Petya Ransomware


Systems Affected

Windows Operating Systems

Threat Level



A new Ransomware variant with worm like capabilities has infected many companies in Europe and a couple in the United States. The media is calling it "Petya" but it is not similar to the Petya variants seen before. The malware is distributed via phishing e-mails. The ransomware propagates through two main vectors: - MS17-10 Vulnerability (Eternal Blue). - After infection of a MS17-10 vulnerable machine, user credentials are taken from memory and used to access other computers on the local network and infect them via remote access to WMI(Windows Management Instrumentation).


The malware clears system logs using the following command: "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:" to make further analysis more difficult. It also writes its code to Hard Drive MBR, initiates system reload and adds reload commands to Windows planner ("schtasks" and "at" commands). After the system is reloaded the malware downloads its code from MBR and encrypts data on the hard drive (File allocation table is encrypted, we are currently investigation what else is being encrypted). If the computer is shut down before the reload, MBR can be reestablished with "bootrec /FixMbr" command. (in Vista+, for Windows XP "fixmbr" can be used). In case the privileges are not high enough to rewrite MBR, the files are encrypted without a system reload. The list of file types that are encrypted: 3ds,7z,accdb,ai,asp,aspx,avhd,back,bak,c,cfg,conf,cpp,cs,ctl,dbf,disk, djvu,doc,docx,dwg,eml,fdb,gz,h,hdd,kdbx,mail,mdb,msg,nrg,ora,ost,ova, ovf,pdf,php,pmf,ppt,pptx,pst,pvi,py,pyc,rar,rtf,sln,sql,tar,vbox,vbs, vcb,vdi,vfd,vmc,vmdk,vmsd,vmx,vsdx,vsv,work,xls,xlsx,xvd,zip."


Solution/ Workarounds

  ✻  Update the latest version of the Mozilla's Firefox on Windows, Linux and Mac.



The information provided herein is on "as is" basis, without warranty of any kind.


© Copyright Sri Lanka CERT|CC. All Rights Reserved.