Petya Ransomware – After the Smoke Clears

Nixu CDC

Nixu CDC

June 28, 2017 at 10:30
Originally published at 8:30 EET on June 28, 2017
Note that this article discusses current on-going events and some information may have changed since publishing.

Like with many current cybersecurity incidents today, discussion around Petya (or NotPetya as some have dubbed the case) has the entire global security community involved in the discussion. Our initial thoughts on the matter were already posted earlier:

Nixu blog, Petya Ransomware - The Second Coming of WannaCry on June 27.

Now that closer to 12 hours has passed, we are starting to get a better picture of what is happening and which reports are credible. Out of the thousands of messages posted to forum such as Twitter under the tag #petya, some turned out to be more credible than others.

Based on the information available and Nixu Cyber Defense Center analysis the following seems certain:

  • The malware follows the usual pattern of recent ransomware cases – systems are infected, files are encrypted and money in form of Bitcoins is requested to get the files back
  • Ukraine appears to be the location of patient zero in this incident, although the malware has since spread globally using several strategies and exploits
  • Many sources indicate that specific applications have been compromised initially and used to spread the malware, resulting in pockets of infections especially in Ukraine
  • E-mail address of the perpetrator that was used to collect the ransoms was closed down early on, making it impossible to obtain the unlock code even if ransom is paid
  • While the malware is similar to the original Petya which has been around for a while, it has been altered enough that many use the term NotPetya instead to raise awareness on these differences
  • The malware uses same EternalBlue exploit as WannaCry earlier to spread but it also has other options available for infecting additional machines in the environment which might not be vulnerable to EternalBlue
    • We’ve seen cases of systems getting compromised even when relevant patches were installed due to this aspect


Once the malware gains access to a system, it will attempt to extract all credentials from the Windows-based machine using tool called LsaDump. Using such credentials, the malware will then attempt to locate other systems within the local network and access these using the discovered credentials. It appears to have the ability to use normal methods such as PSEXEC, WMIC and SMB to log in, allowing it to access wide range of machines as long as credentials can be found. There doesn’t appear to be any technical exploitation happening at this stage beyond just using credentials in typical manner.

Based on this information, it appears that steps taken to secure systems against WannaCry – mainly patching and ensuring that adequate anti-virus capabilities are in place – are effective also against the Petya outbreak. Without initial access to a running system and its credentials within the network, the malware behaves in similar manner to WannaCry.

Beyond the usual recommendations laid out earlier such as patching and using anti-virus, there are several technical steps which can be taken to protect systems.

Reports state that in the current version of the malware, creating the file:

c:\windows\perfc

And setting it to read-only from file properties will stop the malware from installing. This possibly won’t work if the malware is modified by someone at a later point but it can be used to guard individual critical machines from the current evolution.

Anti-virus systems have been picking up speed and the detection rate is getting much better. If your organization has not yet installed signature updates to all machines, now is a good time to do this. Beyond just patching the systems, this helps to ensure that the malware is detected before it can find a host to spread from within the local network.

Nixu’s Cyber Defense Center continues to follow up on new developments on this case. New information will be released as the case develops further.

If you suspect that your network and systems may have been compromised, please contact us for help on resolving the issue. Read more>> 

Related blogs