
Ransom:Win32/Petya.A-joey


First posted on 29 June 2017.
Source: Microsoft

Aliases:

There are no other names known for Ransom:Win32/Petya.A-joey.

Explanation:

Installation

This threat may be installed by malicious documents distributed through email, and it uses exploits to spread to other machines.

You might see the following email:

Payload

Encrypts Master Boot Record (MBR)

If the malware is executed with the SeShutdownPrivilege, SeDebugPrivilege, or SeTcbPrivilege privilege, it overwrites the MBR of the victim's machine. It accesses drive 0 directly ('\\.\PhysicalDrive0') using the DeviceIoControl() API.

Encrypts files

This malware encrypts fixed drives using AES-128 and RSA-2048 and encrypts the following file extensions:

.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pv .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmd .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip

It skips the folder "C:\Windows".

It drops the following decryption instructions:

If the file C:\Windows\perfc.dat exists in %SystemRoot%, the malware stops its Windows Management Instrumentation Command-line (WMIC) and PsExec spreading components from running. The EternalBlue exploit will still be executed; machines that are patched are not vulnerable to that exploit.
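The two defender-side checks that follow from this entry, the %SystemRoot%\perfc.dat marker and the targeted-extension list, can be scripted for triage. The PowerShell below is an added example written for this page; it is not code from Microsoft or malwarePDF. It assumes an elevated session on the host being checked, that $env:SystemRoot resolves to C:\Windows, and that fixed drives are those Win32_LogicalDisk reports with DriveType 3. The extension list is the one given above. Marking the created file read-only is an added precaution; the entry only states that the file must exist, and the marker does nothing against the EternalBlue path, so MS17-010 patching is still required.

```powershell
# Added example (not from the malwarePDF/Microsoft entry): triage helpers for the
# behaviour described above. Assumes an elevated session and $env:SystemRoot = C:\Windows.

# --- 1. Kill-switch marker -------------------------------------------------
# The entry states that %SystemRoot%\perfc.dat stops the WMIC/PsExec spreading
# components. EternalBlue still runs, so this complements patching, never replaces it.
function Test-PetyaKillSwitch {
    param([string]$SystemRoot = $env:SystemRoot)
    $path   = Join-Path $SystemRoot 'perfc.dat'
    $exists = Test-Path -LiteralPath $path -PathType Leaf
    [pscustomobject]@{
        Path     = $path
        Exists   = $exists
        ReadOnly = if ($exists) { (Get-Item -LiteralPath $path).IsReadOnly } else { $false }
    }
}

function New-PetyaKillSwitchFile {
    param([string]$SystemRoot = $env:SystemRoot)
    $path = Join-Path $SystemRoot 'perfc.dat'
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        New-Item -ItemType File -Path $path -Force | Out-Null
    }
    # Read-only is an added precaution (assumption, not stated by the entry) so the
    # marker is not silently replaced by an ordinary write.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    Test-PetyaKillSwitch -SystemRoot $SystemRoot
}

# --- 2. Exposure inventory --------------------------------------------------
# Extensions listed by the entry as targeted for encryption (lower-case for matching).
$TargetedExtensions = @(
    '.3ds','.7z','.accdb','.ai','.asp','.aspx','.avhd','.back','.bak','.c','.cfg','.conf',
    '.cpp','.cs','.ctl','.dbf','.disk','.djvu','.doc','.docx','.dwg','.eml','.fdb','.gz',
    '.h','.hdd','.kdbx','.mail','.mdb','.msg','.nrg','.ora','.ost','.ova','.ovf','.pdf',
    '.php','.pmf','.ppt','.pptx','.pst','.pv','.py','.pyc','.rar','.rtf','.sln','.sql',
    '.tar','.vbox','.vbs','.vcb','.vdi','.vfd','.vmc','.vmd','.vmsd','.vmx','.vsdx','.vsv',
    '.work','.xls','.xlsx','.xvd','.zip'
)

# Counts files on fixed drives whose extension is in the targeted list, skipping
# %SystemRoot% the way the entry says the malware does. Use the result to decide
# which data must be confirmed in offline backups before an incident.
function Get-PetyaExposure {
    param([string[]]$Roots)
    if (-not $Roots) {
        # DriveType 3 = local fixed disk (Win32_LogicalDisk)
        $Roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' |
                 ForEach-Object { "$($_.DeviceID)\" }
    }
    $skip = $env:SystemRoot.TrimEnd('\') + '\'
    $hits = foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            Where-Object {
                -not $_.FullName.StartsWith($skip, [System.StringComparison]::OrdinalIgnoreCase) -and
                $TargetedExtensions -contains $_.Extension.ToLowerInvariant()
            }
    }
    $hits | Group-Object { $_.Extension.ToLowerInvariant() } |
        Sort-Object Count -Descending |
        Select-Object @{ n = 'Extension'; e = { $_.Name } }, Count
}

# Usage:
#   Test-PetyaKillSwitch                    # report whether the marker is present
#   Get-PetyaExposure | Format-Table -AutoSize
#   New-PetyaKillSwitchFile                 # create the marker (elevated session)
```

Run the inventory during quiet hours on large file servers, since it walks every fixed drive; the extension match is exact and case-insensitive, and the %SystemRoot% exclusion mirrors the folder the entry says the malware skips rather than any judgement about what is safe there.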

Last update 29 June 2017
