08 Nov


Ransomware Petya

Rising from WannaCry's ashes, a new peril began: Petya. In 2016 and 2017, the Petya ransomware and its variants affected thousands of computers worldwide. Immediately after WannaCry showed signs of subsiding, Petya emerged as a perfect replacement.

The special feature of this malware is that it does not encrypt the user's data files; instead it overwrites the Master Boot Record (MBR) and encrypts the Master File Table (MFT), so that users cannot even boot into the operating system.

How Petya works - Source: Microsoft.com

According to sources, the Petya attack originated from MEDoc, a Ukrainian-based audit company, through an update of MEDoc's software that contained Petya. In addition, Petya was also embedded in document files deliberately sent to organisations; when the user opens such a file, the ransomware tricks the user into enabling the macro available in versions of Office.

Stage 1: High level

There are many variants of Petya ransomware in the wild, but in this article we will focus on analysing the following sample:

SHA-256: 26b4699a7b9eeb16e76305d843d4ab05e94d43f3201436927e13b3ebafa90739

It is easy to recognise that the ransomware sample needs to be unpacked before it executes its real code. While debugging the ransomware, we see calls to functions such as VirtualAlloc and VirtualProtect, which allocate a new memory region and change its protection. The guess is that this region will hold the actual ransomware code after unpacking, so we only need to set a breakpoint at the start of the newly created memory, and this is the result:

As we can see in the picture above, the hexdump window shows the header of a PE file. Dumping the entire region gives us a Setup.dll file with a complete, easy-to-read import table.

Let us go through the functions that Setup.dll performs, in order, when it is launched. First, the ransomware retrieves the victim's hard drive information with the DeviceIoControl function: the physical location of a volume on the disk, and the type and size of the drive's partition (via IOCTL_DISK_GET_PARTITION_INFO_EX and the PARTITION_INFORMATION_EX structure). Here is the pseudocode of the function that obtains the physical disk holding a volume:

  // Decompiled pseudocode: builds the "\\\\.\\PhysicalDriveN" name of the disk that
  // holds the system volume; v1 points to the 19-byte output buffer.
  v1 = this;
  BytesReturned = 0;
  v2 = GetSystemDirectoryA(0, 0);                  // required buffer size, e.g. for "C:\Windows"
  v3 = v2;
  if ( !v2 )
    return 0;
  v5 = (CHAR *)sub_239090(v2);                     // allocate v2 bytes
  if ( !GetSystemDirectoryA(v5, v3) )
    return 0;
  *(_DWORD *)FileName = 1546542172;                // 0x5C2E5C5C == "\\\\.\\"
  v9 = *v5;                                        // drive letter of the system volume
  v10 = 58;                                        // ':'  -> FileName == "\\\\.\\C:"
  v6 = CreateFileA(FileName, 0, 3u, 0, 3u, 0, 0);  // open the volume: share READ|WRITE, OPEN_EXISTING
  if ( v6 == (HANDLE)-1 )
    return 0;
  // 0x560000 is the IoControlCode IOCTL_VOLUME_GET_VOLUME_DISK_EXTENTS: OutBuffer receives a
  // VOLUME_DISK_EXTENTS structure whose first extent's DiskNumber is v12. Later calls use
  // 0x70048 (IOCTL_DISK_GET_PARTITION_INFO_EX) and 0x70000 (IOCTL_DISK_GET_DRIVE_GEOMETRY)
  // to retrieve the partition and geometry information of that disk.
  DeviceIoControl(v6, 0x560000u, 0, 0, &OutBuffer, 0x20u, &BytesReturned, 0);
  qmemcpy(v1, "\\\\.\\PhysicalDrive", 17);
  v1[17] = v12 + 48;                               // disk number as an ASCII digit
  v1[18] = 0;
  return 1;

The ransomware then creates a buffer containing the ransom note with the payment links hxxp://petya5koahtsf7sv[.]onion/[Random] and hxxp://petya37h5tbhyvki[.]onion/[Random], and calls the CryptGenRandom function to generate the victim's private key:

  v4 = (_DWORD *)phProv;
  *(_DWORD *)phProv = 0;
  // PROV_RSA_FULL (1) with CRYPT_VERIFYCONTEXT (0xF0000000): a temporary context
  // that needs no key container, which is enough to call CryptGenRandom
  if ( !CryptAcquireContextA(&phProv, 0, 0, 1u, 0xF0000000) )
    return -60;
  if ( !CryptGenRandom(phProv, dwLen, pbBuffer) )  // dwLen random bytes -> pbBuffer (the key material)
    return -60;
  CryptReleaseContext(phProv, 0);
  *v4 = dwLen;
  return 0;

After the payload has been written, the ransomware uses NtRaiseHardError to force the computer to reboot:

  v0 = GetCurrentProcess();
  // 0x28 == TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
  if ( !OpenProcessToken(v0, 0x28u, &TokenHandle) )
    return 0;
  LookupPrivilegeValueA(0, "SeShutdownPrivilege", (PLUID)Newstate.Privileges);
  Newstate.PrivilegeCount = 1;
  Newstate.Privileges[0].Attributes = 2;           // SE_PRIVILEGE_ENABLED
  AdjustTokenPrivileges(TokenHandle, 0, &Newstate, 0, 0, 0);
  if ( GetLastError() )
    return 0;
  v2 = GetModuleHandleA("NTDLL.DLL");
  v3 = GetProcAddress(v2, "NtRaiseHardError");     // undocumented native API, resolved at run time
  // ErrorStatus 0xC0000350 (STATUS_HOST_DOWN) with ResponseOption 6 (OptionShutdownSystem):
  // the hard-error handler shuts the system down, so the modified MBR runs on the next boot
  ((void (__cdecl *)(signed int, _DWORD, _DWORD, _DWORD, signed int, char *))v3)(-1073740976, 0, 0, 0, 6, &v5);
  return 1;

Stage 2: Low level

Now we analyse the malicious code inserted into the MBR of the drive.

From the dump of \\.\PhysicalDrive0 we have:

  • Sector 0: the bootloader code itself (the modified MBR)
  • Sectors 1-33: filled entirely with 0x37
  • Sectors 34-49: the ransomware's kernel
  • Sectors 50-53: blank
  • Sector 54: nonce, C&C addresses and personal key
  • Sectors 55-56: encrypted data

When the machine starts, the ransomware code is executed.

To read disk sectors, it uses interrupt 0x13 (the BIOS disk service).

Next, the ransomware checks whether the MBR has already been encrypted.

If it has not, Petya uses the Salsa20 algorithm to lock the MFT.

The MFT (Master File Table) is the most important component of an NTFS file system: it contains information about every file and directory on the logical drive.

After the encryption is complete, the main ransom screen is displayed.

When the user enters a Petya key, the code checks the format of the key:

  • It must be exactly 16 bytes long
  • Only the following characters are accepted: 123456789abcdefghijkmnopqrstuvwxABCDEFGHJKLMNPQRSTUVWX

Although it is possible to bypass check_key by patching the targets of some jumps, that does not decrypt the MFT. However, because of the size limitations of the sectors, Petya does not implement the full Salsa20 algorithm, so we can brute-force the decryption key.

In Petya's decryption routine we see:

  • Petya loads the 512 bytes of the 55th sector (this is the data to be decrypted)
  • Petya loads 8 bytes at offset 0x6c21, right before the C&C addresses in the 54th sector (this is the nonce)

We now have the ciphertext and the nonce. You can read up on the Salsa20 algorithm and write a brute-force script yourself, or use the Go script written by a very nice guy, leo-stone.
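As an added example (not code from the original write-up, and not leo-stone's tool), the following Python script applies the sector layout and the key-format rule described above to a raw disk image for forensic triage: it checks the layout markers, extracts the 8-byte nonce at offset 0x6c21 and the 512-byte sector 55 that a recovery tool needs, and validates a candidate key the way check_key does. The image it scans is constructed in memory; the nonce, the kernel bytes and the C&C placeholder in it are made up, and names such as scan_image and build_sample_image are my own. It does not attempt the Salsa20 brute force itself.

```python
import binascii

SECTOR = 512

# Layout of an infected \\.\PhysicalDrive0 as described in the write-up
# (sector numbers are LBA indices from the start of the disk).
FILLER_SECTORS = range(1, 34)    # sectors 1-33: every byte is 0x37
KERNEL_SECTORS = range(34, 50)   # sectors 34-49: the ransomware kernel
BLANK_SECTORS = range(50, 54)    # sectors 50-53: zero-filled
CONFIG_SECTOR = 54               # nonce, C&C addresses and personal key
VERIFY_SECTOR = 55               # first of the two encrypted data sectors
NONCE_OFFSET = 0x6C21            # absolute offset of the 8-byte nonce (sector 54 + 0x21)
NONCE_LEN = 8

KEY_LEN = 16
KEY_ALPHABET = frozenset("123456789abcdefghijkmnopqrstuvwxABCDEFGHJKLMNPQRSTUVWX")


def sector(image, n):
    """Return sector n (512 bytes) of a raw disk image held in memory."""
    return bytes(image[n * SECTOR:(n + 1) * SECTOR])


def is_key_format_valid(key):
    """Same rule as the bootloader's check_key: 16 characters from the fixed alphabet.
    Passing this test says nothing about whether the key actually decrypts the MFT."""
    return len(key) == KEY_LEN and all(c in KEY_ALPHABET for c in key)


def scan_image(image):
    """Check a raw image for the Petya sector layout and pull out the parameters
    a recovery tool needs: the nonce and the encrypted verification sector."""
    if len(image) < (VERIFY_SECTOR + 2) * SECTOR:
        raise ValueError("image too short: the layout spans sectors 0-56")
    findings = {
        "boot_signature": sector(image, 0)[510:] == b"\x55\xAA",
        "filler_0x37": all(set(sector(image, n)) == {0x37} for n in FILLER_SECTORS),
        "kernel_present": any(any(sector(image, n)) for n in KERNEL_SECTORS),
        "blank_50_53": not any(any(sector(image, n)) for n in BLANK_SECTORS),
        "nonce": bytes(image[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]),
        "verification_block": sector(image, VERIFY_SECTOR),
    }
    findings["likely_petya"] = (findings["filler_0x37"]
                                and findings["kernel_present"]
                                and findings["blank_50_53"])
    return findings


def build_sample_image(infected=True):
    """Constructed test image (not a real sample): 64 sectors laid out as above."""
    img = bytearray(64 * SECTOR)
    img[510:512] = b"\x55\xAA"                          # ordinary MBR boot signature
    if not infected:
        return img                                      # clean disk: everything else is zero
    for n in FILLER_SECTORS:
        img[n * SECTOR:(n + 1) * SECTOR] = b"\x37" * SECTOR
    for n in KERNEL_SECTORS:                            # arbitrary non-zero bytes standing in for code
        img[n * SECTOR:(n + 1) * SECTOR] = bytes(((n * 7 + i) % 255) + 1 for i in range(SECTOR))
    cfg = bytearray(SECTOR)
    cfg[0x21:0x21 + NONCE_LEN] = bytes(range(1, 9))     # constructed nonce
    cnc = b"[C&C address placeholder]"                  # the real sector carries the .onion links here
    cfg[0x29:0x29 + len(cnc)] = cnc
    img[CONFIG_SECTOR * SECTOR:(CONFIG_SECTOR + 1) * SECTOR] = cfg
    img[VERIFY_SECTOR * SECTOR:(VERIFY_SECTOR + 1) * SECTOR] = bytes(range(256)) * 2
    return img


if __name__ == "__main__":
    report = scan_image(build_sample_image())
    for name, value in report.items():
        if isinstance(value, bytes):
            value = binascii.hexlify(value[:16]).decode() + ("..." if len(value) > 16 else "")
        print(f"{name:>20}: {value}")
    print("key format ok:", is_key_format_valid("1a2b3c4d5e6f7g8h"))
```

On a real case you would replace build_sample_image with the bytes of a dd-style image of the first 57 sectors of the disk; the 0x37 filler and the blank sectors 50-53 are the cheapest markers to check before spending time on the brute force, and the nonce and verification block are exactly the two inputs the decryption routine reads.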


Creating ransomware that launches from the boot sector and encrypts the MBR and MFT is a very interesting direction. However, deploying ransomware below the kernel layer introduced several flaws in the implementation of the encryption algorithm, so that we can decrypt without the key. This made the first version of Petya relatively harmless. Nevertheless, malicious code such as Petya and Goldeneye has inspired hackers to develop ransomware that attacks the kernel layer, posing a challenge for security researchers.
