How Does Petya Ransomware Encryption Work, and Is Recovery Possible?
On June 27, reports began to appear online about the rapid spread of a malicious program, the Petya encryptor, which encrypts data on the victim's computer.
- Large corporations in Russia, Ukraine, the EU, the US and several other countries were attacked. Specialists at BiZone conducted a detailed analysis of how the malware works.
- Below are the results of the study, together with recommendations for removing it from the victim's computer and recovering data.
The malware is distributed in several ways, including as e-mail attachments (phishing mailings).
For subsequent spread within the network it uses:
- The MS17-010 vulnerability, the same one used by WannaCry;
- Remote access through Windows Management Instrumentation (WMI), with commands of the form
wmic.exe /node:"<hostname>" /user:"<username>" /password:"<password>" process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
- The PsExec utility from Microsoft (account names and passwords are collected on the infected machine with a tool similar in function to Mimikatz; clear-text passwords are obtained by reading the memory of the lsass.exe process).
To hinder subsequent analysis, Petya clears the Windows event logs and the NTFS USN change journal with the command:
wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
- The event log entries themselves are not actually deleted; only a note is made in the log header that it has been cleared, so the records can be restored.
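The log-clearing chain above is a useful detection opportunity in its own right. As an added example (not part of the original analysis), the following Python classifies process-creation command lines for that pattern. The sample command lines are constructed for the example; in a real deployment they would come from Sysmon Event ID 1 or Security Event ID 4688 with command-line auditing enabled, and the clearing itself also leaves Event ID 1102 (Security) and 104 (System) records that a SIEM can alert on.

```python
import re

# Constructed sample process-creation command lines (Sysmon Event ID 1 /
# Security Event ID 4688 with command-line auditing); not real telemetry.
SAMPLE_COMMAND_LINES = [
    "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security "
    "& wevtutil cl Application & fsutil usn deletejournal /D C:",
    "wevtutil qe Security /c:5 /f:text",      # benign: querying, not clearing
    "fsutil usn queryjournal C:",              # benign: reading journal info
    "wevtutil cl Application",                 # single clear: suspicious, lower confidence
]

# "wevtutil cl <log>" or its long form "wevtutil clear-log <log>"
CLEAR_LOG_RE = re.compile(r"\bwevtutil(?:\.exe)?\s+(?:cl|clear-log)\s+(\S+)", re.I)
# "fsutil usn deletejournal" wipes the NTFS change journal (file timeline evidence)
DELETE_JOURNAL_RE = re.compile(r"\bfsutil(?:\.exe)?\s+usn\s+deletejournal\b", re.I)


def analyse_command_line(cmd):
    """Classify one command line by the anti-forensic actions it performs."""
    cleared = [log.lower() for log in CLEAR_LOG_RE.findall(cmd)]
    deletes_journal = bool(DELETE_JOURNAL_RE.search(cmd))
    if deletes_journal or len(cleared) >= 2 or "security" in cleared:
        severity = "high"      # chained clearing or journal deletion: the Petya pattern
    elif cleared:
        severity = "medium"    # a single cleared log; may be an administrator
    else:
        severity = "none"
    return {"command": cmd, "cleared_logs": cleared,
            "deletes_usn_journal": deletes_journal, "severity": severity}


def scan(command_lines):
    """Run the classifier over a batch of command lines."""
    return [analyse_command_line(c) for c in command_lines]


if __name__ == "__main__":
    for result in scan(SAMPLE_COMMAND_LINES):
        if result["severity"] != "none":
            print(result["severity"].upper(), result["cleared_logs"],
                  "usn-journal-deleted" if result["deletes_usn_journal"] else "",
                  "|", result["command"])
```

The severity tiers are a starting point: a single `wevtutil cl` by an administrator is plausible, but clearing Security or several logs in one command line, or deleting the USN journal, is rarely legitimate and deserves an alert.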
The system can be encrypted in two different ways:
1. Encryption of the master file table $MFT (NotPetya)
- The malicious file writes its code to the MBR and the following few sectors (the original MBR is stored in sector 34, encrypted with XOR 0x07). The system is then rebooted (using the "schtasks" and "at" commands), and at the next boot the screen shows what looks like the CHKDSK utility running. In fact, at this point the $MFT is being encrypted with the cryptographically strong Salsa20 cipher (the code is similar to the original Petya). The distinctive feature of this method is that the file records are encrypted, not the contents of the files themselves. Data recovery is possible.
Methods of data recovery:
- Manual. Files can be searched for on the disk by signature, but this works only for unfragmented files, and the file name is not recovered. The next method is to search for file records by the "FILE" signature and obtain the list of clusters belonging to the file, which restores both the contents and the file name. During our research we also developed a method for recovering files by rebuilding the non-resident list of sectors belonging to the file (the data runs). It works as follows: the cluster containing the beginning of the file is located (by signature search), then the number of that cluster is used to find the non-resident list of sectors belonging to the file. With these methods you can restore large files that cannot be recovered by signature search or by automatic tools.
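The record-based methods above can be illustrated with a small parser. The Python below is an added example, not BiZone's tooling: it applies the NTFS update-sequence fixups, reads the $FILE_NAME and $DATA attributes of a FILE record, decodes the non-resident data runs into (cluster, count) pairs, and locates the record whose runs cover a cluster found by signature search (the third method described). The offsets are those of the standard NTFS on-disk format; the MFT record it scans is constructed in build_sample_record() for the example.

```python
import struct

SECTOR = 512
RECORD_SIZE = 1024          # MFT record size on virtually all NTFS volumes
ATTR_FILE_NAME, ATTR_DATA, ATTR_END = 0x30, 0x80, 0xFFFFFFFF


def apply_fixups(rec):
    """Undo NTFS update-sequence protection: the last two bytes of every sector of a
    FILE record hold the update sequence number (USN); the real bytes are kept in the
    update sequence array whose offset and count sit at record+4 and record+6."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn = rec[usa_off:usa_off + 2]
    rec = bytearray(rec)
    for i in range(1, usa_cnt):
        end = i * SECTOR
        if rec[end - 2:end] != usn:
            raise ValueError("fixup mismatch: torn write or not a FILE record")
        rec[end - 2:end] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(rec)


def decode_data_runs(runs):
    """Decode a non-resident run list into (start_lcn, cluster_count) pairs. Run header
    byte: low nibble = size of the length field, high nibble = size of the signed LCN
    delta relative to the previous run (0 = sparse run); a 0x00 header terminates."""
    out, pos, lcn = [], 0, 0
    while pos < len(runs) and runs[pos] != 0:
        len_sz, off_sz = runs[pos] & 0x0F, runs[pos] >> 4
        pos += 1
        length = int.from_bytes(runs[pos:pos + len_sz], "little")
        pos += len_sz
        if off_sz == 0:
            out.append((None, length))
            continue
        lcn += int.from_bytes(runs[pos:pos + off_sz], "little", signed=True)
        pos += off_sz
        out.append((lcn, length))
    return out


def parse_file_record(rec):
    """Return name, flags and $DATA location (runs or resident bytes) of one record."""
    if rec[:4] != b"FILE":
        return None
    rec = apply_fixups(rec)
    flags = struct.unpack_from("<H", rec, 0x16)[0]
    info = {"in_use": bool(flags & 1), "is_dir": bool(flags & 2),
            "name": None, "runs": [], "resident_data": None}
    pos = struct.unpack_from("<H", rec, 0x14)[0]            # offset of first attribute
    while pos + 16 <= len(rec):
        atype, alen, nonres = struct.unpack_from("<IIB", rec, pos)
        if atype == ATTR_END or alen == 0:
            break
        if nonres:                                          # run list offset at +0x20
            content = rec[pos + struct.unpack_from("<H", rec, pos + 0x20)[0]:pos + alen]
        else:                                               # resident: length +0x10, offset +0x14
            clen, coff = struct.unpack_from("<IH", rec, pos + 0x10)
            content = rec[pos + coff:pos + coff + clen]
        if atype == ATTR_FILE_NAME:                         # name length +0x40, UTF-16LE at +0x42
            info["name"] = content[0x42:0x42 + 2 * content[0x40]].decode("utf-16-le")
        elif atype == ATTR_DATA and nonres:
            info["runs"] = decode_data_runs(content)
        elif atype == ATTR_DATA:
            info["resident_data"] = content
        pos += alen
    return info


def find_file_records(image):
    """Carve FILE records wherever the signature sits on a sector boundary."""
    for off in range(0, len(image) - RECORD_SIZE + 1, SECTOR):
        if image[off:off + 4] == b"FILE":
            info = parse_file_record(image[off:off + RECORD_SIZE])
            if info is not None:
                yield off, info


def find_record_for_cluster(image, lcn):
    """Third method from the text: a file header was carved at cluster `lcn`; find the
    FILE record whose data runs cover it, which yields the complete run list."""
    for off, info in find_file_records(image):
        if any(s is not None and s <= lcn < s + n for s, n in info["runs"]):
            return off, info
    return None


def build_sample_record(name, runs_bytes):
    """Constructed test data: an in-use FILE record with one resident $FILE_NAME and one
    non-resident $DATA attribute, protected by a valid update sequence array."""
    hdr = b"FILE" + struct.pack("<HHQHHHHIIQHHI", 0x30, 3, 0, 1, 1, 0x38, 1, 0,
                                RECORD_SIZE, 0, 2, 0, 0) + bytes(8)      # USA area at 0x30
    fn_body = bytes(0x40) + bytes([len(name), 1]) + name.encode("utf-16-le")
    fn_len = -(-(0x18 + len(fn_body)) // 8) * 8                             # 8-byte aligned
    fn_attr = struct.pack("<IIBBHHHIHBB", ATTR_FILE_NAME, fn_len, 0, 0, 0x18, 0, 0,
                          len(fn_body), 0x18, 0, 0) + fn_body
    da_len = -(-(0x40 + len(runs_bytes)) // 8) * 8
    da_attr = struct.pack("<IIBBHHHQQHHIQQQ", ATTR_DATA, da_len, 1, 0, 0x40, 0, 1,
                          0, 0, 0x40, 0, 0, 0, 0, 0) + runs_bytes
    body = hdr + fn_attr + bytes(fn_len - len(fn_attr)) + da_attr + bytes(da_len - len(da_attr))
    body += struct.pack("<II", ATTR_END, 0)
    rec = bytearray(body + bytes(RECORD_SIZE - len(body)))
    struct.pack_into("<I", rec, 0x18, len(body))                            # used size
    usn = b"\x01\x00"
    rec[0x30:0x32] = usn
    for i in (1, 2):                                    # save real sector-end bytes, stamp USN
        end = i * SECTOR
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[end - 2:end]
        rec[end - 2:end] = usn
    return bytes(rec)


def build_sample_image():
    """Constructed image: zero filler with one record at byte offset 2048. Its runs are
    0x18 clusters at LCN 0x5634, then 0x30 clusters starting 0x40 clusters further on."""
    rec = build_sample_record("report.docx", bytes.fromhex("21 18 34 56 11 30 40 00"))
    return bytes(2048) + rec + bytes(1024)
```

Running find_file_records() over a real image recovers name and cluster list for every intact record it meets, including the stray copies in $MFTMirr, hiberfil.sys and directory index files mentioned below; find_record_for_cluster() is the bridge from a carved file header back to its full, possibly fragmented, run list.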
- Automatic: R-Studio, GetDataBack, and others.
- MBR recovery is possible with the "bootrec /FixMbr" command before the system reboots (Vista and later; on Windows XP use the "fixmbr" command).
- Recovering the MBR after the reboot but before encryption: extract the original MBR from sector 34 (disk offset 0x4400, size 0x200), decrypt it (XOR 0x07) and write it to the beginning of the disk.
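The sector-34 recovery step, as an added Python example (not from the original article). It assumes a raw image of the disk with 512-byte sectors, so that sector 34 sits at offset 0x4400 as stated above; it undoes the XOR 0x07 and refuses to touch sector 0 unless the decoded sector looks like an MBR. The image in build_sample_image() is constructed for the example.

```python
import struct

SECTOR_SIZE = 0x200
BACKUP_SECTOR = 34                            # where NotPetya keeps the original MBR
BACKUP_OFFSET = BACKUP_SECTOR * SECTOR_SIZE   # 0x4400, as in the text
XOR_KEY = 0x07
BOOT_SIGNATURE = b"\x55\xAA"


def xor_decrypt(data, key=XOR_KEY):
    """XOR every byte with the key; the same operation encrypts and decrypts."""
    return bytes(b ^ key for b in data)


def looks_like_mbr(sector):
    """Plausibility check before anything is written to sector 0: boot signature at
    offset 510 and every partition-entry status byte either 0x00 or 0x80."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return False
    return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def recover_mbr(image):
    """Return the image with sector 0 replaced by the decoded backup from sector 34.
    Raises if the decoded sector is not a plausible MBR, so a wrong assumption about
    the layout never damages more of the disk."""
    decoded = xor_decrypt(image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR_SIZE])
    if not looks_like_mbr(decoded):
        raise ValueError("sector 34 does not decode to an MBR; leaving the disk untouched")
    return decoded + image[SECTOR_SIZE:]


def recover_image_file(path):
    """Same recovery applied in place to a raw image or block device; only sectors 0
    and 34 are read, so large disks are fine. Always work on a copy of the evidence."""
    with open(path, "r+b") as f:
        f.seek(BACKUP_OFFSET)
        decoded = xor_decrypt(f.read(SECTOR_SIZE))
        if not looks_like_mbr(decoded):
            raise ValueError("sector 34 does not decode to an MBR; leaving the disk untouched")
        f.seek(0)
        f.write(decoded)


def build_sample_image():
    """Constructed disk image (not a real infection): the original MBR has one active
    NTFS-type partition entry and is stored XOR 0x07 in sector 34, while sector 0 holds
    stand-in bytes for the malicious boot code. Returns (original_mbr, image)."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xEB\x63\x90"                                   # placeholder jump
    # status, CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    mbr[446:462] = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                               b"\xFE\xFF\xFF", 2048, 204800)
    mbr[510:512] = BOOT_SIGNATURE
    image = bytearray(64 * SECTOR_SIZE)
    image[0:SECTOR_SIZE] = b"\x90" * 510 + BOOT_SIGNATURE        # stand-in "infected" MBR
    image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR_SIZE] = xor_decrypt(bytes(mbr))
    return bytes(mbr), bytes(image)


if __name__ == "__main__":
    original, infected = build_sample_image()
    assert recover_mbr(infected)[:SECTOR_SIZE] == original
    print("sector 0 restored from sector 34")
```

The plausibility check matters because the sector-34 layout is specific to this malware family: on a disk hit by something else, or on a GPT disk, the decoded bytes will not look like an MBR and the script stops instead of making things worse.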
2. Encryption of files (Misha)
If the malware cannot obtain the privileges needed to overwrite the MBR, files are encrypted without a reboot. List of encrypted file extensions:
3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip.
- No decryption method is currently known; recovery is possible only from backups, for example Volume Shadow Copies, restore points or File History.
Paying the ransom is not recommended, since the attackers' mailbox has been blocked. At present the technical feasibility of decrypting the data is doubtful, and there are no confirmed cases of successful decryption.
Why is data recovery possible?
- NotPetya encrypts only the file table, not the files themselves, so files can be recovered after this encryptor. Before encryption the file system structure looks like this:
- At the beginning of the partition is the master file table (MFT), which holds the file names and their locations. After encryption, all file references in the MFT are encrypted, but the contents of the files remain unchanged:
- Thus all data recovery methods based on carving continue to work. In addition, copies of MFT records are stored in other parts of the file system: they can end up in hiberfil.sys, in directory index files, in $MFTMirr, etc. Therefore, by collecting all intact MFT records, it is possible to recover even fragmented files.
When a system is infected via PsExec, the following files may be present in the Windows directory:
- Install the necessary patches (MS17-010) through Windows Update to fix the vulnerability.
- To stop the spread of this malware, also block the launch of PSEXEC.EXE with local or group security policies on potentially vulnerable machines and, if possible, block or disable remote access to WMI.
- During the study a feature was identified that can prevent infection via PsExec and WMI: it is enough to create an empty file "C:\Windows\perfc".
NotPetya and Misha can act together; launching Misha does not depend on the success of the MBR infection. In many cases, however, Misha does not have time to encrypt all the files with the listed extensions on the disk.
If the infected computer uses GPT instead of MBR, NotPetya writes arbitrary data to the first ten sectors, and the partition table is lost for good. In this case, however, the master file table is not encrypted, and the partition offset can be found from the NTFS partition signature (R-Studio does this automatically).
Creating the perfc file prevents infection only if the original Petya executable was named "perfc.dat".
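Locating an NTFS partition by its boot sector signature after the GPT has been destroyed, as an added Python example (not the article's or R-Studio's code): it scans an image at sector boundaries for the "NTFS    " OEM ID and the 0x55AA boot signature, reads the geometry fields and derives the $MFT offset, and recognises the backup boot sector NTFS keeps just past the end of the volume so it is not reported as a second partition. The image is constructed inline for the example.

```python
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "


def parse_ntfs_boot_sector(sec):
    """Return volume geometry if `sec` is an NTFS boot sector, else None."""
    if len(sec) < SECTOR or sec[3:11] != NTFS_OEM_ID or sec[510:512] != b"\x55\xAA":
        return None
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", sec, 11)
    total_sectors, mft_lcn, mftmirr_lcn = struct.unpack_from("<QQQ", sec, 40)
    if bytes_per_sector not in (512, 1024, 2048, 4096) or sectors_per_cluster == 0:
        return None
    if sectors_per_cluster > 128:      # huge clusters are encoded as a negative power of two
        sectors_per_cluster = 1 << (256 - sectors_per_cluster)
    return {"bytes_per_sector": bytes_per_sector, "sectors_per_cluster": sectors_per_cluster,
            "total_sectors": total_sectors, "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn}


def find_ntfs_volumes(image):
    """Scan sector boundaries for NTFS boot sectors and derive partition start and $MFT
    offsets. NTFS stores a copy of the boot sector at start + total_sectors (the last
    sector of the volume); that copy is flagged rather than reported as a new volume."""
    volumes = []
    for off in range(0, len(image) - SECTOR + 1, SECTOR):
        info = parse_ntfs_boot_sector(image[off:off + SECTOR])
        if info is None:
            continue
        cluster = info["bytes_per_sector"] * info["sectors_per_cluster"]
        info["partition_offset"] = off
        info["mft_offset"] = off + info["mft_lcn"] * cluster
        info["is_backup_copy"] = any(
            v["partition_offset"] + v["total_sectors"] * v["bytes_per_sector"] == off
            for v in volumes if not v["is_backup_copy"])
        volumes.append(info)
    return volumes


def build_sample_image():
    """Constructed image: a 300-sector disk whose first ten sectors are overwritten with
    junk (stand-in for the destroyed GPT), an NTFS volume starting at sector 64 with
    200 sectors, 8 sectors per cluster and $MFT at LCN 4, and its backup boot sector."""
    bs = bytearray(SECTOR)
    bs[0:3] = b"\xEB\x52\x90"
    bs[3:11] = NTFS_OEM_ID
    struct.pack_into("<HB", bs, 11, 512, 8)          # bytes per sector, sectors per cluster
    bs[21] = 0xF8                                    # media descriptor: fixed disk
    struct.pack_into("<QQQ", bs, 40, 200, 4, 12)     # total sectors, $MFT LCN, $MFTMirr LCN
    bs[64] = 0xF6                                    # MFT record size: 2**10 = 1024 bytes
    bs[510:512] = b"\x55\xAA"
    image = bytearray(300 * SECTOR)
    image[0:10 * SECTOR] = b"\xA5" * (10 * SECTOR)
    image[64 * SECTOR:65 * SECTOR] = bs
    image[264 * SECTOR:265 * SECTOR] = bs            # backup copy at start + total_sectors
    return bytes(image)


if __name__ == "__main__":
    for v in find_ntfs_volumes(build_sample_image()):
        kind = "backup boot sector" if v["is_backup_copy"] else "NTFS volume"
        print(f"{kind} at offset {v['partition_offset']:#x}, $MFT at {v['mft_offset']:#x}")
```

Once the partition offset and $MFT offset are known, the record parser from the $MFT recovery section can be pointed straight at the table, which is exactly the shortcut the text describes for GPT disks: the partition table is gone, but the file system behind it is intact.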