Petya 2017 Ransomware

Posted: June 29, 2017

Threat Metric

The Threat Meter is a malware assessment that SpywareRemove.com's research team is able to give every identifiable malware threat. Our Threat Meter includes several criteria based off of specific malware threats to value their severity, reach and volume. The Threat Meter is able to give you a numerical breakdown of each threat's initial Threat Level, Detection Count, Volume Count, Trend Path and Percentage Impact. The overall ranking of each threat in the Threat Meter is a basic breakdown of how all threats are ranked within our own extensive malware database. The scoring for each specific malware threat can be easily compared to other emerging threats to draw a contrast in its particular severity. The Threat Meter is a useful tool in the endeavor of seeking a solution to remove a threat or pursue additional analytical research for all types of computer users.

The following fields listed on the Threat Meter containing a specific value, are explained in detail below:

Threat Level: The threat level scale goes from 1 to 10 where 10 is the highest level of severity and 1 is the lowest level of severity. Each specific level is relative to the threat's consistent assessed behaviors collected from SpyHunter's risk assessment model.

Detection Count: The collective number of confirmed and suspected cases of a particular malware threat. The detection count is calculated from infected PCs retrieved from diagnostic and scan log reports generated by SpyHunter.

Volume Count: Similar to the detection count, the Volume Count is specifically based on the number of confirmed and suspected threats infecting systems on a daily basis. High volume counts usually represent a popular threat but may or may not have infected a large number of systems. High detection count threats could lay dormant and have a low volume count. Criteria for Volume Count is relative to a daily detection count.

Trend Path: The Trend Path, utilizing an up arrow, down arrow or equal symbol, represents the level of recent movement of a particular threat. Up arrows represent an increase, down arrows represent a decline and the equal symbol represent no change to a threat's recent movement.

% Impact (Last 7 Days): This demonstrates a 7-day period change in the frequency of a malware threat infecting PCs. The percentage impact correlates directly to the current Trend Path to determine a rise or decline in the percentage.

Threat Level:	10/10
Infected PCs:	405

First Seen:	March 25, 2016
Last Seen:	August 17, 2022
OS(es) Affected:	Windows

The Petya 2017 Ransomware is a worm that encrypts files across multiple drives and network-accessible systems and reboots the PC to display a ransom note. This threat's campaign is focusing on government and critical entities in private infrastructures, such as companies in the power sector, throughout the world. While this worm is more sophisticated than most file-encoding threats, victims still can use the same defenses: updating their software, backing up their files, and letting their anti-malware solutions remove the Petya 2017 Ransomware automatically.

Petya Making a Name for Itself Once Again

A wave of file-encrypting attacks against a range of diverse organizations is being carried out with the help of what's either an update or a near-clone of the old Petya Ransomwar. The new variant, being dubbed as the Petya 2017 Ransomware currently, was earlier assumed to be the byproduct of Russian-sponsored cyber-terrorism, although recent attacks including Russian targets (such as Rosneft) are raising doubts about that assumption. Along with locking files, the Petya 2017 Ransomware uses multiple and advanced methods of compromising networks and locking the user out of Windows.

The Petya 2017 Ransomware's infection methods are as sophisticated as its payload, with the first attacks using update-hijacking exploits for the tax accounting program MEDoc. Access to a single machine also allows the Petya 2017 Ransomware, which has full-fledged worm features, to compromise the rest of the network (for example, by collecting login credentials, reusing any active sessions or abusing file-sharing settings).

Besides its system-compromising capabilities, malware experts are confirming that the core of the Petya 2017 Ransomware's payload consists of the following:

The Petya 2017 Ransomware uses a variable encryption routine across all accessible systems (as per above details) and creates a separate decryption key for each drive thus affected. It locks files of over sixty formats, including DOC, DOCX, PHP, XLS and others.
The Petya 2017 Ransomware hijacks the MBR to subvert the loading of the OS and sets a scheduled task forcing the PC to reboot ten minutes after its attack's completion. Although at first, the Petya 2017 Ransomware uses this feature for displaying a fake disk-repair message, it transitions into a ransom note asking for hundreds of dollars in Bitcoins to be paid to the provided address quickly.

Keeping Global Threat Actors from Turning Power into Money

The Petya 2017 Ransomware is a well-coordinated campaign, with victims in various industries reporting of as many as thousands of compromises in the course of single days. Ukraine has been a target of especial interest to the worm's threat actors, but infections elsewhere are being verified, including in Europe and the United States. Since this worm boasts of significant lateral movement-based features, malware experts recommend taking any steps necessary to isolate a compromised machine from others operating on the same network immediately.

Microsoft has responded promptly to this series of attacks and is offering a variety of recommendations for self-defense, in addition to the standard recommendation of updating all potentially vulnerable software. Surprisingly, for such an advanced worm, the Petya 2017 Ransomware also includes a remarkable limitation: it self-terminates, without encrypting media, whenever the file 'perfc' (without an extension) exists within the Windows directory. Users can create this file preemptively as a form of makeshift inoculation against current versions of the threat. While most anti-malware programs should remove the Petya 2017 Ransomware appropriately, undoing its boot-up modifications will require repairing the operating system.

The Petya 2017 Ransomware is a well-planned, file-ransoming campaign that's collected thousands of dollars in Bitcoins already. Even more worryingly, this worm is responsible for forcing nuclear plants and similar entities to shut down all systems and revert to manual operating methods, raising the question of just how high in stakes this group of threat actors is willing to gamble.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:

%SYSTEMDRIVE%\Users\<username>\Downloads\Nueva carpeta\MalwareDatabase-master\ransomwares\Endermanch@Petya.A.exe

File name: Endermanch@Petya.A.exe
Size: 230.91 KB (230912 bytes)
MD5: af2379cc4d607a45ac44d62135fb7015
Detection count: 178
File type: Executable File
Mime Type: unknown/exe
Path: %SYSTEMDRIVE%\Users\<username>\Downloads\Nueva carpeta\MalwareDatabase-master\ransomwares\Endermanch@Petya.A.exe
Group: Malware file
Last Updated: August 27, 2023

dir\Order-20062017.doc

File name: Order-20062017.doc
Size: 6.21 KB (6215 bytes)
MD5: 415fe69bf32634ca98fa07633f4118e1
Detection count: 31
Mime Type: unknown/doc
Path: dir
Group: Malware file
Last Updated: June 29, 2017

8baa0535ff2f2f3b0f2c0b45b537b4f8

File name: 8baa0535ff2f2f3b0f2c0b45b537b4f8
Size: 68.09 KB (68096 bytes)
MD5: 8baa0535ff2f2f3b0f2c0b45b537b4f8
Detection count: 24
Group: Malware file