Petya - What Really Happened

There has been a lot of information shared this week around the Petya “ransomware” virus. I put this in quotes because, just as with most attacks, once you dive in and get more information you find out that everything is not as it seems. The problem is that with the confusion going on around Petya on Tuesday there was a large amount of misinformation just as with WannaCry.  After the dust settled on Thursday, it appears that the infection vector was through the update process of an accounting package specific to Ukraine.  The infection vector was a malicious update delivered from the Ukrainian tax accounting software M.E. Doc. At roughly 10:30 AM EST on Tuesday 06-27-2017 a malicious update was delivered to users of M.E. Doc through the normal automatic update check.  What makes this a particularly devious and disastrous infection vector is that this software is required for tax purposes if you have a business presence in Ukraine.  So, not only were Ukrainian businesses vulnerable but foreign businesses were also impacted.

The update package contained a payload that executed a DLL file which extracted Petya ransomware and other tools depending on the rights of the user.  Once the resources from the DLL were extracted the payload would then execute the Petya ransomware payload which would overwrite the bootloader for the system. The next time the system restarted it would begin the encryption process disguised as a legitimate disk repair scan. To restart the system, Petya schedules a task to restart the system one hour after infection. 

Once the Petya infection has completed on the system, a scan of the local network for other systems is performed. If another Windows system is found it will attempt to login using the credentials from the infected system.  If the credentials for the infected system failed it would then attempt to exploit the remote system using the same EternalBlue exploit used by WannaCry.  If successful, a copy of the Petya payload was transferred and executed on the remote system and the infection chain begins again on the remote system.

What makes this attack so interesting is not that it was so disastrous but that it could have been so much worse. Using the Me-Doc update process specifically targeted businesses operating in Ukraine and only spread through local networks to infect systems outside of Ukraine. If this had been delivered through more traditional means, such as spear-phishing or malicious spam, the fallout would have been much greater and led to global outages.  The same would have been true for WannaCry which only spread through systems with SMB exposed to the internet. This leads to the belief that this was a targeted attack in which no one really expected to get paid. Backing up this belief is the fact that this Petya seems to have no means of actually decrypting the files once they have been lost.  The installation ID that was once used as a means for the attackers to determine the encryption key is now just a randomly generated string.