Ransomware stories – Petya, the odd one out

petya_figure1What is Petya and how is it different from other ransomware?

Petya ransomware is meant to prevent users from accessing their data and force them to pay ransom in order to recover it. However, unlike other types of ransomware, it does not use encryption to compromise the files one by one, which may take time – time in which malicious activity may be detected. Instead, it developed a more efficient way of compromising a lot of information over a very short period of time, by replacing the computer operating system loader with its own code.

This allows the malware to take control over the entire PC, preventing the original OS from running, which means nothing OS-related runs anymore. And that includes AV engines or other security tools.

Delivery and infection stages

Petya is delivered through social engineering techniques based on fake email campaigns, leading users into believing they are downloading a document of relative significance.

During the first stage, the obfuscated payload is executed, protected by advanced anti-detection techniques simulating harmless behavior and preventing anti malware solutions from accessing the payload itself. It copies necessary information to the disk and then compromises the master boot record, thus preparing for the next stage, that of taking complete control over the PC. In order to trigger the next stage, it causes a forced reboot of the computer.

After the reboot, the second stage begins, where a malicious kernel is booted up instead of the original OS. During this stage, Petya encrypts the master file table, thus preventing access to the files themselves, if the disk is plugged in other machines for recovery purposes. Once the job is done, it will display a UI that instructs the victim how to proceed in order to recover the files.

Recovery options

We are now at the third version of Petya that features improved cryptography, new keys and better hiding techniques. Thanks to a handful of people who studied the malware closely, for the first two versions of Petya, some recovery options and advice are available (and an ongoing effort to crack the latest version), either by preventing the trigger of the second phase, or by using tools that are able to crack the malware’s cryptography. Read more information on recovery from the first two versions here.


Various anti-virus vendors struggle to detect the malicious payload, but the success is minimal because of the measures taken by the developers to elude detection, and new releases of Petya that contain new payloads. While the old versions of Petya may have a better success rate, the latest version still causes problems to AV vendors, and…there is no telling when a newer version will be released.

How we can help

So until now in the fight against Petya, prevention is the key. There is little more that can be done, other than relying on a layered security approach, where employee training works together with anti-malware solutions in order to prevent the initial infection from happening. The situation is much worse for most home users who do not have knowledge and resources to effectively prevent the infection or recover from one. Consumers contribute significantly to the attackers’ budgets, so as long as ransom will be paid, new versions will keep coming our way.

TEMASOFT FileMonitor, our file monitoring software, can already detect when suspicious executables are downloaded on systems and can trigger alerts that could be linked to automated tools to quarantine or block a potential offending application.

Moreover, TEMASOFT joins the fight against ransomware by developing a technique that will enable early detection of any typical ransomware, using advanced file-access patterns, correlated with disk protection functionality. This solution will be available soon, and will allow people and companies to add an extra, far more efficient, layer of security to their AV engines, to eliminate ransomware threats.

References: https://hshrzd.wordpress.com/

If you would like to get more information, follow us on LinkedIn or subscribe to our newsletter.