New “Petya” Ransomware spreads via MS Word documents

Petya, the well known ransomware worm, is back again, this time exploiting EternalBlue vulnerability, which was exploited by WannaCry and AdyllKuz.

How is Petya different?

Petya’s dropper writes the malicious code at the beginning of the disk. The affected system’s master boot record (MBR) is overwritten by the custom boot loader that loads a tiny malicious kernel. Then, this kernel proceeds with further encryption. Unlike its other siblings, Petya does not encrypt the files but it boots the operating system in an unusable stage unless, ofcourse, ransom is paid.

Petya is believed to have spread by either of the two vulnerabilities.

  1. Microsoft CVE-2017-0199: Microsoft Office/WordPad Remote Code Execution Vulnerability – This vulnerability is specially crafted Microsoft Word and Wordpad files. An attacker who successfully exploited this vulnerability could take control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
  2. MS17-010 “Eternal blue”  – This vulnerability that exploits SMB bug to affect remote systems was made popular by the recently viral Wannacry.

As of now the Ransomware is spreading terror across Europe and possibly Russia. Some of the large corporations hit by the Ransomware are Rosneft, Maersk, Saint Gobain, Nivea and major banks, cell phone providers, subways and airports in Ukraine.

What if you are infected by this malware?

If you suspect that you have this ransomware, DO NOT REBOOT. If you will restart your system after infection, the malware will boot into its kernel instead of your Windows, and it will start encryption of MBR of your disk, encrypting the partition tables. However it does not encrypt entire disk, as of now.

Recovery from Petya can be possible by taking a disk-dump or creating a disk image while the system is live. The data from the image can be salvaged after connecting to another un-infected system.



Leave a Reply

Your email address will not be published. Required fields are marked *