
Petya ransomware: How does it work? How to protect?

28/06/2017
Maxime Lamarche
Technical Engineer, EASI

Petya, like WannaCry before it, will stay in people's minds for a long time.

How does it work?

Petya exploits unpatched machines with the same stolen and leaked NSA SMB exploits that WannaCry relied on, EternalBlue (plus, in addition, EternalRomance). It also uses legitimate administration tools, PsExec and WMIC, together with stolen credentials to spread across the network and infect other machines, so a fully patched host can still be hit from an infected neighbour.

Sadly, because many organizations still run a flat network (i.e. no network segmentation), Petya can use these exploits to gain SYSTEM-level code execution on one vulnerable machine and then leverage that foothold to reach every other computer on the network.

Once Petya has administrative rights, it lifts credentials out of memory (a Mimikatz-style credential dumper) to authenticate to other internal systems, and it overwrites the local disk's Master Boot Record (MBR) so that the next reboot displays a message starting with "Ooops, your important files are encrypted." It also encrypts files on the drive with AES-128 in user mode, and after the reboot its boot-sector code encrypts the Master File Table (MFT), which is what renders the disk unusable. The "installation key" shown on screen is random data from which no decryption key can be derived, and the attackers' contact mailbox was shut down within hours, so there is no way to obtain a key to restore your documents. Please don't pay the ransom!

How to protect?

Several measures reduce your exposure to this threat:

  • Patch your systems with the latest Windows Updates; MS17-010 (March 2017) is the fix for the SMB flaws that EternalBlue and EternalRomance abuse.
  • Disable SMB v1 on both servers and clients.
  • Block inbound access to ports 137, 138, 139 and 445 (NetBIOS and SMB) from the internet, and restrict them between workstations where possible, since the worm spreads peer-to-peer.
  • Limit the use of domain administrator accounts: never log on to workstations with them, because credentials lifted from memory on one infected host are what lets the worm reach patched machines.
  • Create a read-only file C:\Windows\perfc.dat (and the extension-less C:\Windows\perfc) to prevent the file-scrambling part of Petya. This "vaccine" only stops local encryption; it does not stop credential theft or lateral movement.
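The checklist above, turned into one elevated PowerShell run. This is an added example, not EASI's script or anything from the Petya analysis: it assumes Windows 8.1/10 or Server 2012 R2 and later (the SmbShare and NetSecurity modules), and the MS17-010 KB numbers it looks for are the March 2017 packages, which later cumulative updates supersede, so "none found" only means "check Windows Update history", not "unpatched".

```powershell
#Requires -RunAsAdministrator
# Petya/NotPetya hardening and vaccination for a single Windows host.
# Added example; assumes Windows 8.1/10 or Server 2012 R2+ (SmbShare, NetSecurity modules).

# 1. Is MS17-010 (the patch for EternalBlue/EternalRomance) installed?
#    KB list taken from the March 2017 bulletin (assumed complete for the OSes named);
#    cumulative updates supersede these, so absence is a prompt to verify, not proof.
$ms17010Kbs = 'KB4012212','KB4012215',   # Windows 7 / Server 2008 R2
              'KB4012213','KB4012216',   # Windows 8.1 / Server 2012 R2
              'KB4012214','KB4012217',   # Server 2012
              'KB4012598',               # XP / Vista / Server 2003 / Server 2008
              'KB4012606','KB4013198','KB4013429'  # Windows 10 1507 / 1511 / 1607
$found = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($found) {
    Write-Host "MS17-010 present: $($found.HotFixID -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found; confirm via Windows Update history (may be superseded)."
}

# 2. Disable SMBv1. The server-side switch takes effect immediately; removing the
#    optional feature also disables the SMB1 client but needs a reboot.
#    On Windows Server use: Remove-WindowsFeature FS-SMB1
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
    -ErrorAction SilentlyContinue | Out-Null

# 3. Block inbound NetBIOS/SMB from outside the local network.
#    'Internet' is the built-in firewall address keyword for non-local addresses;
#    on workstations consider 'Any' with an allow rule for your management subnet,
#    because the worm spreads from peer to peer inside the LAN.
$rules = @(
    @{ Name = 'Block inbound NetBIOS (UDP 137/138) from outside'; Proto = 'UDP'; Ports = 137,138 },
    @{ Name = 'Block inbound NetBIOS/SMB (TCP 139/445) from outside'; Proto = 'TCP'; Ports = 139,445 }
)
foreach ($r in $rules) {
    if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Proto `
            -LocalPort $r.Ports -RemoteAddress Internet -Action Block -Profile Any | Out-Null
        Write-Host "Created firewall rule: $($r.Name)"
    }
}

# 4. Vaccinate: Petya skips its file-scrambling stage when a file named after its
#    own DLL already exists in %SystemRoot%. Create all three names, read-only.
#    This does NOT stop credential theft or lateral movement, only local encryption.
foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
    $path = Join-Path $env:SystemRoot $name
    if (-not (Test-Path $path)) { New-Item -Path $path -ItemType File | Out-Null }
    (Get-Item $path).IsReadOnly = $true
    Write-Host "Vaccine file in place: $path"
}

Write-Host "Reboot to complete SMBv1 removal. Domain-admin hygiene (no workstation logons) is a policy change, not a script."
```

Run it from an elevated PowerShell prompt on each host (or push it through your management tooling); the SMBv1 feature removal and the vaccine files are idempotent, and the firewall rules are only created if a rule with the same display name is not already present.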

Need assistance? We are here to help you!
