Vin Ransomware Blog02

A Quick Overview on NOT PETYA2FPETYA Ransomware


Just when the world was beginning to recover from the recent WannaCry Ransomware attack (May 12, 2017), cyber criminals launched another version of a devastating ransomware which causes the same scale of damage if not more than the WannaCry Ransomware. 

The Ransomware is known as NotPetya / Petya ransomware, this ransomware uses the same exploits which was used in WannaCry Ransomware but researchers claim that Petya ransomware is much more robust and capable compared to WannaCry, primarily because of its propagation mechanism in the network.

The countries that got a massive hit are Ukraine, Europe, and the US.

The basic distribution of Petya ransomware is yet to be confirmed, though some researchers say that it could be through phishing mail like other ransomware and few claims that the distribution of this ransomware is done through a software update mechanism built into an accounting program which is mostly used by the Ukrainian government and the organizations working under the Ukrainian government (Source: Ukrainian cyber police). This might be one of the reasons why Ukraine was affected the most. The motive behind the attack is yet to be revealed.

Petya Ransomware uses 

Eternal Blue Exploit, a Windows exploit whose Patch has already been released. It also spreads in the internal network with WMIC and PSEXEC. This is one of the reasons that even the patched systems can be affected by this ransomware.

The Russian security group claims that this ransomware packs along with it a tool known as LSA Dump that can gather the credential data and the windows password from the Domain controller on the network and the Windows computer.

Ransom Demanded – $300

The victims are instructed to contact the cyber criminals through the provided Email ID once the ransom is paid, but the victims are advised not to pay the ransom since the Email ID of the attacker is blocked/terminated/Shutdown by the email provider.

The encryption process of this ransomware is not the same as other ransomwares, this malware does not encrypt the files on the victim's system by particularly targeting subsequent files or the extensions. Instead, it waits one hour and once the victim reboots/Restarts the device, the ransomware starts encrypting the hard drive’s master file table which is MFT and then renders the boot record not usable. This ransomware replaces the victim’s MBR with the special code of its own that displays the ransom note on the victim’s screen, making the device unusable. This restricts the access to the victim’s device completely.

The destruction intended by the ransomware is set at an expert level but if one considers the ransom and the payment process, it seems amateur compared to the malwares working stats.

Certain points to be noted are:

The payments Bitcoin address for all the victims are same, whereas in other ransomware the attackers create custom bitcoin address for a group or a certain number of victims but in the case of Petya ransomware, the email address remains the same for all the infected victims.

The victims are instructed to communicate to the attacker with the provided email address but the Email Provider has blocked the Email ID of the attacker. Which means even if the ransom is paid there is no way to communicate with the attacker, so the files cannot be decrypted at any cost. So, the victims are advised not to pay the ransom.


Affected Vulnerability

  • CVE-2017-0144 - Microsoft CVE-2017-0144: Windows SMB Remote Code Execution Vulnerability
  • CVE-2017-0199- Microsoft CVE-2017-0199: Microsoft Office OLE Arbitrary Code Execution Vulnerability

 Targeted File Extensions

.3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, ctl,.dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip


Afraid of being a Victim follow these general guidelines and don’t fall prey anymore:

Actions to be taken:

1. Block source E-mail address:

This email address is being protected from spambots. You need JavaScript enabled to view it.

2. Block domains:


3. Block IPs:

4. Apply patches:

Refer(in Russian):

5. Disable SMBv1

Read our Blog: How to Disable SMB on Windows Machines 

6. Update Anti-Virus hashes


7.If the MS17-010 patch is not installed, install the patch immediately.

8. It is recommended to install patches for CVE-2017-0199

9. Update antivirus immediately and scan the devices thoroughly.

10. If an unpatched device is used and cannot be patcheddue to restrictions, consider shutting down the machine, if feasible and leave the machine off and disconnected from the network until a solution is found.

11. Researchers have found a method to vaccinate yourself from this ransomware.
Create a file in C:\Windows\perfc and mark it read only


The following batch file courtesy of BleepingComputer will do the job for you:


Popular posts like this: