There are several channels of distribution, including phishing e-mails.
For further internal distribution PETYA uses:
PETYA clears the event logs and the file system (USN) journal with the command “wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:” in order to hinder later analysis. Notably, the event log records themselves are not deleted; PETYA only places a mark in the log's name indicating that it was cleared. File recovery is possible.
There are two ways in which the system is encrypted:
The malicious file writes its code to the MBR and the following sectors (the original MBR is saved, encrypted with XOR 0x07, in sector 34). The malware then reboots the system (using the “schtasks” and “at” commands). When the system starts again, a message imitating the CHKDSK utility appears on the screen. In fact, at this moment PETYA is encrypting the $MFT with the cryptographically strong Salsa20 cipher (the code is similar to the original Petya). The main feature of this technique is that it encrypts the file records rather than the file contents. File recovery is possible. There are several ways to recover the data:
2. File encryption (Misha)
When the privileges needed to rewrite the MBR cannot be obtained, the files are encrypted without rebooting the system. The following file extensions are subject to encryption: 3ds, 7z, accdb, ai, asp, aspx, avhd, back, bak, c, cfg, conf, cpp, cs, ctl, dbf, disk, djvu, doc, docx, dwg, eml, fdb, gz, h, hdd, kdbx, mail, mdb, msg, nrg, ora, ost, ova, ovf, pdf, php, pmf, ppt, pptx, pst, pvi, py, pyc, rar, rtf, sln, sql, tar, vbox, vbs, vcb, vdi, vfd, vmc, vmdk, vmsd, vmx, vsdx, vsv, work, xls, xlsx, xvd, zip. Decryption techniques remain unknown. The only option is to restore the files from backup copies, for instance from Volume Shadow Copy, restore points or File History.
It is strongly recommended not to pay the ransom, as the adversaries' mailbox has been blocked. At present we doubt that decrypting the data is technically possible, and there are still no known cases of successful decryption.
Why is data recovery possible?
NotPetya encrypts only the file table, not the files themselves; therefore it is possible to recover the files after encryption.
The structure of the file system before encryption:
The master file table (MFT), which holds the file names and locations, comes first. After encryption, all references to the files in the MFT are encrypted, but the contents of those files remain unchanged:
Therefore, all carving-based recovery techniques can be used. Moreover, copies of MFT records are stored in many places in the file system (they can be found in the hiberfil.sys file, in various directory files, in $MFTMirr, etc.), so it is possible to collect all intact MFT records and recover even fragmented files.
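As an added illustration of the carving step described above (example code, not part of the original bulletin), the following Python builds a constructed 1024-byte MFT FILE record and then scans a constructed raw image for intact records: a record is accepted only if its update sequence (fixup) values verify, which is how a torn or partially overwritten copy is told apart from an integral one. The record header and the $FILE_NAME attribute follow the standard NTFS on-disk layout; the 1024-byte record size and the sample names are assumptions.

```python
import struct

def build_record(record_no, name, usn=b"\x34\x12"):
    """Constructed 1024-byte MFT FILE record with one resident $FILE_NAME (sample data, not a real disk)."""
    fn = struct.pack("<7QII", 5, *[0] * 8) + bytes([len(name), 3]) + name.encode("utf-16-le")
    alen = (24 + len(fn) + 7) & ~7
    attrs = (struct.pack("<IIBBHHHIHBB", 0x30, alen, 0, 0, 0, 0, 1, len(fn), 24, 1, 0) + fn).ljust(alen, b"\0")
    attrs += b"\xff" * 4 + b"\0" * 4  # end-of-attributes marker
    hdr = struct.pack("<4sHHQHHHHIIQHHI", b"FILE", 48, 3, 0, 1, 1, 56, 1, 56 + len(attrs), 1024, 0, 2, 0, record_no)
    rec = bytearray((hdr + usn + b"\0" * 6 + attrs).ljust(1024, b"\0"))
    for i in (1, 2):  # apply the fixup: stash each sector's last 2 bytes in the USA, write the USN there
        rec[48 + 2 * i:50 + 2 * i], rec[512 * i - 2:512 * i] = rec[512 * i - 2:512 * i], usn
    return bytes(rec)

def parse_record(buf):
    """Verify the fixup and read $FILE_NAME; None means the record is not intact."""
    if len(buf) < 1024 or buf[:4] != b"FILE":
        return None
    usa_ofs, usa_count = struct.unpack_from("<HH", buf, 4)
    if usa_count != 3 or usa_ofs + 6 > 510:  # 1024-byte record: USN plus one entry per 512-byte sector
        return None
    rec, usn = bytearray(buf[:1024]), buf[usa_ofs:usa_ofs + 2]
    for i in (1, 2):
        if rec[512 * i - 2:512 * i] != usn:  # sector tail does not carry the USN: torn or overwritten
            return None
        rec[512 * i - 2:512 * i] = rec[usa_ofs + 2 * i:usa_ofs + 2 * i + 2]
    pos, flags = struct.unpack_from("<HH", rec, 20)
    while pos + 24 <= 1024:
        atype, alen = struct.unpack_from("<II", rec, pos)
        if atype == 0xFFFFFFFF or alen < 24:
            break
        if atype == 0x30 and rec[pos + 8] == 0:  # resident $FILE_NAME attribute
            v = pos + struct.unpack_from("<H", rec, pos + 20)[0]
            name = rec[v + 66:v + 66 + 2 * rec[v + 64]].decode("utf-16-le", "replace")
            return {"record": struct.unpack_from("<I", rec, 44)[0], "in_use": bool(flags & 1), "name": name}
        pos += alen
    return None

def carve_mft_records(image):
    """Sector-aligned scan of a raw image for intact FILE records (the carving step)."""
    hits = []
    for ofs in range(0, len(image) - 1023, 512):
        rec = parse_record(image[ofs:ofs + 1024])
        if rec:
            hits.append(dict(rec, offset=ofs))
    return hits

# Constructed sample image: junk, an intact record, zeros, a torn copy (one sector tail overwritten), junk.
GOOD = build_record(7, "report.docx")
SAMPLE_IMAGE = b"\xa5" * 512 + GOOD + b"\0" * 512 + GOOD[:510] + b"\0\0" + GOOD[512:] + b"\x5a" * 512
```

Running `carve_mft_records(SAMPLE_IMAGE)` returns only the intact record at offset 512; the torn copy fails the fixup check and is skipped.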
The following files in the Windows directory may indicate that the system was infected via the PsExec tool:
Install the Windows updates for the MS17-010 vulnerability:
Block PSEXEC.EXE using local or group security tools on potentially vulnerable machines in order to stop the malware spreading. If possible, block or disable remote access to WMI.
In the course of the investigation it was found that creating the empty file “C:\Windows\perfc” may prevent infection via PsExec and WMI.