Petya — Technologically Challenging and Imaginative Ransomware

The malware uses the following icons to disguise its EXE files as PDF and RAR executables. The attacker then sends malicious code to the target via email, tricking the victim into executing it. In this way, an attack is successfully launched via social engineering.

Date of Release: April 14, 2016

Sample Information

MD5 File
A92F13F3A1B3B39833D3CC336301B713 EXE file masquerading as a PDF file
AF2379CC4D607A45AC44D62135FB7015 EXE file masquerading as a RAR file

Behavior Analysis

The malware uses the following icons to disguise its EXE files as PDF and RAR executables. The attacker then sends malicious code to the target via email, tricking the victim into executing it. In this way, an attack is successfully launched via social engineering.

After being executed, the trojan internally calls a system hardware error, which causes the system to reboot, a condition known as a Blue Screen of Death (BSOD).

After the system is rebooted, the user is prompted to perform a disk check, which is actually for the purpose of encrypting the disk.

After completing the encryption, Petya displays an animated image of a flashing red and white skull drawn in ASCII characters.

If the user presses any key as instructed, a ransom message is displayed on the screen, demanding the user to pay a specified amount of Bitcoins for the decryption of the encrypted disk.

Use DiskGenius to check the encrypted disk. It turns out that partitions on the disk rather than the entire disk are encrypted.

Executive Summary

The master file of the trojan is a shell program so that malicious code cannot be statically detected. During execution, more memory space will be requested to drop the main functional code, which will be written into the boot location of the physical disk, thus changing the Master Boot Record (MBR). Finally, the system is forced to reboot. The encryption process is as follows:

What Is MBR?

The MBR is a special type of boot sector at the very beginning of a fixed disk or removable drive for use with IBM PC-compatible systems. Its specific location on the disk is cylinder 0, head 0, and sector 1 (each sector contains 512 bytes).

The MBR holds the information on how the logical partitions, containing file systems, are organized on the medium. The MBR also contains executable code to function as a loader for the installed operating system — usually by passing control over to the loader’s second stage, or in conjunction with each partition’s volume boot record (VBR). This MBR code is usually referred to as a boot loader.

The MBR structure is as follows:

Byte Offset (Hexadecimal) Size (Bytes) Description
0x00-0x1BD 446 Bootstrap code area
0x1BE-0x1CD 16 Partition entry 1
0x1CE-0x1DD 16 Partition entry 2
0x1DE-0x1ED 16 Partition entry 3
0x1EE-0x1FD 16 Partition entry 4
0x1FE-0x1FF 2 Boot signature 0xAA55 or 0x55AA

Behavior Analysis

  • Behaviors of the sample file

Encrypting 0x22 sectors

Replacing MBR data

Writing decryption code to disk sectors

Writing three pieces of encryption/decryption-related data to the disk

The data in red frames is a 32-byte encrypted key; the data in the blue frame indicates the unique device ID; the data in the violet frame is the decryption string provided for the user to type at the ransom website.

Calling a function to display a hardware error

  • MBR code

Malicious MBR code


At 0x7C21, the main functional code of the malware is loaded to memory 0x8000. Then at 0x7C30, it skips to the malicious code for encryption and decryption operations.

  • Encryption code

Location of the encrypted key (0x20) data in memory

Encryption function

Partial handling procedure of the encryption function


  • Decryption code

Procedure of encrypting the user-supplied key

Procedure of checking the authentication buffer and decrypting the encrypted hard disk

Debugging Method

The malware uses MBR for attacks. Considering the importance of MBR, debugging should not be carried out at the user layer. Instead, it is advisable to perform it on a virtual machine. Here we combine IDA with VMware for debugging.

The GDB stub provided by VMware consists of two parts: one to support x86 and the other to support x64. When the virtual CPU on VMware in debugging state is running in 16/32-bit mode, the GDB stub supported by the 32-bit mode takes effect and will listen on port 8832. When the virtual CPU on VMware in debugging state is running in long mode, the GDB stub supported by the 64-bit mode takes effect and will listen on port 8864. Add the following code to the master configuration file (.vmx) of the virtual machine:

debugStub.listen.guest32.remote = “TRUE”

debugStub.listen.guest64.remote = ”TRUE”

monitor.debugOnStartGuest32 = “TRUE”

debugStub.hideBreakpoints = “TRUE”

bios.bootDelay = “3000”


After the virtual machine is started, IDA uses the remote GDB debugger to perform debugging, with parameters configured as follows.

Check Result

Antivirus Software Check Result
MicroWorld-eScan Trojan.GenericKD.3132766
nProtect Trojan/W32.Petr.806912
CAT-QuickHeal Trojan-Ransom.Petr.r5
McAfee RDN/Ransom
VIPRE Trojan.Win32.Generic!BT
K7AntiVirus Trojan (004e1c831)
BitDefender Trojan.GenericKD.3132766
K7GW Trojan (004e1c831)
Cyren W32/Petya.XMFF-8835
Symantec Trojan.Cryptolocker.AJ
ESET-NOD32 Win32/Diskcoder.Petya.A
TrendMicro-HouseCall Ransom_PETYA.E
Kaspersky Trojan-Ransom.Win32.Petr.l
NANO-Antivirus Trojan.Win32.AD.ebjjem
ViRobot Trojan.Win32.S.Petya.806912[h]
AegisLab Troj.Ransom.W32!c
Rising PE:Malware.Generic/QRS!1.9E2D [F]
Ad-Aware Trojan.GenericKD.3132766
Sophos Troj/Petya-C
F-Secure Trojan.GenericKD.3132766
DrWeb Trojan.MBRlock.245
Zillya Trojan.Petr.Win32.5
TrendMicro Ransom_PETYA.E
Emsisoft Trojan-Ransom.Win32.Petya (A)
F-Prot W32/Petya.G
Avira TR/AD.Petya.Y.hhcl
Microsoft Ransom:Win32/Petya
Arcabit Trojan.Generic.D2FCD5E
SUPERAntiSpyware Ransom.Petya/Variant
GData Trojan.GenericKD.3132766
ALYac Trojan.GenericKD.3132766
AVware Trojan.Win32.Generic!BT
Panda Trj/CryptoPetya.A
Tencent Win32.Trojan.Petr.Llrb
Yandex Trojan.Petr!
Ikarus Trojan-Ransom.PetYa
AVG Ransomer.LBN
Qihoo-360 Trojan.Generic

Check result of various antivirus software (check time: 2016-04-12 07:05:29)

Check result of NSFOCUS POMA


Data Recovery

  1. Obtain the PetyaRansomware system recovery CD from NSFOCUS.
  2. Boot the system from the CD-ROM drive or from a USB flash drive that contains the system recovery program.

3.  Record the key prompted by the program, reboot the host from the original hard disk drive, and then type the recorded key.

4.  The system starts to decrypt the hard disk.

5.  The system prompts users to reboot the computer after the decryption is complete.

6.  The system can be accessed after the reboot.


  • For individual users:
  1. Install antivirus software and update it to the latest version.
  2. Run NSFOCUS’s PetyaRansomware system recovery software.
  • For enterprise users:
  1. Install endpoint security software and update it to the latest version.
  2. Adopt NSFOCUS’s integrated solution of TAC + IPS + NGFW.
  3. Use NSFOCUS’s secure mail gateway.
  4. Run NSFOCUS’s PetyaRansomware system recovery software.

声 明