4

Within the last 48 hours we've been informed of the Petya ransomware similar to the "Wanna Cry" ransomware. Both ransomware packages encrypt your data and demand $300 to unlock your data. However in the Petya case Germany has closed down the email address to respond to so you can't pay even if you wanted to.

Unlike "Wanna Cry" which had a global kill-switch that was turned on within 72 hours by accident, "Petya" requires you to create a local file in order to stop your data getting encrypted however you are still infected and can pass the ransomware onto other systems.

I read in the story ‘Petya’ ransomware may be smokescreen for potentially larger attack you need to create the file C:\Windows\perfc and flag it as read-only to protect your system. This would include Linux users using wine I presume. However:

  • in the comment section a user posted the file name must be C:\Windows\perfc.exe.

  • in Ransomware Vaccine Now Available they say the file name must be C:\Windows\perfc.dll.

Can anyone confirm Linux Wine users are potential victims and what the actual read-only file name must be?

muru
  • 207,228
WinEunuuchs2Unix
  • 105,762

1 Answers1

4

I ran it ...
As I promised, I installed wine on a Debian virtual machine, got some sample of Petya, ran them directly and using: rundll32 path,#1, with regular and root user and nothing happend to my VM or its MBR.

How it propagate itself?
Petya uses the Eternal Blue exploit and classic SMB network spreading techniques.

The related CVE of this vulnerability for Linux is: "CVE-2017-7494" which has been already fixed:

Is my Ubuntu vulnerable to SambaCry?

perfc and perfc.dat:
Symantec states that Petya creates a file "C:\Windows\perfc" to indicate that computer has been infected and the "perfc.dat" is the one it uses to execute itself.

To stop petya you should create a read-only file here: "C:\Windows\perfc.dat" so petya can't write and execute itself.

And "C:\Windows\perfc" is some kind of kill switch if "Petya" gets run, after seeing this file it consider your computer as infected and only tries to infect other network devices.

Encryption and MBR:
After infection it tries to change the MBR. a MBR has three section: partition table, boot code, magic code. by changing the boot code it can hijack the boot process so instead of loading a bootloader you will see a message and behind that message it's going to start a full disk encryption, before the final message it seems that petya runs full disk encryption while it's showing a fake check disk.

With "wine" it can not change your MBR (unless you run the wine using sudo), it just tries to infect other devices.

It also does a user-mod encryption, for that purpose after infection it looks for specific extensions in all drives and starts to encrypt the first 1MB of them.

So it seems that there is nothing to be worry about unless you run it yourself using wine and root access.

source: symantec.

Ravexina
  • 57,256