
Petya Ransomware Performs Two-Step Encryption

Petya, the ransomware family recently discovered to encrypt entire hard disks, performs a two-phase encryption process, researchers have discovered.

Detailed for the first time last week, Petya is the first ransomware found to encrypt entire hard drives, an unusual behavior for this type of malware but also an important step in the evolution of the threat. Other top ransomware families, including Locky, CryptoWall and TeslaCrypt, encrypt users’ files individually instead.

When discovered, Petya was said to be aimed at organizations, being distributed via emails sent to the human resources departments, which included a Dropbox download link to an alleged job application portfolio. The portfolio is an executable file that causes a PC crash with a BSOD and prompts a reboot, during which the malware manipulates the Master Boot Record (MBR) to take over the machine.

According to researchers, the reboot process is the key step in the Petya infection, as it allows the ransomware to perform its nefarious operations unhindered. In other words, this second phase of infection is when the hard drive is actually encrypted, and preventing the reboot would allow users to prevent encryption.

During the first phase of infection, the aforementioned executable (the ransomware’s dropper) overwrites the beginning of the disk and creates an XOR-encrypted backup of the partition table, malware analyst hasherezade explains. As soon as this stage ends, the user is presented with a BSOD and prompted to reboot the PC, which triggers the second phase of the infection process.

However, since only the beginning of the disk (including the MBR) was overwritten, users can recover their data relatively easily at this stage, mainly because the file system is intact and the disk can be mounted to access its content. Thus, users suspecting they might have been infected should prevent the computer from rebooting and should instead make a disk dump, or mount the disk under another operating system and back up their files.

The second stage of infection is executed by a fake CHKDSK (check disk), which is executed upon reboot (by forced ExitWindowsEx or NtRaiseHardError, according to a KernelMode forum thread), since the malware is already in control of the MBR. As soon as this stage has been completed, the file system is destroyed and users no longer have access to their files.

Petya encrypts the partition table with XOR by ‘7’ and uses the same algorithm to verify the key supplied by the user during the decryption process, researchers say. Should a fake key be provided and pass as valid, the ransomware is able to restore the original MBR, yet decryption of the rest of the disk fails, meaning that the operating system won’t run.
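As an added illustration of the stage-one recovery window the article describes (this is not code from the article or from the researchers it cites), the following Python triage script checks whether a disk image still carries an intact NTFS boot sector and undoes the XOR-by-7 on a partition-table backup. The backup's sector location, and the assumption that the whole 512-byte sector was XORed, are constructed for this demo and would have to be confirmed by analysis of a real sample.

```python
"""Triage a disk image from a suspected stage-one Petya infection.

Constructed demo: BACKUP_LBA and whole-sector XOR are assumptions for this
example only; the XOR key 0x07 is the value the article reports."""
import struct

SECTOR = 512
XOR_KEY = 0x07   # "XOR by '7'", as reported in the article
BACKUP_LBA = 7   # ASSUMPTION for this constructed image, not a known Petya offset


def parse_mbr(sector: bytes):
    """Return (type, start_lba, sector_count) for each used MBR entry, or None if not an MBR."""
    if len(sector) != SECTOR or sector[510:] != b"\x55\xaa":
        return None
    parts = []
    for i in range(4):
        off = 446 + 16 * i            # four 16-byte partition entries
        ptype = sector[off + 4]
        start, count = struct.unpack_from("<II", sector, off + 8)
        if ptype:
            parts.append((ptype, start, count))
    return parts


def recover_partition_table(image: bytes, backup_lba: int = BACKUP_LBA):
    """Undo the XOR on the backed-up sector and parse it as an MBR."""
    raw = image[backup_lba * SECTOR:(backup_lba + 1) * SECTOR]
    return parse_mbr(bytes(b ^ XOR_KEY for b in raw))


def filesystem_intact(image: bytes, parts) -> bool:
    """Stage one leaves the file system alone: each NTFS boot sector keeps its OEM id."""
    return all(image[s * SECTOR + 3:s * SECTOR + 11] == b"NTFS    " for _, s, _ in parts)


def make_demo_image() -> bytes:
    """Constructed image: one NTFS partition at LBA 2048, sector 0 wiped (stand-in for
    the overwritten MBR), XORed copy of the original MBR stored at BACKUP_LBA."""
    mbr = bytearray(SECTOR)
    # boot flag, CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    struct.pack_into("<BBBBBBBBII", mbr, 446, 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 0x100000)
    mbr[510:] = b"\x55\xaa"
    img = bytearray(2049 * SECTOR)    # sector 0 stays zeroed: the original MBR is gone
    img[BACKUP_LBA * SECTOR:(BACKUP_LBA + 1) * SECTOR] = bytes(b ^ XOR_KEY for b in mbr)
    img[2048 * SECTOR + 3:2048 * SECTOR + 11] = b"NTFS    "   # NTFS boot-sector OEM id
    return bytes(img)
```

Running `parse_mbr` on sector 0 returns None (the signature is gone), while `recover_partition_table` yields the original entry and `filesystem_intact` confirms the NTFS volume is still readable before any reboot.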

However, should the key pass the check, Petya starts decrypting the drive and displays the progress on the screen, hasherezade says. When done, it asks the user to reboot the computer, and that is the last screen the ransomware displays on the PC, after which the infection is completely removed.

Petya packs a lot of unknowns and more on it will be revealed as security researchers manage to perform deeper analysis of its code. No decryption tool is available as of now, but one might emerge when more details on the ransomware are available.

In the meantime, however, users can stay protected by not opening emails and attachments from unknown or untrusted sources. Should they suspect a Petya infection, they should also make sure they don’t reboot the computer when the fake BSOD is displayed, so as not to trigger the second phase of the infection; at that point their files can still be recovered.
