There have already been a lot of write-ups for the NotPetya malware. This article is just a supplement for what is already out there. Our focus is to highlight some key differences between a previous strain of the Petya ransomware and the malware that scared everyone a few weeks ago, which is now sometimes being referred to as NotPetya.
I posted a blog post a couple of months ago about the MBR (Master Boot Record) infected by Petya. I explained how the ransomware infected the boot process and how it executed its own kernel code. In this post, I will show some key technical differences between the two malware.
Petya and NotPetya both read the MBR and encrypt it using a simple XOR key. The only difference is that Petya uses 0x37 as a key, while NotPetya uses 0x07.
Figure 1. Petya XORing MBR with 0x37
Figure 2. NotPetya XORing MBR with 0x07
Petya runs a mini-kernel code in place of the original kernel. The code is responsible for the encryption process, the fake CHKDSK display, the blinking skull, and the ransomware note. NotPetya’s mini-kernel is responsible for the same things, except that it does not include the skull display.
As for the differences, Petya writes its mini-kernel starting at sector 0x22, while NotPetya starts at sector 0x02, right after the MBR sector.
After writing its MBR and mini-kernel code to the infected disk, Petya and NotPetya both restart the infected system to activate the second stage of the malware infection.
Petya uses NtRaiseHardError API to initiate the reboot process (see Figure 3), while NotPetya schedules a reboot by issuing the command “shutdown.exe /r /f” at a set time using CreateProcessW API (see Figure 4).
Figure 3. Petya reboot process
Figure 4. NotPetya reboot process
Petya displays a red skull after its fake CHKDSK operation is done. NotPetya also displays a fake CHKDSK while it is encrypting the disk, but no skull is displayed afterwards.
Figure 5 shows a snapshot of the virtual memory of Petya that contains the strings for the fake CHKDSK, the ransom note, and the distorted skull image.
Figure 5. Petya’s strings
Figure 6 shows a snapshot of the virtual memory of NotPetya that contains the strings for the fake CHKDSK and the ransom note, as well as the blank space that should contain the skull image.
Figure 6. NotPetya’s strings
The Petya and NotPetya ransomware notes are completely different, as seen in the figures below:
Figure 7. Petya’s Ransom Note
Figure 8. NotPetya’s ransom note
While Petya and NotPetya have some key differences, they are also very similar in many ways, especially in that they are both destructive in every sense. Overwriting the MBR paralyzes the infected machine.
Please take note that paying the ransom demanded by either of these attacks does not guarantee that you will get your files back or even end up with a working machine. Instead, one of the best ways to battle destructive malware like this is to have a good backup of your system that is stored off network.