Beware of GhostPetya Ransomware!

07/12/2018 18:08:01


The Chinese semiconductor industry recently suffered a severe ransomware attack that caused a large-scale business outage. The Sangfor Technologies security team, which discovered the new variant and named it “GhostPetya,” took on the task of researching and compiling information on the attack and developing comprehensive defenses and solutions. Sangfor found that while the GhostPetya attack methods are very similar to those of the previously studied Petya ransomware, this new variant shows a few very pronounced differences. Attack methods may include taking control of domain controllers, phishing emails, EternalBlue vulnerability attacks and brute-force attacks. It carries significant destructive power, rendering a large number of hosts on the intranet inoperable in a very short time and hijacking the screens of infected machines with a ghostly skull and crossbones.

On a compromised host, a ransom note pops up demanding 0.1 bitcoin for the restoration of encrypted files.

Virus Distribution

1. The following drives are opened in read/write mode: \\.\PhysicalDrive0, \\.\PhysicalDrive1, \\.\PhysicalDrive2 and \\.\PhysicalDrive3, \\.\I

2. Malicious code is written into those drives, as shown below:

The following shows the written code:

Ransom information is as shown below:

3. A reboot command is executed, as shown below:

4. The corresponding MBR data is extracted from the infected host, as shown below:

5. CHKDSK is called to check disks on an infected host, as shown below:

Disk check information is called, as shown below:

Finally, a ransom image pops up and the following ransom note appears when any key is pressed:

The attacker demands that the victim pay 0.1 BTC to unlock the files.
BTC address: 1Ex6qfkopZ5wgbiCrxpq4cALF56yr8gLhX

6. The MBR is debugged dynamically on the infected host, as shown below:

7. After debugging, Sangfor found that the infected MBR is very similar to that of previous Petya ransomware variants. The call to int 13 is stopped, partitions 1-32 are loaded from disk into memory starting at address 0x8000, and execution then jumps to 0x8000, as shown below:

8. The code continuously checks character strings such as “$” and displays the ransom information, as shown below:

9. Ransom information is as shown below (the annotated code sets the screen mode, sets the scroll parameter and draws the splash screen):

10. The code checks whether a key has been pressed, as shown below:

11. If a key press is detected, the ransom notes are displayed on the screen, as shown below:

The corresponding ransom data is as follows:

12. The code continuously checks for further key presses, as shown below:
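As an added example (not part of Sangfor's write-up), the following defender-side check targets the MBR overwrite described in steps 1-4: it records a baseline hash of the boot code on a known-good host and flags a first sector whose boot code no longer matches, lacks the 0x55AA signature, or carries a malformed partition table. The device path \\.\PhysicalDrive0 comes from the write-up; the sample sectors are constructed inline so the check runs offline.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # boot code occupies bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"     # bytes 510..511 of a valid MBR


def read_mbr(device=r"\\.\PhysicalDrive0"):
    """Read the first sector of a raw disk (needs administrator rights on Windows)."""
    with open(device, "rb") as disk:
        return disk.read(MBR_SIZE)


def boot_code_hash(mbr):
    """SHA-256 of the boot code only, so partition-table edits do not change the baseline."""
    return hashlib.sha256(mbr[:PART_TABLE_OFFSET]).hexdigest()


def parse_partitions(mbr):
    """Return the four primary entries as (status, type, lba_start, sector_count)."""
    return [struct.unpack_from("<B3xB3xII", mbr, PART_TABLE_OFFSET + 16 * i) for i in range(4)]


def check_mbr(mbr, baseline_sha256=None):
    """Return a list of findings; an empty list means the MBR looks intact."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    for n, (status, ptype, lba, count) in enumerate(parse_partitions(mbr)):
        if status not in (0x00, 0x80):
            findings.append(f"partition {n}: invalid status byte 0x{status:02x}")
        if ptype != 0 and (lba == 0 or count == 0):
            findings.append(f"partition {n}: type 0x{ptype:02x} with empty LBA or size")
    if baseline_sha256 and boot_code_hash(mbr) != baseline_sha256:
        findings.append("boot code differs from baseline hash")
    return findings


def build_sample_mbr(boot_code):
    """Constructed sample MBR: pad the boot code, add one bootable NTFS entry and the signature."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return boot_code.ljust(PART_TABLE_OFFSET, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE


if __name__ == "__main__":
    # Record a baseline on a known-good host, then re-check; here on constructed data.
    clean = build_sample_mbr(b"\xfa\x33\xc0")
    baseline = boot_code_hash(clean)
    print(check_mbr(clean, baseline))                                # []
    print(check_mbr(build_sample_mbr(b"\xeb\x00GHOST"), baseline))   # boot code differs
```

On a live host, replace the constructed sectors with read_mbr() and store the baseline hash off-box, since a successful overwrite followed by the reboot in step 3 leaves nothing on the machine to compare against.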


Solution

1. Isolate the virus-infected host as soon as possible and disable all its connections and network adapters.
2. Disable SMB port 445 and cut communication between the host and any external network. Sangfor NGAF customers can turn on intrusion prevention and botnet prevention to block the attack.
3. Scan and remove the virus with Sangfor EDR.
4. Fix the vulnerability by installing the corresponding patch.
