Tech Topics

Catching Petya: How Endgame Protects Against Another Global Attack

Editor’s Note: Elastic joined forces with Endgame in October 2019, and has migrated some of the Endgame blog content to See Elastic Security to learn more about our integrated security solutions.

Throughout the day, news spread of a ransomware attack hitting Europe and Russia, before making its way into the United States. By one estimate, it has already impacted tens of thousands computers, including pharmaceutical giant Merck, Russian oil company Rosneft, Danish shipping company AP Moller-Maersk, and a Ukrainian company responsible for monitoring Chernobyl’s radiation system. Today’s ransomware attack follows closely on the heels of the widespread WannaCry ransomware infection, which struck 300,000 machines in May, and just last week debilitated computers at Honda.. Given the widespread impact and potential for propagation, we quickly tested the Endgame platform against this latest Petya-like ransomware. Endgame’s layered approach once again proved up to the task, catching and remediating the ransomware before it could inflict damage.

Ransomware - Today’s Hottest Attack Trend

2017 already has proven to be a stellar year for ransomware, and we’re just half-way through it. Experts are divided whether this is a variant of Petya or just Petya-like, and some have recently dubbed it Goldeneye, which is a hybrid of Petya and another ransomware variant, Misha. For the sake of simplicity, we will refer to it as Petya. Despite this nomenclature disagreement, there is general consensus that it has already had a large impact.

As our ransomware timeline below illustrates, the Petya ransomware variant emerged last year. It is just one of the many new variants of ransomware that continue to shape the threat landscape. Petya overwrites the master boot record (MBR) with a custom bootloader from user space by the DLL and then the system is rebooted. Upon reboot, the custom bootloader that overwrote the MBR is loaded, which will encrypt the MFT and then display the ransom note, demanding $300 in bitcoin (which is proving problematic).


While Petya is similar to WannaCry, there are a few significant differences. With WannaCry, a kill switch was discovered relatively early, helping limit its propagation. There were signs late Tuesday that one was discovered for Petya as well, but it works more as a local inoculation than a global kill switch. The efficacy is also questionable because it is filename dependent.

Despite being spotted in the wild in early 2016, it is not terribly surprising to see Petya reappear. This time around, Petya takes advantage of the EternalBlue exploit released by the Shadow Brokers, similar to WannaCry. It includes additional propagation methods as well, taking advantage of at least one other ShadowBrokers exploit and leveraging credential harvesting and usage of legitimate administrative tools to move laterally and inflict damage more broadly inside a network. While many thought WannaCry was yet another wake-up call to companies and governments, the quick diffusion of Petya demonstrates yet another wake-up call that went ignored.

Protecting Against Petya and Beyond

As we’ve discussed in previous posts, Endgame stops ransomware attacks by combining several layered, signatureless preventions including exploit prevention, malware prevention, and a variety of behavioral preventions. Endgame’s MalwareScore TM catches Petya immediately, identifying the malware as malicious. MalwareScoreTM is a machine-learning based approach to detection and has proven highly effective at detecting known and unknown malware. Unlike some other machine learning-based solutions, MalwareScore does not require a cloud connection to be effective, protecting even those critical assets without an internet connection. We also tested Petya against many early versions of our MalwareScoreTM model, and all detect Petya, proving the protective power of our signatureless machine learning approach yet again. With Endgame deployed on a system, Petya is prevented without any prior knowledge of the ransomware variant. This is especially important because there is near certainty that Petya will not be the last, highly impactful ransomware attack. As long as these attacks remain profitable, they will continue.

Despite being highly effective, MalwareScoreTM comprises just one layer of Endgame’s multi-layer approach to protection. We know machine learning is not a silver bullet, and as impactful as ransomware is, there are other forms of malware-less and file-less attacks that require additional protection capabilities. In just a few weeks, our team will be in full force at BSidesLV, Black Hat, and DEF CON, talking about our research and the protection capabilities within our platform. Swing by our Black Hat booth 1360, and attend our conference talks covering everything from prevention to machine learning to the essential role of design and user experience in facilitating the analyst workflow.