{
	"id": "fec4b46c-9a53-4975-89d6-c182c3339fe7",
	"created_at": "2026-04-10T03:22:04.386699Z",
	"updated_at": "2026-04-10T03:22:19.680045Z",
	"deleted_at": null,
	"sha1_hash": "9d52871bf7a9f4e33bc68132f34daf3781e20f89",
	"title": "Petya: the two-in-one trojan",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1505316,
	"plain_text": "Petya: the two-in-one trojan\r\nBy Fedor Sinitsyn\r\nPublished: 2016-05-04 · Archived: 2026-04-10 03:01:42 UTC\r\nInfecting the Master Boot Record (MBR) and encrypting files is nothing new in the world of malicious programs.\r\nBack in 1994, the virus OneHalf emerged that infected MBRs and encrypted the disk contents. However, that\r\nvirus did not extort money. In 2011, MBR blocker Trojans began spreading (Trojan-Ransom.Win32.Mbro) that\r\ninfected the MBR and prevented the operating system from loading further. The victim was prompted to pay a\r\nransom to get rid of the problem. It was easy to treat a system infected by these blocker Trojans because, apart\r\nfrom the MBR, they usually didn’t encrypt any data on the disk.\r\nToday, we have encountered a new threat that’s a blast from the past. The Petya Trojan (detected by Kaspersky\r\nLab products as Trojan-Ransom.Win32.Petr) infects the MBR preventing normal system loading, and encrypts the\r\nMaster File Table (MFT), an important part of the NT file system (NTFS), thus preventing normal access to files\r\non the hard drive.\r\nThe infection scenario\r\nThe people spreading Petya attack their potential victims by sending spam messages containing links that\r\ndownload a ZIP archive. The archive contains the Trojan’s executable file and a JPEG image. The file names are\r\nin German (Bewerbungsunterlagen.PDF.exe, Bewerbungsmappe-gepackt.exe), are made to look like resumes for\r\njob candidates, and target HR staff in German-speaking countries.\r\nContents of the archives downloaded from links in spam\r\nThe cybercriminals didn’t bother with automatic escalation of privileges – the manifest of the Trojan’s executable\r\nfile contains the following standard record:\r\nhttps://securelist.com/petya-the-two-in-one-trojan/74609/\r\nPage 1 of 19\n\nIf the user launches the malicious executable file Petya, Windows will show the standard UAC request for\r\nprivilege escalation. 
If the system has been properly configured by the system administrators (i.e. UAC is enabled,\r\nand the user is not working from an administrator account), the Trojan won’t be able to run any further.\r\nUnfortunately, a user who has the privileges to agree to a UAC request often underestimates the potential risks\r\nassociated with launching unknown software with elevated rights.\r\nHow it works\r\nThe executable file and the packer\r\nA Petya Trojan infection begins with the launch of the malicious executable file. The samples of the Trojan that\r\nKaspersky Lab received for analysis are, just like most other malware samples, protected with a customized\r\npacker. When the executable file launches, the malicious packer’s code begins to work – it unpacks the malicious\r\nDLL Setup.dll into a newly designated RAM area, and then passes control to it.\r\nCybercriminals typically use packers to avoid detection – circumvent static signatures, trick the heuristic analyzer,\r\netc. While investigating the Petya packer, we noticed an unusual trick used by the cybercriminals.\r\nCybercriminals often try to create the packer in such a way that a packed malicious executable file looks as similar\r\nas possible to a regular legitimate file. Sometimes, they take a legitimate file and substitute part of the code with\r\nmalicious code. That’s what they did with Petya, with one interesting peculiarity: it was a part of the standard\r\ncompiler-generated runtime DLL that was replaced with malicious code, while the function WinMain remained\r\nintact. The illustration below shows the transition, beginning from the entry point (“start”). As can be seen, the\r\nfunction of unpacking malicious code (which we dubbed “evil”) is called from the legal function __calloc_crt\r\nwhich is part of the runtime code.\r\nDiagram of transitions between the malicious packer’s functions\r\nWhy do it that way? 
Obviously, the creators of the malicious packer were trying to trick an inattentive researcher\r\nor automatic analyzers: the file looks legitimate – WinMain doesn’t contain malicious code – so it’s possible that it\r\nwill be overlooked. Besides, if the breakpoint is set at WinMain during debugging, then the malicious code works\r\n(and sends the system into BSOD, as we will discuss later in detail) and execution is over before the breakpoint is\r\neven reached.\r\nKaspersky Lab has detected Petya samples that masquerade as legitimate files written in C/C++ and in Delphi.\r\nThe malicious DLL\r\nSetup.dll is a DLL with just one export: _ZuWQdweafdsg345312@0. It is written in C and compiled in Microsoft\r\nVisual Studio. The cybercriminals used an implementation of cryptographic algorithms available in the public\r\nlibrary mbedtls (formerly polarssl). Setup.dll is not saved to the hard drive as a separate file, but always remains in\r\nthe RAM.\r\nWhen Setup.dll receives control, it decrypts the data contained in the section ‘.xxxx’ and then proceeds to infect\r\nthe victim computer.\r\nThe encrypted ‘.xxxx’ section containing data\r\nFragment of the decrypted data from the ‘.xxxx’ section\r\nAt a higher degree of abstraction, the actions of Setup.dll come down to the following:\r\n1. Re-write the boot record on the hard drive with its own malicious loader;\r\n2. Generate a key, infection ID and other auxiliary information, and save them to the hard drive;\r\n3. Cause a system abort and reboot, thereby passing control to the malicious loader.\r\nNow let’s look in detail at how all of this is implemented in the Trojan. 
But before doing so, we need to define the\r\nterminology used.\r\nHard disk sector – the minimum addressable unit of a hard drive, typically 512 bytes.\r\nMaster boot record (MBR) – the code and the data written to Sector 0. After hardware is initialized, this code is\r\nused to boot the PC. Also, this sector contains the hard disks’ partition table. A disk partitioned with MBR may\r\nhave up to four primary partitions, and the maximum partition size is ~2.2 TB.\r\nGUID Partition Table (GPT) – a more modern standard of hard drive layout. It supports up to 128 partitions, each\r\nup to 9.4 ZB in size (1 ZB = 10^21 bytes.)\r\nNow let’s return to the Trojan under review. Setup.dll can infect disks partitioned according to either the older\r\nMBR standard or the more modern GPT standard. There are two alternative branches of execution sequences in\r\nthe malicious program; the choice of execution branch depends on the data in the field PartitionStyle of the\r\nstructure PARTITION_INFORMATION_EX.\r\nSelection of the execution branch for disk infection, depending on whether the disk has MBR or GPT partitioning\r\nInfecting an MBR disk\r\nWhen infecting an MBR disk, Setup.dll performs the following actions:\r\n1. Encrypts sector 0 (the original code and the MBR data) with the simple operation XOR 0x37 (ASCII\r\n‘7’), writes the result to sector 56;\r\n2. Encrypts sectors 1-33 with the same operation XOR 0x37;\r\n3. Generates configuration data for the malicious loader, writes them to sector 54;\r\n4. Creates the verification sector 55 populated with the repeating byte 0x37;\r\n5. Copies the disk’s NT signature and the partition table saved from the original MBR into its own first-level loader; writes first-level malicious code to sector 0 of the disk, and writes second-level code to\r\nsectors 34-50 (referred to here as the malicious loader);\r\n6. 
Calls the function NtRaiseHardError, which causes the operating system to crash (BSOD – the ‘blue\r\nscreen of death’).\r\nWhen an MBR disk has been infected, the beginning of the disk has the following structure:\r\nNumber of sector Content\r\n0 First-level malicious loader\r\n1 – 33 Encrypted sectors 1-33 (XOR 0x37)\r\n34 – 50 Second-level malicious code\r\n…\r\n54 Configuration sector of the malicious program\r\n55 Verification sector (populated with byte 0x37)\r\n56 Encrypted original MBR code (XOR 0x37)\r\nInfecting a GPT disk\r\nWhen infecting a GPT disk, Setup.dll performs more actions:\r\n1. Based on Primary GPT Header data, it obtains the address of the GPT header copy;\r\n2. Encrypts the GPT header copy with XOR 0x37;\r\n3. Performs all the actions that are performed when encrypting an MBR disk.\r\nWhen a GPT disk has been infected, the beginning of the disk has the following structure:\r\nNumber of sector Content\r\n0 First-level malicious loader\r\n1 – 33 Encrypted sectors 1-33 (XOR 0x37)\r\n34 – 50 Second-level malicious code\r\n…\r\n54 Configuration sector of the malicious program\r\n55 Verification sector (populated with byte 0x37)\r\n56 Encrypted original MBR code (XOR 0x37)\r\n…\r\nBackup LBA – Backup LBA + 33 Encrypted copy of GPT Header (XOR 0x37)\r\nGeneration of configuration data\r\nIn the configuration sector (sector 54), the Trojan keeps the data it needs to encrypt MFT and decrypt it if the\r\nvictim pays the ransom. Generation of the configuration data consists of the following steps:\r\n1. Setup.dll generates a random string that is 16 characters long [1-9, a-x, A-X]; we will call this string\r\npassword;\r\n2. Generate a pair of keys: ec_session_priv (a private key, a random large integer number) +\r\nec_session_pub (public key, a point on a standard elliptic curve secp192k1);\r\n3. 
Calculate the session secret: session_secret = ECDH (ec_session_priv, ec_master_pub); the\r\ncybercriminals’ public key ec_master_pub is contained in the Trojan’s body;\r\n4. Calculate the aes_key = SHA512(session_secret) – only the first 32 bytes of the hash sum are used;\r\n5. Encrypt the ‘password’ string by XORing it with the first 16 bytes of ec_session_pub: password_xor =\r\nec_session_pub[0, 15] xor password;\r\n6. Encrypt the result using AES-256 with the key aes_key: password_aes_encr =\r\nAES_enc(password_xor);\r\n7. Create the array ec_session_data = [ec_session_pub, password_aes_encr];\r\n8. Calculate base58: ec_session_data_b58 = base58_enc(ec_session_data);\r\n9. Use the result to calculate SHA256: digest = sha256(ec_session_data_b58);\r\n10. Create array: ec_data = [check1, check2, ec_session_data_b58], where check1, check2 are bytes\r\ncalculated by the formulas:\r\na = digest[0] \u0026 0xF;\r\nb = (digest[0] \u0026 0xF) \u003c 10;\r\ncheck1 = (digest[0] \u003e\u003e 4) + 0x57 + ((digest[0] \u003e\u003e 4) \u003c 10 ? 0xD9 : 0);\r\ncheck2 = a + 0x57 + (b ? 0xD9 : 0);\r\n11. Based on the ‘password’, create a key for MFT encryption;\r\nPseudocode creating a key for MFT encryption\r\n12. Generate IV – 8 random bytes which will be used during MFT encryption;\r\n13. Generate infection ID and use it to create “personalized” URLs for ransom payment webpages.\r\nUltimately, the configuration data structure looks like this:\r\nIn C language syntax, this structure can be presented as follows:\r\nThis is what the configuration data looks like after it is written to the hard drive:\r\nNote that if the user turns off their computer after this stage and doesn’t switch it on again, only minimum damage\r\nwill be done, as it is not difficult to decrypt data encrypted with 1-byte XOR. 
Therefore, a good piece of advice: if\r\nyou launch an unknown file and your system suddenly crashes, showing a blue screen, you should switch off your\r\ncomputer and get help from a qualified specialist. The specialist should be able to identify a Petya infection and\r\nrestore the disk sectors encrypted with XOR.\r\nIf, however, the computer was rebooted, then the Trojan’s third stage kicks in – the malicious code written to\r\nsectors 0 and 34–50.\r\nThe malicious loader\r\nAfter rebooting, the code in sector 0 (the first-level loader) gains control. It loads the main second-level malicious\r\ncode from sectors 34–50 into the memory and passes control to it. This code, in turn, receives information about\r\nthe hard drives available in the system, searches for the disk where the configuration is written, reads the\r\nconfiguration data from sector 54 and, depending on the value in the field ‘config.state’, begins encryption (if the\r\nvalue is 0) or asks the user to enter the decryption key that they have purchased (if the value is 1).\r\nFragment of code implementing the Trojan’s logic\r\nEncryption of MFT\r\nThe master file table (MFT) is a data structure with information about every file and directory on a volume\r\nformatted into NTFS, the file system that is used in all modern versions of Windows. The table contains the\r\nservice data required to find each file on the disk. It can be compared to a table of contents in a book that tells you\r\non which page to find a chapter. Similarly, MFT indicates which logical cluster a file is located in.\r\nIt is precisely this critical area that is attacked by Petya. If the value of ‘config.state’ is equal to 0 during launch, it\r\ndoes the following:\r\n1. Displays a fake disk check message:\r\n2. 
Reads the key ‘config.salsa_key’ from the configuration sector into a local array; sets this field to zero on\r\nthe disk, and sets the ‘config.state’ field to 1;\r\n3. Encrypts the verification sector 55 with the stream cipher Salsa20; this sector is populated beforehand\r\nwith the byte 0x37 (see the section ‘Infecting an MBR disk’ above);\r\n4. Searches for each partition’s MFT on each connected hard drive;\r\n5. Encrypts the MFT data with cipher Salsa20. Encryption is performed in parts of 8 sectors (i.e. the size of\r\neach part is 4 KB). A counter of the encrypted parts is kept in sector 57 of the first disk.\r\n6. When encryption is over, it triggers a system reboot.\r\nAfter the reboot, Petya displays an animated image of a flashing red and white skull drawn in ASCII-art style.\r\nIf the user presses any key, the Trojan displays a text which tells the victim in no uncertain terms what has\r\nhappened.\r\nRansom demand and decryption\r\nOn this screen Petya displays links to the ransom payment webpages located in the Tor network (the addresses are\r\nspecified in config.mal_urls), and the “personal decryption code” which the victim has to enter at either of the\r\nabove sites. In reality, this “code” is the content of the field ‘config.ec_data’, hyphenated every six characters.\r\nSo, how do the cybercriminals plan to decrypt MFT, and are they even capable of doing so?\r\nThe ‘Key:’ field on this screen accepts a text string from the user. This string is checked for length (a 16-character\r\nlong string is required), and then the Trojan uses it to calculate a 32-byte ‘salsa_key’ (following the algorithm\r\ndiscussed above in the section ‘Generation of configuration data’). The Trojan then attempts to decrypt the\r\nverification sector 55 with this key, and checks that the decrypted sector is completely populated with the byte\r\n0x37. 
If it is, the key is considered correct, and Petya uses it to decrypt MFT. Then it decrypts all the starting sectors\r\nencrypted with XOR 0x37, decrypts the original MBR and prompts the user to reboot the computer.\r\nThus, the correct string to be entered in the ‘Key:’ field is that very same ‘password’ string that is generated in the\r\nfirst step when the configuration data is created.\r\nScreen message displayed after successful decryption\r\nThe question remains: how do the cybercriminals know this string so they can communicate it to a victim who has\r\npaid the ransom? No automatic communication with C\u0026C servers is established during the entire infection life\r\ncycle. The answer lies in the description of the algorithm for generating configuration data.\r\nThe victim is prompted to manually enter their “personal decryption code” ec_data on the ransom payment\r\nwebpage. The cybercriminal can then perform the following actions:\r\n1. Decode base58: base58_dec(ec_session_data_b58) = ec_session_data = [ec_session_pub,\r\npassword_aes_encr]\r\n2. Calculate session_secret = ECDH(ec_session_pub, ec_master_priv), in accordance with the Elliptic\r\ncurve Diffie–Hellman properties, where ec_master_priv is a private key known to the Trojan’s creators\r\nonly;\r\n3. Calculate aes_key = SHA256(session_secret);\r\n4. Decrypt AES-256: password_xor = AES_dec(password_aes_encr);\r\n5. Knowing ec_session_pub, calculate the original password based on password_xor.\r\nThe ransom payment webpage\r\nWhen we visit the Tor site at the URL provided by the Trojan, we see a page that requires a CAPTCHA to be\r\nentered, after which the main ransom payment page is loaded. The design of the page immediately catches the\r\neye, with its hammer and sickle and the word ‘ransomware’ in pseudo-Cyrillic. 
It looks like a USSR parody along\r\nthe lines of the game Red Alert.\r\nThis page displays a countdown clock showing when the ransom price will be doubled, as well as regularly\r\nupdated links to news and publications related to Petya.\r\nWhen the ‘Start the decryption process’ button is pressed, you end up on a page that asks you to enter the value of\r\n‘ec_data’, which is now called “your identifier” rather than “your personal decryption code”. It looks like the\r\ncybercriminals still haven’t decided what to call this part.\r\nWhen the user enters this string, the site displays the amount of ransom in BTC, information on how to purchase\r\nbitcoins, and the address where the money should be sent.\r\nAs well as that, there are two other pages on the website: FAQ and Support.\r\nThe FAQ page\r\nThe FAQ page is interesting in that it contains false information: in reality, RSA is not used by the Trojan in any\r\nway, at any stage of infection.\r\nThe Support page\r\nOn the Support page, the user is given the option of sending a message to the cybercriminals. One phrase in\r\nparticular stands out: “Please write your message in english, our russian speaking staff is not always available”.\r\nThis implies that there is at least one person in the group who speaks Russian.\r\nGeographic distribution\r\nAs we noted above, the spam messages target German-speaking victims. 
KSN statistics clearly show that\r\nGermany is the main target for the cybercriminals.\r\nTOP 5 countries attacked by Petya Trojan by the number of attacked users:\r\nCountry Number of attacked users\r\n1 Germany 579\r\n2 China 19\r\n3 India 8\r\n4 Japan 5\r\n5 Russian Federation 5\r\nConclusion\r\nAfter analyzing the Petya Trojan, we discovered that it is an unusual hybrid of an MBR blocker and data\r\nencryptor: it prevents not only the operating system from booting but also blocks normal access to files located on\r\nthe hard drives of the attacked system.\r\nAlthough Petya is noticeably different from the majority of ransomware that has emerged in recent years, it\r\ncan hardly be described as a fundamentally new development. The ideas behind the Trojan have been seen before\r\nin earlier malware; the creators of Petya have simply combined them all in a single creation. That said, it should\r\nbe acknowledged that it requires a certain degree of technical skill to implement low-level code to encrypt and\r\ndecrypt data prior to OS booting.\r\nAnother interesting peculiarity about Petya is the pseudo-Soviet graphic design on the ransom payment website;\r\nthe name of the Trojan also fits into the image of a “Russian Trojan” designed by cybercriminals. There is no\r\ncertainty as to whether the Trojan’s creators originally come from Russia or other former Soviet states; however,\r\nthe text on the payment page suggests there is at least one Russian speaker in the gang.\r\nKaspersky Lab’s products protect users from this threat: Petya’s executable files are detected with the verdict\r\nTrojan-Ransom.Win32.Petr; in addition, the behavior analyzer proactively detects even unknown versions of this\r\nTrojan with the verdict PDM:Trojan.Win32.Generic.\r\nP.S. 
How to decrypt your data without paying the ransom\r\nOn April 8, some independent researchers reported that they had found a method of restoring the password\r\nwithout paying the ransom to the cybercriminals. The method is based on a genetic algorithm; with the 8-byte\r\nlong IV (stored in configuration sector 54) and the content of the encrypted verification sector 55, you can\r\ncalculate the value of the password that generates the salsa key, which can then be used to decrypt the MFT.\r\nSource: https://securelist.com/petya-the-two-in-one-trojan/74609/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://securelist.com/petya-the-two-in-one-trojan/74609/"
	],
	"report_names": [
		"74609"
	],
	"threat_actors": [],
	"ts_created_at": 1775791324,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9d52871bf7a9f4e33bc68132f34daf3781e20f89.pdf",
		"text": "https://archive.orkl.eu/9d52871bf7a9f4e33bc68132f34daf3781e20f89.txt",
		"img": "https://archive.orkl.eu/9d52871bf7a9f4e33bc68132f34daf3781e20f89.jpg"
	}
}