8. Petya

Petya was first discovered in March 2016. It was distributed through spam emails crafted to look like a job application, with the executable delivered as the attachment. In June 2017 another ransomware outbreak appeared that resembled Petya and was later named NotPetya. It started in Ukrainian organizations and then spread to France, Germany, Italy, Poland, Russia, the United Kingdom, the United States and Australia. We discuss NotPetya later in this chapter. Petya itself had several versions; Petya-Mischa and GoldenEye were the best known.

Instead of encrypting individual files on the disk, Petya infects the Master Boot Record (MBR), which locks the whole Windows system. MBR infection was introduced in Chapter 5, Ransomware Economics. Petya overwrites the MBR with its own code and then forces a reboot. When the machine comes back up, the malicious boot code runs instead of Windows and displays the ransom message; Windows never boots. The ransom note claims that the whole disk is encrypted, but Petya actually encrypts only the Master File Table (MFT), which is enough to make every file on the volume unreachable.

Here are the steps employed by Petya to encrypt the MFT:

  • When executed, it overwrites the Master Boot Record with a malicious bootstrap loader (bootstrap loaders are explained in Chapter 4, Ransomware Techniques for Hijacking the System). Writing to sector 0 of the physical disk requires administrator privileges, so the dropper must first get past UAC.
  • It then calls the NtRaiseHardError() Windows API, which triggers a Blue Screen of Death (BSOD) and thereby reboots the system into the malicious loader.

When the system reboots after infection, the bootstrap loader that replaced the original MBR displays a fake CHKDSK screen. While the victim watches what looks like a disk check, the loader encrypts the MFT in the background. (The Windows boot process is covered in Chapter 4, Ransomware Techniques for Hijacking the System, in the Windows boot process section.)

A short recap of the legacy boot chain shows why encrypting the MFT alone is enough. When the computer is switched on, the first program to execute is the BIOS (Basic Input Output System). The BIOS runs the POST (Power-On Self-Test), which verifies that the hardware devices the system needs are present and working, and then reads the Master Boot Record. The MBR holds the partition table and a small piece of boot code; that code locates the active partition and loads its first sector, the Volume Boot Record (VBR). The VBR describes the partition, including its size and file system type. If the partition is NTFS (New Technology File System, the file system used by Windows), the VBR also records where the Master File Table (MFT) lives. The MFT is the space reserved by NTFS for all metadata about every file: size, time and date stamps, permissions, and either the file's data itself or pointers to the clusters outside the MFT where the data is stored. With the MFT encrypted, Windows can still recognize the volume as NTFS from the VBR, but it cannot locate or open any file, so it cannot load the rest of the operating system.
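The boot chain above (MBR, partition table, VBR, MFT) can be followed with a few bytes of parsing, and the same parsing gives a defender the check that catches a Petya-style MBR overwrite: hash the boot-code region of sector 0 against a baseline recorded while the machine was known-good. The following is an added example written for this edit, not code from the book or from Petya; the MBR and NTFS VBR below are constructed sample sectors, and the "tampered" boot code is a stand-in for a malicious loader, not real malware.

```python
"""Walk the legacy boot chain (MBR -> partition table -> NTFS VBR -> $MFT) and
baseline-check the MBR boot code. Added example; the sectors are constructed."""
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xAA"
BOOTCODE_LEN = 440            # bytes 440..445 hold the disk signature and padding
NTFS_OEM_ID = b"NTFS    "


def build_mbr(bootcode, partitions):
    """Construct a 512-byte legacy MBR from boot code and up to four
    (bootable, type, lba_start, sector_count) tuples. Sample data only."""
    mbr = bytearray(SECTOR)
    code = bootcode[:BOOTCODE_LEN]
    mbr[:len(code)] = code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        # status, CHS start (unused here), type, CHS end (unused), LBA start, sectors
        entry = struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                            ptype, b"\0\0\0", lba, count)
        mbr[446 + 16 * i: 462 + 16 * i] = entry
    mbr[510:512] = BOOT_SIG
    return bytes(mbr)


def parse_mbr(sector):
    """Return the boot-code hash, the partition table, and whether the 0x55AA
    marker the BIOS requires is present."""
    if len(sector) != SECTOR:
        raise ValueError("MBR must be exactly one 512-byte sector")
    parts = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from("<B3sB3sII", sector, 446 + 16 * i)
        if ptype != 0:
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba, "sectors": count})
    return {"bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
            "partitions": parts,
            "signature_ok": sector[510:512] == BOOT_SIG}


def parse_ntfs_vbr(sector, partition_lba):
    """Read the NTFS BIOS Parameter Block fields needed to locate $MFT on the
    physical disk (the structure Petya's loader encrypts behind the fake CHKDSK)."""
    if sector[3:11] != NTFS_OEM_ID or sector[510:512] != BOOT_SIG:
        raise ValueError("not an NTFS volume boot record")
    bytes_per_sector = struct.unpack_from("<H", sector, 0x0B)[0]
    sectors_per_cluster = sector[0x0D]
    total_sectors = struct.unpack_from("<Q", sector, 0x28)[0]
    mft_cluster = struct.unpack_from("<Q", sector, 0x30)[0]
    mftmirr_cluster = struct.unpack_from("<Q", sector, 0x38)[0]
    rec = struct.unpack_from("<b", sector, 0x40)[0]   # signed: negative n means 2**(-n) bytes
    cluster_size = bytes_per_sector * sectors_per_cluster
    part_base = partition_lba * bytes_per_sector
    return {"cluster_size": cluster_size,
            "total_sectors": total_sectors,
            "mft_record_size": 2 ** (-rec) if rec < 0 else rec * cluster_size,
            "mft_byte_offset": part_base + mft_cluster * cluster_size,
            "mftmirr_byte_offset": part_base + mftmirr_cluster * cluster_size}


def check_mbr(sector, baseline_bootcode_sha256):
    """Integrity check to run over sector 0 of the physical disk. The partition
    table can still look sane after a Petya-style overwrite, so the boot-code
    hash against a known-good baseline is the decisive signal."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootcode_sha256"] != baseline_bootcode_sha256:
        findings.append("MBR boot code differs from baseline (possible bootloader overwrite)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition")
    return findings


# Constructed sample data (not from a real disk): a clean MBR, the same MBR with
# its boot code replaced, and an NTFS VBR for a partition starting at LBA 2048.
CLEAN_BOOTCODE = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 432
PARTITIONS = [(True, 0x07, 2048, 204800)]              # one bootable NTFS partition
CLEAN_MBR = build_mbr(CLEAN_BOOTCODE, PARTITIONS)
BASELINE = parse_mbr(CLEAN_MBR)["bootcode_sha256"]     # recorded while known-good
TAMPERED_MBR = build_mbr(b"\xEB\x00" + b"\x41" * 438, PARTITIONS)  # stand-in loader

_vbr = bytearray(SECTOR)
_vbr[0:3] = b"\xEB\x52\x90"
_vbr[3:11] = NTFS_OEM_ID
struct.pack_into("<H", _vbr, 0x0B, 512)       # bytes per sector
_vbr[0x0D] = 8                                # sectors per cluster -> 4096-byte clusters
struct.pack_into("<Q", _vbr, 0x28, 204799)    # total sectors in the volume
struct.pack_into("<Q", _vbr, 0x30, 786432)    # $MFT start cluster
struct.pack_into("<Q", _vbr, 0x38, 2)         # $MFTMirr start cluster
struct.pack_into("<b", _vbr, 0x40, -10)       # MFT record size = 2**10 bytes
_vbr[510:512] = BOOT_SIG
VBR = bytes(_vbr)

if __name__ == "__main__":
    print("clean MBR findings:   ", check_mbr(CLEAN_MBR, BASELINE))
    print("tampered MBR findings:", check_mbr(TAMPERED_MBR, BASELINE))
    print("$MFT location:", parse_ntfs_vbr(VBR, PARTITIONS[0][2]))
```

On a live Windows host the input to `check_mbr` is the first 512 bytes of `\\.\PhysicalDrive0`, which requires administrator rights to read; the baseline hash should be stored off the machine, since an attacker with enough privilege to rewrite the MBR can also rewrite a local baseline. The check only applies to BIOS/MBR systems; UEFI/GPT machines boot through the EFI System Partition instead.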

Fake CHKDSK after boot

CHKDSK (Check Disk) is a Windows utility that checks the integrity of a disk. Petya shows a fake CHKDSK screen while, behind the scenes, it encrypts the MFT. Once the MFT encryption finishes, the skull image appears:

Petya bootscreen

The preceding screenshot pops up when the system is booted. When any key is pressed, another image pops up on the screen that asks for a ransom. The following is a screenshot:

Petya ransom screen

Petya encrypts the MFT with the Salsa20 stream cipher, which is small enough to run from the 16-bit boot code. The first version shipped a flawed implementation of the cipher, which is why a decryptor existed for early Petya infections; later versions fixed this.
