[HIP2017] – Dissecting A Ransomware-infected MBR – PETYA
Raoul Alvarez's presentation at Hack In Paris 2017 is a useful starting point for analyzing the PETYA malware, which is why we recommend watching the entire talk. Here, however, is the essential information to remember.
I. Concepts
First, it's important to understand what the MBR – Master Boot Record – is and how it works. It occupies the very first sector of the disk (512 bytes) and holds two things: the bootstrap code that the BIOS loads and executes, and the partition table that lets that code locate the bootable (active) partition. One of its limitations is that the partition table has room for only four primary partitions. This is one of the reasons its successor, GPT – GUID Partition Table – was created: it removes this restriction.
However, whether the disk is partitioned with MBR or GPT, the PETYA infection method is the same: a GPT disk still carries a "protective" MBR in sector 0, and sector 0 is what PETYA overwrites.
Another important concept to understand is the basic workings of the Windows NTFS file system. The role of a file system is to standardize how data is stored so that it can be manipulated (read, written). One of the fundamental components of NTFS is the MFT – Master File Table: a table with one record per file and directory on the volume, each record listing the file's attributes and the clusters where its contents are stored. Without the MFT, the file contents are still physically on the disk, but nothing says which clusters belong to which file.
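To make the MBR layout concrete, here is a small parser for sector 0, plus the integrity check a defender would want given that PETYA's first step is to overwrite the bootstrap code. This is an added example written for this article, not code from the talk or from PETYA; the sample MBR it builds is constructed, and the two "loader" byte strings it uses are arbitrary stand-ins, not real boot code. The check hashes only the 446-byte code region so that a legitimate repartitioning does not trip it, while a replaced loader does even when the partition table is left untouched.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446            # bytes 0-445: bootstrap code the BIOS jumps to
PARTITION_TABLE_OFFSET = 446    # four 16-byte entries follow the code
PARTITION_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510          # bytes 510-511 must be 0x55 0xAA
MBR_SIGNATURE = b"\x55\xaa"

PARTITION_TYPES = {
    0x00: "empty",
    0x07: "NTFS / exFAT",
    0x0C: "FAT32 (LBA)",
    0xEE: "GPT protective",     # the single entry found in sector 0 of a GPT disk
}


def parse_partition_entry(entry):
    """Decode one 16-byte partition table entry (CHS fields are ignored)."""
    boot_flag, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {
        "active": boot_flag == 0x80,
        "type": ptype,
        "type_name": PARTITION_TYPES.get(ptype, "other (0x%02x)" % ptype),
        "lba_start": lba_start,
        "sectors": sectors,
    }


def boot_code_sha256(sector0):
    """Hash only the bootstrap code, not the partition table or signature."""
    return hashlib.sha256(sector0[:BOOT_CODE_SIZE]).hexdigest()


def boot_code_changed(sector0, baseline_sha256):
    """True when the bootstrap code no longer matches a trusted baseline hash."""
    return boot_code_sha256(sector0) != baseline_sha256


def parse_mbr(sector0):
    """Parse a raw 512-byte sector 0 into signature status and partition table."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError("expected %d bytes, got %d" % (SECTOR_SIZE, len(sector0)))
    entries = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector0[start:start + PARTITION_ENTRY_SIZE]))
    used = [e for e in entries if e["type"] != 0x00]
    return {
        "signature_ok": sector0[SIGNATURE_OFFSET:] == MBR_SIGNATURE,
        "partitions": used,
        "active_count": sum(1 for e in used if e["active"]),
        "boot_code_sha256": boot_code_sha256(sector0),
    }


def build_sample_mbr(boot_code):
    """Constructed sample MBR: the given bytes padded to 446 as 'boot code',
    two NTFS partitions (the first marked active), two empty entries, signature."""
    code = boot_code.ljust(BOOT_CODE_SIZE, b"\x00")
    active = struct.pack("<B3sB3sII", 0x80, b"\x00" * 3, 0x07, b"\x00" * 3, 2048, 204800)
    second = struct.pack("<B3sB3sII", 0x00, b"\x00" * 3, 0x07, b"\x00" * 3, 206848, 1000000)
    empty = b"\x00" * PARTITION_ENTRY_SIZE
    return code + active + second + empty + empty + MBR_SIGNATURE


if __name__ == "__main__":
    # Stand-in byte strings (hypothetical, not real loaders): a "known-good"
    # loader we baseline, and a different one standing in for a bootkit's code.
    clean = build_sample_mbr(b"\xeb\x63\x90")
    baseline = boot_code_sha256(clean)
    infected = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
    print(parse_mbr(clean))
    print("boot code changed:", boot_code_changed(infected, baseline))
```

To run this against a real machine, read the first 512 bytes of `\\.\PhysicalDrive0` (Windows, as administrator) or `/dev/sda` (Linux, as root) and pass them to `parse_mbr`; keep the baseline hash somewhere the host cannot rewrite. On a GPT disk the table will show a single 0xEE entry, which is exactly why the code-region hash, not the table, is the thing to watch.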
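The "logical addresses" the MFT holds are encoded, for any file too large to fit inside its own record, as a data-run list in the non-resident $DATA attribute. Decoding one shows precisely what is lost when the MFT is encrypted: the clusters are still there, but the map to them is gone. The decoder below is an added example for this article, not code from the talk; the run list it decodes is constructed by hand (it includes a backwards run and a sparse run, both of which real volumes produce), and the cluster size is an assumed 4096 bytes.

```python
def decode_data_runs(runlist):
    """Decode an NTFS data-run list into a list of (lcn, length_in_clusters).

    Each run starts with a header byte: low nibble = size in bytes of the
    length field, high nibble = size in bytes of the offset field. The
    offset is a signed delta from the previous run's starting LCN (the first
    run is relative to LCN 0). An offset size of 0 marks a sparse run that
    has no clusters allocated, reported here as lcn=None. A header byte of
    0x00 terminates the list.
    """
    runs = []
    pos = 0
    lcn = 0
    while pos < len(runlist):
        header = runlist[pos]
        pos += 1
        if header == 0x00:
            return runs
        len_size = header & 0x0F
        off_size = header >> 4
        if len_size == 0 or pos + len_size + off_size > len(runlist):
            raise ValueError("malformed run header at offset %d" % (pos - 1))
        length = int.from_bytes(runlist[pos:pos + len_size], "little", signed=False)
        pos += len_size
        if off_size == 0:
            runs.append((None, length))                 # sparse run
        else:
            lcn += int.from_bytes(runlist[pos:pos + off_size], "little", signed=True)
            pos += off_size
            runs.append((lcn, length))
    raise ValueError("run list is not terminated")


def vcn_to_lcn(runs, vcn):
    """Map a virtual cluster (offset within the file) to its on-disk cluster.
    Returns None for a cluster inside a sparse run."""
    start = 0
    for lcn, length in runs:
        if start <= vcn < start + length:
            return None if lcn is None else lcn + (vcn - start)
        start += length
    raise ValueError("VCN %d is beyond the end of the run list" % vcn)


def runs_to_byte_ranges(runs, cluster_size):
    """Translate allocated runs into (byte_offset, byte_length) on the volume."""
    return [(lcn * cluster_size, length * cluster_size)
            for lcn, length in runs if lcn is not None]


# Constructed sample (not taken from a real volume):
#   21 18 34 56  -> 24 clusters starting at LCN 0x5634 = 22068
#   11 08 f0     -> 8 clusters, delta -16, so LCN 22052 (a run placed earlier on disk)
#   01 04        -> 4 sparse clusters (no offset field)
#   00           -> end of list
SAMPLE_RUNLIST = bytes.fromhex("21 18 34 56 11 08 f0 01 04 00")

if __name__ == "__main__":
    runs = decode_data_runs(SAMPLE_RUNLIST)
    print(runs)
    print("VCN 30 lives at LCN", vcn_to_lcn(runs, 30))
    print(runs_to_byte_ranges(runs, 4096))
```

In a real MFT record these bytes sit at the data-run offset of the non-resident attribute header; the first two runs above are ordinary fragmented allocation, and the sparse run is how NTFS represents a zero-filled region without spending disk space on it.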
II. Infection
Let's skip the infection phase. Once PETYA executes, it first overwrites the MBR, replacing the legitimate bootstrap code with its own boot loader. It then forces a restart (the machine crashes with a blue screen) so that, at the next boot, the BIOS hands control to PETYA's code instead of the Windows loader. At this point, the user simply thinks their computer has crashed.
Once restarted, PETYA displays a screen imitating the Windows "Check Disk" (CHKDSK) utility. A genuine CHKDSK message says that a Windows error has occurred and that the disk must be checked to prevent data loss, which is consistent with the crash the user has just witnessed. In reality, it is during this bogus integrity check that PETYA encrypts the MFT – Master File Table. The file contents themselves are untouched, but the table that says which clusters belong to which file is now ciphertext, which in theory makes the data unrecoverable without paying the ransom.
At the end of this step, PETYA restarts a second time, this time to display its ransom message.
Summary:
- Insertion into the MBR (the bootstrap code is overwritten)
- Forced restart of the computer so that it boots from the infected MBR
- The BIOS executes the infected MBR and therefore PETYA's boot loader
- PETYA displays a fake CHKDSK interface
- Meanwhile, it encrypts the MFT – Master File Table
- Once the encryption is complete, it restarts to display the ransom message
