{"id":228091,"date":"2017-07-06T19:07:10","date_gmt":"2017-07-06T17:07:10","guid":{"rendered":"http:\/\/securite.intrinsec.com\/?p=3262"},"modified":"2017-07-06T19:07:10","modified_gmt":"2017-07-06T17:07:10","slug":"hip2017-dissecting-a-ransomware-infected-mbr-petya","status":"publish","type":"post","link":"https:\/\/www.intrinsec.com\/en\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/","title":{"rendered":"[HIP2017] \u2013 Dissecting A Ransomware-infected MBR \u2013 PETYA"},"content":{"rendered":"<p>Raoul Alvarez&#039;s presentation at <a href=\"https:\/\/www.intrinsec.com\/en\/2017\/07\/06\/hack-in-paris-2017\/\">Hack In Paris 2017<\/a> is an interesting analysis of the PETYA malware, which is why we recommend watching the whole talk. Here is the essential information to remember.<\/p>\n<h1>I. Concepts<\/h1>\n<p>First, it&#039;s important to understand what the MBR \u2013 Master Boot Record \u2013 is and how it works. It occupies the very first sector of the disk and contains both the boot code the BIOS executes and the partition table the BIOS reads to find the bootable (active) partition. One of its limitations is that this table holds at most four primary partitions, which is one of the reasons its successor, GPT (GUID Partition Table), was created: GPT lifts this restriction.<\/p>\n<p>However, whether your hard drive uses MBR or GPT, the PETYA infection method is the same.<\/p>\n<p>Another important concept to understand is the basic workings of the Windows NTFS file system. The role of a file system is to standardize data storage so that it can be manipulated (read, written). One of the fundamental components of NTFS is the MFT \u2013 Master File Table \u2013 an index with one record per file that stores the file&#039;s metadata and the location of its data on the volume. Without the MFT, the data is still on disk, but nothing knows which clusters belong to which file.<\/p>\n<h1>II. Infection<\/h1>\n<p>Let&#039;s skip the infection phase (how the sample reaches the machine). Once PETYA executes, it first overwrites the MBR with its own boot code, so that the BIOS hands control to PETYA instead of the Windows boot loader. 
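<\/p>\n<p>As an added example (not code from the Intrinsec post or from the talk it summarises), the following Python script parses a 512-byte MBR laid out as described in section I and compares its boot code against a known-good SHA-256 baseline, which is the simplest way for a triage script to notice an MBR that has been overwritten the way PETYA does it. The function names, the sample sectors, the baseline hash and the partition layout (one active NTFS partition starting at LBA 2048) are all constructed for the example; on a real host you would feed it the first 512 bytes read from the raw disk device.<\/p>\n

```python
import hashlib
import struct

# Added example, not code from the Intrinsec post or from the talk it summarises.
# It parses one 512-byte MBR sector and compares the boot code with a known-good
# hash, which is how a triage script can spot an MBR overwritten by a bootkit.

SECTOR_SIZE = 512
BOOT_CODE_SIZE = 446             # bytes 0..445: code the BIOS jumps into
PARTITION_TABLE_OFFSET = 446     # four 16-byte partition entries follow
PARTITION_ENTRY_SIZE = 16
BOOT_SIGNATURE = bytes.fromhex('55aa')   # bytes 510..511 of a valid MBR
BOOTABLE_FLAG = 0x80
NTFS_TYPE = 0x07


def parse_partition_entry(entry):
    # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        '<B3sB3sII', entry)
    return {'bootable': status == BOOTABLE_FLAG, 'type': ptype,
            'lba_start': lba_start, 'sectors': sectors, 'empty': ptype == 0}


def parse_mbr(sector):
    if len(sector) != SECTOR_SIZE:
        raise ValueError('an MBR is exactly one 512-byte sector')
    entries = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entries.append(parse_partition_entry(sector[off:off + PARTITION_ENTRY_SIZE]))
    return {'boot_code': sector[:BOOT_CODE_SIZE], 'partitions': entries,
            'signature_ok': sector[510:512] == BOOT_SIGNATURE}


def boot_code_hash(sector):
    # Only the boot code is hashed: partition entries legitimately change,
    # the bootstrap code of a given Windows version should not.
    return hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest()


def check_mbr(sector, baseline_hash):
    # Returns a list of findings; an empty list means the MBR looks untouched.
    mbr = parse_mbr(sector)
    findings = []
    if not mbr['signature_ok']:
        findings.append('missing 0x55AA boot signature')
    if boot_code_hash(sector) != baseline_hash:
        findings.append('boot code differs from baseline (possible MBR overwrite)')
    active = [p for p in mbr['partitions'] if p['bootable'] and not p['empty']]
    if len(active) != 1:
        findings.append('expected exactly one active partition, found %d' % len(active))
    return findings


def make_entry(bootable, ptype, lba_start, sectors):
    status = BOOTABLE_FLAG if bootable else 0
    return struct.pack('<B3sB3sII', status, bytes(3), ptype, bytes(3), lba_start, sectors)


def build_sample_mbr(boot_code):
    # Constructed sample disk: one active NTFS partition starting at LBA 2048.
    code = (boot_code + bytes(BOOT_CODE_SIZE))[:BOOT_CODE_SIZE]
    table = make_entry(True, NTFS_TYPE, 2048, 204800) + bytes(3 * PARTITION_ENTRY_SIZE)
    return code + table + BOOT_SIGNATURE


# Constructed placeholders standing in for the real bootstrap code.
CLEAN_MBR = build_sample_mbr(b'constructed clean Windows bootstrap code')
TAMPERED_MBR = build_sample_mbr(b'constructed attacker boot loader that runs before Windows')
BASELINE = boot_code_hash(CLEAN_MBR)   # recorded once on a known-good host


if __name__ == '__main__':
    for name, sector in (('clean', CLEAN_MBR), ('tampered', TAMPERED_MBR)):
        print(name, check_mbr(sector, BASELINE) or 'OK')
    for p in parse_mbr(CLEAN_MBR)['partitions']:
        if not p['empty']:
            print('partition type=0x%02x bootable=%s lba=%d sectors=%d'
                  % (p['type'], p['bootable'], p['lba_start'], p['sectors']))
```

\n<p>The baseline is taken over the boot code only, because the partition entries change legitimately while the bootstrap code of a given Windows build does not; keep one baseline per disk image, and refresh it whenever the boot loader is updated, otherwise every update looks like an overwrite.<\/p>\n<p>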
Then it forces a reboot so that its boot code runs before Windows does. At this point, the user thinks their computer has crashed.<\/p>\n<p>Once restarted, PETYA displays the same screen as the Windows CHKDSK utility. Normally this screen means that a Windows error has occurred and that the disk must be checked to prevent data loss, which is consistent with what the user has just witnessed. In reality, it is during this bogus integrity check that PETYA encrypts the MFT \u2013 Master File Table. The file contents themselves stay on disk untouched, but without the MFT the file system can no longer be read, which in principle makes data recovery impossible without the key held by the attackers.<img fetchpriority=\"high\" decoding=\"async\" class=\"wp-image-3263 size-full aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/07\/petya-1.jpg\" alt=\"\" width=\"1038\" height=\"555\" \/><\/p>\n<p>At the end of this step, PETYA reboots a second time, cleanly this time, in order to display its ransom message.<img decoding=\"async\" class=\"wp-image-3265 size-full aligncenter\" src=\"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2017\/07\/petya-2-1.png\" alt=\"\" width=\"668\" height=\"371\" \/><\/p>\n<p><strong>Summary: <\/strong><\/p>\n<ol>\n<li>Insertion into the MBR<\/li>\n<li>Forced restart of the computer so that it boots from the infected MBR<\/li>\n<li>The BIOS executes the infected MBR, and therefore PETYA<\/li>\n<li>PETYA displays a fake CHKDSK interface<\/li>\n<li>Meanwhile, it encrypts the MFT \u2013 Master File Table<\/li>\n<\/ol>\n<p>Once the encryption is complete, it restarts to display the ransom message.<\/p>","protected":false},"excerpt":{"rendered":"<p>Raoul Alvarez&#039;s presentation at Hack In Paris 2017 is an interesting 
[\u2026]<\/p>","protected":false},"author":1,"featured_media":3268,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22],"tags":[],"class_list":["post-228091","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-veille-securite"],"yoast_head_json":{"title":"[HIP2017] - Dissecting A Ransomware-infected MBR \u2013 PETYA - INTRINSEC","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.intrinsec.com\/en\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/","og_locale":"en_US","og_type":"article","og_title":"[HIP2017] - Dissecting A Ransomware-infected MBR \u2013 PETYA","og_description":"Raoul Alvarez&#039;s presentation at Hack In Paris 2017 is an interesting [&hellip;]","og_url":"https:\/\/www.intrinsec.com\/en\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/","og_site_name":"INTRINSEC","article_published_time":"2017-07-06T17:07:10+00:00","author":"Intrinsec","twitter_card":"summary_large_image","twitter_creator":"@Intrinsec","twitter_site":"@Intrinsec","twitter_misc":{"Written by":"Intrinsec","Est. 
reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/#article","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/"},"author":{"name":"Intrinsec","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799"},"headline":"[HIP2017] &#8211; Dissecting A Ransomware-infected MBR \u2013 PETYA","datePublished":"2017-07-06T17:07:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/"},"wordCount":499,"commentCount":0,"publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"image":{"@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/#primaryimage"},"thumbnailUrl":"","articleSection":["Veille S\u00e9curit\u00e9"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/","url":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/","name":"[HIP2017] - Dissecting A Ransomware-infected MBR \u2013 PETYA - 
INTRINSEC","isPartOf":{"@id":"https:\/\/www.intrinsec.com\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/#primaryimage"},"image":{"@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/#primaryimage"},"thumbnailUrl":"","datePublished":"2017-07-06T17:07:10+00:00","breadcrumb":{"@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/#primaryimage","url":"","contentUrl":""},{"@type":"BreadcrumbList","@id":"https:\/\/www.intrinsec.com\/hip2017-dissecting-a-ransomware-infected-mbr-petya\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Accueil","item":"https:\/\/www.intrinsec.com\/"},{"@type":"ListItem","position":2,"name":"[HIP2017] &#8211; Dissecting A Ransomware-infected MBR \u2013 PETYA"}]},{"@type":"WebSite","@id":"https:\/\/www.intrinsec.com\/#website","url":"https:\/\/www.intrinsec.com\/","name":"INTRINSEC","description":"Our job is to protect 
yours.","publisher":{"@id":"https:\/\/www.intrinsec.com\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.intrinsec.com\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.intrinsec.com\/#organization","name":"INTRINSEC","alternateName":"ISEC","url":"https:\/\/www.intrinsec.com\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/","url":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","contentUrl":"https:\/\/www.intrinsec.com\/wp-content\/uploads\/2025\/02\/libellule.png","width":1322,"height":1322,"caption":"INTRINSEC"},"image":{"@id":"https:\/\/www.intrinsec.com\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/Intrinsec","https:\/\/fr.linkedin.com\/company\/intrinsec","https:\/\/www.youtube.com\/channel\/UC0trUZAHNZOUbxYnNdecM4A"],"description":"Intrinsec, a consulting firm and pure-play French and European cybersecurity provider for over 30 years, specializes in offensive security and auditing (penetration testing\/red teams), GRC, and IMSS services such as SOC, CTI, and CERT. 
Intrinsec is qualified at PASSI High, PRIS High, and PACS levels by ANSSI.","email":"contact@intrinsec.com"},{"@type":"Person","@id":"https:\/\/www.intrinsec.com\/#\/schema\/person\/ade590fbc7ad6f413727bae7cd3fb799","name":"Intrinsec","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fde6ed961c7078765b03a213927b5c4001b1cef4787255188f5b502a99e6ddd6?s=96&d=retro&r=g","caption":"Intrinsec"},"sameAs":["https:\/\/www.intrinsec.com"],"url":"https:\/\/www.intrinsec.com\/en\/author\/ufhtbqccsz\/"}]}},"_links":{"self":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/228091","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/comments?post=228091"}],"version-history":[{"count":0,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/posts\/228091\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/media?parent=228091"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/categories?post=228091"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.intrinsec.com\/en\/wp-json\/wp\/v2\/tags?post=228091"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}