Petya – Taking Ransomware To The Low Level

  • 1 April 2016
  • 9 replies
  • 954 views

Userlevel 7
Badge +54
See Also - PETYA ransomware targets enterprise users via the cloud and overwrites MBRs
 
April 1, 2016 | BY hasherezade
 
 
Petya is different from the other popular ransomware these days. Instead of encrypting files one by one, it denies access to the full system by attacking low-level structures on the disk. This ransomware’s authors have not only created their own boot loader but also a tiny kernel, which is 32 sectors long.
 
Petya’s dropper writes the malicious code at the beginning of the disk. The affected system’s master boot record (MBR) is overwritten by the custom boot loader that loads a tiny malicious kernel. Then, this kernel proceeds with further encryption. Petya’s ransom note states that it encrypts the full disk, but this is not true. Instead, it encrypts the master file table (MFT) so that the file system is not readable.
 
PREVENTION TIP: Petya is most dangerous in Stage 2 of the infection, which starts when the system is rebooted after the BSOD caused by the dropper. In order to prevent your computer from going automatically to this stage, turn off automatic restart after a system failure (see how to do it).
If you detect Petya in Stage 1, your data can still be recovered. More information about it can be found here and in this article.
 
Full Article
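As an added example (not part of the article or this thread) of the kind of check a defender can run against the MBR overwrite described above, the following Python parses sector 0 of a raw disk image and compares its boot code against a SHA-256 hash recorded while the machine was known-good; the sample sectors and baseline hash are constructed inline for illustration.

```python
import hashlib
import struct
SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # bytes 0..445 hold the boot loader code
PART_TABLE_OFF = 446           # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xAA"   # bytes 510..511

def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into boot-code hash, non-empty partition entries and signature."""
    if len(sector) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, CHS start (3 bytes skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:                              # type 0 means an unused entry
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return findings; an empty list means the MBR still matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible boot loader overwrite)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active partition in the table")
    return findings

def build_sector(boot_code: bytes) -> bytes:
    """Assemble a constructed 512-byte MBR: one NTFS partition at LBA 2048, rest empty."""
    table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000) + b"\x00" * 48
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + table + BOOT_SIGNATURE

# Constructed stand-ins: the first mimics a stock loader, the second a replaced one.
CLEAN_BOOT = bytes([0x33, 0xC0, 0x8E, 0xD0, 0xBC, 0x00, 0x7C]) + b"\x90" * (BOOT_CODE_LEN - 7)
OVERWRITTEN_BOOT = bytes([0xFA, 0x31, 0xC0]) + b"\xCC" * (BOOT_CODE_LEN - 3)
BASELINE = hashlib.sha256(CLEAN_BOOT).hexdigest()   # record this while the machine is known-good

if __name__ == "__main__":
    # On a real image: with open("disk.img", "rb") as f: sector = f.read(512)
    print(check_mbr(build_sector(CLEAN_BOOT), BASELINE))        # []
    print(check_mbr(build_sector(OVERWRITTEN_BOOT), BASELINE))  # one finding
```

Read the sector from an offline image or a drive attached to a clean machine rather than from the running system, since a compromised boot loader can sit beneath anything the infected OS reports.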

9 replies

Userlevel 7
Badge +62
Another nasty ransomware! Seems like they are coming on in the herds now. Did someone say this might just be our worst year for ransomware? Whenever it was said... it's going to be harder than ever for security AVs to stay on top of all these.
Userlevel 7
Hmmm... have to say that all ransomware is nasty by definition... LOL... nice ransomware would be a real oxymoron.
 
I was actually the one who mentioned that I had read that the 'pundits' predicted that this would be the year of the ransomware strike...but mainly in relation to attacks on corporate servers & networks rather than the individual user...and it seems that so far they were right...:(
Userlevel 7
Badge +54
I remember you talking about that Baldrick. I think the creators of ransomware have gone into overdrive; the question, though, is just how bad is it going to get?
Userlevel 7
Well, to be honest I suspect that it will follow the usual 'greed' profile, i.e., it is new and lucrative as defenses and public awareness are relatively low, but once they get enhanced the miscreants will move on to the next 'hot' infection vector, and whilst not as prevalent as before, ransomware will be with us in some form or another for years to come. :(
Userlevel 7
Badge +54
Lawrence Abrams  April 10, 2016 
An individual going by the Twitter handle leostone was able to create an algorithm that can generate the password used to decrypt a Petya encrypted computer. In my test, this algorithm was able to generate my key in 7 seconds.
The solution used to generate this key is called a genetic algorithm and is one that mimics the evolutionary process in order to solve problems. According to MathWorks:
A genetic algorithm (GA) is a method for solving both constrained and unconstrained optimization problems based on a natural selection process that mimics biological evolution. The algorithm repeatedly modifies a population of individual solutions. At each step, the genetic algorithm randomly selects individuals from the current population and uses them as parents to produce the children for the next generation. Over successive generations, the population "evolves" toward an optimal solution.
 
 
Full Article
Userlevel 7
Well, it just goes to show that it is not just the miscreants who have the clever people, eh? :D
Userlevel 7
The following article is an update on Petya ransomware.

Keygen alert: free password generator released for PETYA ransomware.

By Mark Wilson
 
 
The PETYA ransomware is just one of the recent examples of malware that encrypts victims' hard drives until a fee is paid. The advice from the government is not to pay the ransom -- or at least not expect to get a decryption key if you do -- but a password generator has been created that means you can decrypt your hard drive for free.
While TeslaCrypt 4 boasts 'unbreakable encryption', the same cannot be said of PETYA, although the PETYA ransomware does have the irritating habit of overwriting MBRs. This does mean that there is no way to interact with the drive on the infected computer, but with access to a spare machine to read the drive and access to the online tool created by Leostone, you could have your data back in seconds. As the tool's website proudly proclaims, you can "Get your petya encrypted disk back, WITHOUT paying ransom!!!" -- here's what you need to do.
 
full article here:
Userlevel 5
Hi,
 
One of my PCs just got infected by Petya ransomware... and when I try to restart Windows I see a red page before boot... (requesting a code... to unblock my files...). I had Webroot and my heuristics were at Maximum :(
 
So really? Why can't Webroot stop Petya with the behavior blocker? :(
Really bad experience :(
I think Webroot can do a rollback after infection... so I turned off real-time and ran the Petya ransomware... I saw in monitoring that Webroot blocked Petya, but after 1 second the system restarted and the red page showed...
 
Regards,
Parham
Userlevel 7
Hi MrParham
 
Your best bet here is to open a Support Ticket as soon as possible (if you have not already) to let the Support Team know of your situation... make sure that you specify that you have suffered an attack by ransomware.
 
Hopefully they can help you in relation to that.
 
Regards, Baldrick