Overview of Petya ransomware
In March, we covered the emergence of Petya trojan-ransomware, an original and dangerous threat. It was particularly virulent malware because it did not merely encrypt user files and hold them to ransom like its comrades; it encrypted the Master Boot Record (MBR), effectively locking the entire operating system.
The badware was delivered disguised as a fake résumé, targeting German HR departments. This boot-locking of course prevented any remedial action and removal of the malware. If, however, the system it penetrated was configured NOT to grant it Administrative privileges – or the user was alert – it could not run.
In April a clever technician came up with a way to deal with Petya’s threat, if it was caught in the act. It was thought that Petya’s time had come and gone, like the short life of the Tolstoy character of the same name. Wrong – it’s back, and this time it has a partner to overcome any Admin difficulties. If you are inattentive or unlucky enough to become acquainted with these two, you must dispatch Petya & Mischa as soon as possible.
The problem with Petya
As mentioned, if the malware cannot attain Admin status, it cannot touch the MBR. In the last version this privilege escalation was achieved by presenting a UAC prompt, supposedly necessary to view the fake portfolio (in the form of a PDF update or similar). As systems and software (and users!) start to adapt to the growing threat from ransomware, the other side has to change tactics to stay in this perpetual war game. In that case a decryption process was devised, so when the (supposedly) Red developers decided to relaunch on the West again, they sent Petya with a rearguard to patch the privilege flaw – enter Mischa.
Mischa is traditional trojan ransomware that encrypts files and gives them a four-character extension. This is your ‘customer reference number’, to be used for payment on the Tor site. Mischa provides full details in every folder regarding efficient payment (YOUR_FILES_ARE_ENCRYPTED.TXT). The ransom is currently reported to be about 1.93 bitcoin, or US$875. It is so far reported as being delivered in the same way as the last wave of Petya malware. The one difference from most ransomware is that this bad bear also encrypts .exe files.
If Petya cannot gain status on penetrating a machine, it commands Mischa to take over. This malware works in the background, encrypting. In Russian, this name is the diminutive of Michael. Its meaning is ‘Like God’, which fits with the arrogance of the opening statement on Petya’s original ransom demand, “Today we have launched the Petya Ransomwear Project”.
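The indicators just described (a ransom note in every folder, a burst of files sharing one unfamiliar four-character extension, .exe files included) can be hunted for with a small triage script. The following is an added example written for this page, not code from the original post or from any vendor tool; it runs over a constructed file listing, and the sample names assume the original extension is kept in front of the new suffix, which the write-up does not state.

```python
"""Triage a file listing for the Mischa indicators described above:
the per-folder ransom note and a cluster of files that all received the
same unfamiliar four-character extension (executables included).
Point scan_listing at a real walk of a suspect volume to use it for triage."""
import ntpath                      # Windows path rules, usable on any OS
from collections import defaultdict

RANSOM_NOTE = "YOUR_FILES_ARE_ENCRYPTED.TXT"   # note name from the write-up
# Ordinary four-letter extensions that must not raise an alert (assumed list).
KNOWN_4CHAR = {"docx", "xlsx", "pptx", "html", "jpeg", "json", "yaml",
               "java", "conf", "xlsm", "docm", "webp", "tiff"}
MIN_CLUSTER = 5   # assumed threshold: same odd extension on this many files

def split_suffix(path):
    """Return (stem, extension) with the extension lower-cased, '' if none."""
    name = ntpath.basename(path)
    stem, dot, ext = name.rpartition(".")
    return (stem, ext.lower()) if dot else (name, "")

def scan_listing(paths):
    """Return the indicators found in an iterable of file paths.
    notes       : folders containing the ransom note
    clusters    : {ext: count} for unknown 4-char extensions seen >= MIN_CLUSTER
    exe_victims : clustered files whose previous name ended in .exe
    """
    notes, by_ext = [], defaultdict(list)
    for p in paths:
        if ntpath.basename(p).upper() == RANSOM_NOTE:
            notes.append(ntpath.dirname(p))
            continue
        stem, ext = split_suffix(p)
        if len(ext) == 4 and ext.isalnum() and ext not in KNOWN_4CHAR:
            by_ext[ext].append((p, stem))
    clusters = {e: len(f) for e, f in by_ext.items() if len(f) >= MIN_CLUSTER}
    exe_victims = sorted(p for e in clusters for p, stem in by_ext[e]
                         if stem.lower().endswith(".exe"))
    return {"notes": sorted(set(notes)), "clusters": clusters,
            "exe_victims": exe_victims}

# Constructed listing: one clean folder and one folder hit by the encryptor.
SAMPLE = [
    r"C:\Users\hr\Documents\policy.docx",
    r"C:\Users\hr\Documents\photo.jpeg",
    r"C:\Users\hr\Downloads\YOUR_FILES_ARE_ENCRYPTED.TXT",
    r"C:\Users\hr\Downloads\cv_2016.pdf.kqzt",
    r"C:\Users\hr\Downloads\budget.xlsx.kqzt",
    r"C:\Users\hr\Downloads\setup.exe.kqzt",
    r"C:\Users\hr\Downloads\notes.txt.kqzt",
    r"C:\Users\hr\Downloads\report.docx.kqzt",
    r"C:\Users\hr\Downloads\readme.kqzt",
]

if __name__ == "__main__":
    print(scan_listing(SAMPLE))
```

The cluster threshold exists because a single odd extension is normal on any workstation; it is the same unknown suffix appearing across many files at once, alongside the note, that marks an encryption run.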
How to defeat Petya & Mischa
So far, research suggests that Petya is the same version, only with an ally. Details for dealing with Petya can be found here. However, it is not yet known whether eradicating the primary attacker will trigger the second wave. The best way to defend against Petya & Mischa is to avoid infection; find out here how to harden your system against ransomware. We will post more information on these two bad bears as soon as it becomes available.