The Petya and Misha ransomwares families have now decided to start using the quickly catching up Ransomware-as-a-Service (RaaS) trend.
Ransomware-as-a-Service allows anyone to become an official ransomware distributor. RaaS will surely be of a huge help in the increasing numbers of infection process. This is probably the reason why, after running a couple of test on the model, the Petya and Misha creators decided to adopt it and make the service overtly available.
A couple of months ago researchers noticed that the Petya ransomware used an unusual for the other ransomware families operation technique. The malicious package was not going after users` files, as expected, but instead it encrypted the entire hard drive by leveraging the boot sequence. After looking into it, analysts came to the conclusion that Petya was following a two-step encryption process in which it first forced a system reboot and then encrypted the hard drive.
Worried that many users would become suspicious and wouldn`t reboot their systems, the ransomware crooks decided to back up themselves by adding the Misha payload as a guarantee. Misha operates pretty much like any other ransomware, locking victims` file one at a time. It also needs a system reboot to start operating but the cybercriminals hoped that victims will be misled to think it is a failsafe to Petya. Other pieces of ransomware, like Satana has already began to use this two-step tactic.
Even after the upgrade, Petya`s encryption code was not strong enough but its creators succeeded in fixing it a few weeks ago. This is considered one more reason for the ransomware to adopt the RaaS.
Any accessory who wants to help in Petya/Misha distribution has to register by sending a small amount of Bitcoin. This is a prevention technique so the operators know their helpers are reliable and not scammers or timewasters. They promise their affiliates satisfactory profits, based on the payment volume and assure that their investments will be refunded right after the first revenue share payment.
On the welcome screen of Petya RaaS, the operators say that their helpers will get 25% for payment volume per week at first, but the percentage could go up to 85%. There is no doubt that many criminal wannebes will be tempted by this offer hence the expectation that Petya/Misha ransomware will soon be raging out of control.
Moreover, to ensure that their RaaS plan will be successful, the Petya operator have recently sabotaged one of their rivals known as Chimera. They published the Chimera secret keys online so decryptors could be created and their competitor will be out of the picture. But like this wasn’t enough, they also confessed that they had managed to break into the Chimera server and plagiarize its code for their product.
Malwarebytes researchers advise Chimera victims not to pay the ransom or delete their encrypted files because there is a change they can have them restored. They just have to be patient because checking if the keys actually work and, if they do, creating a decryptor will take some time.
