Several days ago, I wrote about a new singular Ransomware dubbed Petya that captured the attention of security experts because it causes a blue screen of death (BSoD) by overwriting the MBR.
Now security firm F-Secure has issued an alert on the Petya ransomware, sharing the results of its analysis about the threat.
The malware encrypts the entire disk instead of encrypting files on the infected system like any other ransomware,
The Petya ransomware encrypts the filesystem’s master file table (MFT) making impossible for the operating system the access to any file and making the machine unusable.
The MFT contains at least one entry for every file, including the MFT itself.
” Specifically, it will encrypt the filesystem’s master file table (MFT), which means the operating system is not able to locate files.” wrote Jarkko Turkulainen, F-Secure senior security researcher.
“It installs itself to the disk’s master boot record (MBR) like a bootkit. But instead of covert actions, it displays a red screen with instructions on how to restore the system.”
Why encrypt the MFT?
Because the encryption of an MFT is less consuming than the encryption of all the files contained on the disk, and the result is the same.
Even restoring the MBR with recovery system won’t help, because the MFT remains encrypted.
The attack of a generic ransomware is very slow respect an attack based on the Petya ransomware, this means that victims aware of the threat could act to limit the effects of the malware.
Petya is able to compromise the MFT in a few seconds, causing the system crash and forcing a restart, and according to F-Secure experts, in an enterprise environment there would be no time to take mitigation measures.
Another effect of the Petya infection is that the victim would need to use a machine different from the infected computer to pay the ransom.
Petya operates in two stages, in the first one is the main dropper that performs the following operations:
In the second phase, once infected the PC, the machine boots to MBR code, which:
The Petya ransomware implements a custom Elliptic Curve encryption scheme for file encryption, the dropper ships with a 192-bit public key and secp192k1 curve parameters hardcoded in the code.
Wanting to make a critical to the authors, the Petya ransomware doesn’t implement a mechanism for paying the ransom, instead, it just share a URL with victims.
“Somewhat ironically, in making it harder for victims to pay a ransom, Petya’s authors may have also lowered their own chances of profiting from it” F-Secure security advisor Sean Sullivan explained to Dark Reading. “As a result, the likelihood of the same technique being used more widely will depend on the success malware authors have in monetizing Petya.”
It is important to notice that only the server can restore the encryption key used to encrypt the files with the EC algorithm.
“The only way to restore the machine without the help of the server is to catch the salsa20 key inline of the infection process, using debuggers. Not a very attractive counter measure for the average computer user.” states F-Secure.
Ransomware is a serious threat, this form of digital extortion is becoming a common and profitable practice in the criminal underground.In recent months, ransomware samples like
The U.S DHS issued an alert warning users of the threat. The alert, issued late Thursday, warned consumers and businesses about the “devastating” consequences of a ransomware attack.
“In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.” states the alert.
“The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.”
(Security Affairs – Petya ransomware , cybercrime)