


What is Petya Ransomware & How to Protect Against It?


Petya and its adaptation NotPetya wreaked havoc in targeted attacks through 2016 and 2017. The Petya ransomware hit the headlines because it represented a new development in malware.

Cybersecurity businesses, such as McAfee, Malwarebytes, and Check Point, operate research labs where analysts investigate new viruses and work out who created them. National governments also have cyber defense agencies that perform similar research. These security experts came to the same conclusion about Petya: that it was an act of state-sponsored terrorism. However, they weren’t correct.

What is distinctive about Petya?

The most noteworthy attribute of Petya is that its creators didn’t seem too interested in collecting ransoms. Another interesting fact about Petya is that its most famous version was a hijacked copy and not the property of the original developer.

The version of Petya that was regarded as a tool of hybrid warfare wasn’t, in fact, Petya, but a system built by a hacker group linked to the Russian government that borrowed code from Petya. That pirated version of the ransomware is called NotPetya.

The original Petya was not so well known. However, the name of this ransomware became world-famous once the pirated version ripped across the world in 2017.

Where does Petya ransomware come from?

The creator of Petya was called Janus Cybercrime Solutions. No one knows where this group is based, but its logo includes the Soviet Union’s hammer and sickle icon, and it identifies with a fictional Russian crime syndicate. The group aimed to provide a ransomware template that others could use for a fee. This was a Ransomware-as-a-Service (RaaS) concept, similar to the “stress testing” services that the creators of DDoS botnets provide to monetize their assets.

So, with the original Petya, the attackers that targeted businesses with ransomware were using a tool. Each user set up an account and acted as an affiliate, using the toolkit for attacks and then paying the Janus group a percentage of their earnings. The Beta phase of the original Petya was open to applicants by invitation only.

A big problem for the hackers was that the original Petya needed administrator privileges. The holders of those accounts in businesses are not so easy to trick into handing over their credentials, and without administrator status for installation, the Petya software couldn’t run. So, Janus added a second system called Mischa, which encrypts files in the current user account and doesn’t need high-level privileges. The RaaS platform opened fully in July 2016.

What does Petya mean?

The James Bond film, GoldenEye, inspired the Petya name. The hackers who created it adopted names and images from that film, which had a plot centered around a Russian hacker group hijacking satellite-based weapon launchers.

The group had a Twitter account called Janus Secretary, with an avatar showing the Scottish actor Alan Cumming as Boris Grishenko, a hacker in the film’s Janus Syndicate.

In the film, set shortly after the dissolution of the Soviet Union, the Janus Syndicate uses malware to take control of two Soviet-era satellites. These carry GoldenEye weapons, which are electromagnetic pulse (EMP) systems. One of these satellites was called Petya. The RaaS website that accesses the Petya system is labeled “Janus Cybercrime.” When Janus added its second infection system to the Petya service, it used the name of the other GoldenEye satellite – Mischa.

Versions of Petya

Janus Cybercrime Solutions created four releases of Petya. These are:

  • Version 1.0, known as Red Petya because its ransom demands were on a red background, and the service’s logo was a skull and crossbones on a red background. This was live during the Beta phase of the RaaS.
  • Version 2.0, called Green Petya because its color palette had green text on a black background. This is the version that partnered with Mischa.
  • Version 2.5, same themes as Green Petya but with bug fixes.
  • Version 3.0, known as Goldeneye, used yellow text on a black background for its communications and black text on a yellow background for its skull and crossbones logo. This added a User Account Control (UAC) bypass to get at Administrator privileges.

Goldeneye was the last official version of Petya, and it was active up to December 2016. Versions after that were pirated copies created by other hacker teams that appropriated the Petya code and adapted it. Those are not, strictly speaking, new versions of Petya but new viruses that incorporate some of the principles of Petya. These are:

  • PetrWrap, which is based on Green Petya but has its own loading mechanism.
  • Santana, which is a copy of Mischa rather than Petya.
  • Petya+, written in the .NET framework. This virus doesn’t encrypt files but puts up a lock screen with a demand for payment.
  • NotPetya, also known as EternalPetya and ExPetr, is based on Goldeneye and is the copy that drew the most attention to the Petya family. The Sandworm hacker group developed this for the Russian military intelligence agency, the GRU.

The real Petya isn’t circulating anymore. So, you don’t need to worry about it. However, NotPetya is a more persistent problem.

How does Petya Ransomware work?

Petya only runs on Windows. It overwrites the Master Boot Record (MBR) of an infected computer and encrypts its Master File Table (MFT). It also disables Safe Mode. The result is that both files and the operating system become blocked, so there isn’t any way to continue using the computer unless the ransom is paid. This action requires Administrator access. If that is not possible, the installer runs the Mischa ransomware system instead. That encrypts files but leaves the computer itself usable.

A Petya attack begins with a spam email that purports to contain important information in an attachment. Users who download that attachment and open it trigger the virus. Green Petya masqueraded as a job application with a link to a profile. The profile included a downloadable PDF, which contained the virus. Goldeneye was initially aimed at Germany with a German-language email that had an infected attachment.

The dropper (installer) copies the Petya executable into the %APPDATA% directory under the name of a randomly chosen program found on the computer. Goldeneye will run the Mischa routine before the Petya attack.

If Administrator access is allowed, the computer will crash and then restart with a fake CHKDSK display. In truth, while you watch the progress of this operation, you are watching the progress of the encryption of the MFT, which is performed with the Salsa20 cipher. The computer then displays a skull and crossbones logo. The colors used on this screen tell you which version of Petya you are dealing with.

If the Petya version is Goldeneye, Administrator permission is not needed to get to the MFT. Red Petya does no harm if the user account it is downloaded onto doesn’t have Administrator privileges. Green Petya will run Mischa if it can’t get to the MFT to run its Petya routine. Mischa encrypts files in the account with a combination of asymmetric RSA encryption and the AES cipher.

Annoyingly, while other ransomware focuses on personal files such as documents, images, video, and audio, Mischa also encrypts .EXE files. An encrypted file keeps its original name but gains an extra extension on the end: a random string of characters. Renaming the file to remove that extra extension won’t decrypt the contents.
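The rename pattern just described (original name kept, one random-looking extension appended, executables included) is something a file-monitoring tool can alert on. The following is an added detection example, not code from the article or from any product it mentions; the event format, user names, paths, and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample rename events (not from the article), one per line:
# "<epoch> <user> <old path> -> <new path>"
SAMPLE_EVENTS = """\
1500000000 alice C:\\Users\\alice\\Documents\\budget.xlsx -> C:\\Users\\alice\\Documents\\budget.xlsx.7GtQ
1500000001 alice C:\\Users\\alice\\Documents\\notes.docx -> C:\\Users\\alice\\Documents\\notes.docx.7GtQ
1500000002 alice C:\\Users\\alice\\Tools\\putty.exe -> C:\\Users\\alice\\Tools\\putty.exe.7GtQ
1500000003 alice C:\\Users\\alice\\Pictures\\cat.jpg -> C:\\Users\\alice\\Pictures\\cat.jpg.7GtQ
1500000900 bob C:\\Users\\bob\\draft.txt -> C:\\Users\\bob\\draft.bak
1500000950 bob C:\\Users\\bob\\report.docx -> C:\\Users\\bob\\report.docx.bak
"""

# Suffixes that editors and backup tools legitimately append; tune for your estate.
BENIGN_SUFFIXES = {"bak", "tmp", "old", "orig", "swp", "part"}
RANDOM_SUFFIX = re.compile(r"^[A-Za-z0-9]{4,12}$")
WINDOW_SECONDS = 60   # burst window (assumed value)
THRESHOLD = 3         # suspicious renames per user per window before alerting

def parse_events(text):
    """Parse the constructed event lines into (epoch, user, old, new) tuples."""
    events = []
    for line in text.splitlines():
        ts, user, rest = line.split(" ", 2)
        old, new = rest.split(" -> ")
        events.append((int(ts), user, old, new))
    return events

def is_mischa_style_rename(old, new):
    """True when the new name is the old name plus one random-looking extension."""
    if not new.startswith(old + "."):
        return False
    suffix = new[len(old) + 1:]
    return bool(RANDOM_SUFFIX.match(suffix)) and suffix.lower() not in BENIGN_SUFFIXES

def detect_bursts(events):
    """Return {user: (count, touched_exe)} for users whose suspicious renames reach
    THRESHOLD inside WINDOW_SECONDS; touched_exe flags the .EXE encryption that
    distinguishes Mischa from most ransomware."""
    per_user = defaultdict(list)
    for ts, user, old, new in sorted(events):
        if is_mischa_style_rename(old, new):
            per_user[user].append((ts, old.lower().endswith(".exe")))
    alerts = {}
    for user, hits in per_user.items():
        for i in range(len(hits)):
            window = [h for h in hits[i:] if h[0] - hits[i][0] <= WINDOW_SECONDS]
            if len(window) >= THRESHOLD:
                alerts[user] = (len(window), any(exe for _, exe in window))
                break
    return alerts
```

Running `detect_bursts(parse_events(SAMPLE_EVENTS))` flags only alice, whose four renames in four seconds include an executable, while bob's ordinary backup-style renames pass.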

The skull and crossbones logo is animated, and when the initial run-through completes, the screen shows a ransom demand. It asks for a payment in Bitcoin. By the time of Green Petya, the ransom was 1.93 Bitcoin, which, at the time, was worth $875. Today, that amount would be worth $71,975.

The demand gives the user instructions to download the Tor Browser and go to a specific site. This page shows the price in Bitcoin. The user has to enter a unique ID, which is displayed on the ransom demand screen. The result of the payment process is a decryption key for Petya and a decryptor utility for Mischa.

Once NotPetya started to circulate, Janus Cybercrime Solutions shut down Petya and published its master key to decrypt all previous attacks. In addition, Malwarebytes Labs produced an automated decryptor based on this key to assist victims.

How to deal with a Petya ransomware attack

The best way to deal with any malware is to be prepared. As email phishing scams, tempting illegal video downloads, and infected websites are the most frequently used channels for infection, you particularly need to watch over the security of your endpoints.

Follow these four points to prevent system susceptibility to Petya ransomware:

  1. Educate users about how viruses get in and explain to them how to avoid infections.
  2. Use an automated patch manager and software updater.
  3. Back up all systems with a strategy that keeps separate backups for each device.
  4. Install an endpoint detection and response service.

Using the right tools for the system, you can prevent infections from Petya ransomware and other malware and be in a good position to recover from any ransomware attacks that foil your defenses.

The best tools to protect against Petya ransomware

The story of the Petya ransomware family shows how quickly malware can change. All of the eight versions and adaptations of Petya emerged in a little over a year. So, getting a defense tool that works well right now doesn’t necessarily mean that you will be protected against future attacks from new malware.

Fortunately, some excellent systems can detect malicious activity even if it is caused by malware that has never been encountered before. Here are two tools that you could try that watch over endpoints and protect files from tampering.

1. CrowdStrike Falcon Insight


CrowdStrike Falcon Insight combines endpoint software with a cloud platform. This is a combination of the CrowdStrike Falcon Prevent next-generation antivirus package with a cloud-based coordinator that acts as a SIEM.

The advantage of this configuration is that endpoint protection continues even if the device is disconnected from the network and the Internet. In addition, the cloud module is updated immediately with the latest threat intelligence and coordinates instructions to all endpoint agents.

Falcon Insight updates endpoints when available, and in return, the endpoint agents upload activity intelligence. The Insight system scans through the logs that Prevent sends it to look for indicators of compromise. A significant advantage of using the CrowdStrike system is that it maintains a research team that constantly looks for new viruses and ransomware and works out how to combat them. The data uploaded from the Falcon Prevent systems provides the source data for these investigations.

CrowdStrike Falcon Insight can manage threat response. Its response options include isolating a machine if ransomware is detected. The service also runs a blacklist of infected sites and known hacker IP addresses. Falcon Insight is also helpful for defending against network intrusion. You can get a 15-day free trial of Falcon Prevent.

2. ManageEngine DataSecurity Plus


ManageEngine DataSecurity Plus is a data and file protector. As such, it is adept at spotting unauthorized changes to files, which is precisely the activity that most ransomware systems implement. In addition, the ManageEngine system installs on Windows Server and watches over devices running Windows, the most frequently attacked operating system.

The DataSecurity Plus system monitors files and identifies unauthorized changes. As soon as one is spotted, the system raises an alert. When setting up the ManageEngine software, the system administrator can decide what the tool should do once it identifies malware activity. It is possible to set up a workflow that institutes automated responses, such as isolating the device or restoring files.

ManageEngine DataSecurity Plus can also serve businesses following a data privacy standard, such as PCI DSS, HIPAA, or GDPR. The service will identify sensitive data locations and categorize all data instances. It also tracks activity around sensitive data. DataSecurity Plus is available for a 30-day free trial.

The article What is Petya Ransomware & How to Protect Against It? first appeared on Comparitech.
