Monday, September 19, 2016

Petya Resolved!

Ransomware has become well known over the last few years, and its effects on consumer and commercial victims have been devastating. Hospitals have had to pay in order to regain access to their files; at times there has been no alternative.
Ransomware encrypts data, files, or entire hard drives with an algorithm strong enough that guessing the decryption key would take years. Without the key, the data is simply unreadable. A payment is demanded for the key. The amount varies and must be paid within a set number of days; if it is not paid within the attacker-imposed timeframe, the attacker may refuse the funds and withhold the key, or raise the fee.
Unfortunately for consumers and commercial enterprises, this has become more prevalent (Ginos, 2016). The attackers have weighed the effort needed for the attack (a spam email) against the fees to be collected, and that simple equation has made the activity lucrative. It has been particularly rampant in the healthcare industry, which needs constant access to patient medical records.
Some have no choice but to pay. If there are no recent back-ups, or the back-ups are corrupt or were never made, there truly is no choice when the encrypted data is of any consequence or the entity needs it to operate, as in the case of hospitals.
This is not a new avenue for criminals. Although much more common recently, it has been an active pursuit for years. Earlier families included CryptoWall, TeslaCrypt, and Locky (Zorabedian, 2016).
Petya
With this specific ransomware family, users have been statistically lucky. Although it was a real problem for infected users and, more importantly, their systems before the decryption methods appeared, Petya has not been seen in large numbers (Zorabedian, 2016).
In general, the prior mode of operation had been to encrypt individual files, because that is where the data people needed for home or work was located, and that raised the likelihood that they would pay. This is a clear detriment to the infected clients.
Petya added a new twist. It was coded specifically to encrypt the master file table (MFT), the NTFS index that records where every file on the volume lives, so the file contents are left in place but the file system can no longer find them (Bisson, 2016b; Ducklin, 2016). Petya also replaces the master boot record (MBR) with a malicious loader, so the machine boots into the ransomware's own code instead of Windows (Zorz, 2016a; Mimoso, 2016a; Zorz, 2016b; Torres, 2016; Constantin, 2016a).
As with other ransomware samples, this one also had a target market in mind. The attackers sent the ransomware mostly to companies in Germany (Mimoso, 2016a), and the specific intended victims were their HR departments (Zorz, 2016a).
Petya also followed suit in imposing a time limit on the payment. The user of the infected system had a week to pay the fee; after that the fee would double (Torres, 2016).
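Because Petya's first move is to overwrite the MBR, the most direct host-level check is to read the first sector of the disk and compare its bootstrap code with a known-good copy. The script below is an added example written for this post; it is not Petya's code and not a tool from any of the cited articles. The two 512-byte MBRs it inspects are constructed, and the baseline hash is taken from the constructed good copy (on a real system it would come from a golden image of the same machine); the partition-table and signature checks are generic MBR sanity rules.

```python
"""Check a raw 512-byte master boot record for signs of tampering.

Added example, not code from the original post or from the cited articles.
The sample MBRs below are constructed; the baseline hash would normally come
from a known-good image of the same machine.
"""
import hashlib
import struct

SECTOR = 512
BOOT_CODE_LEN = 446          # bytes 0..445: bootstrap code
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xAA"      # bytes 510..511


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition entries as dicts (status, type, lba, sectors)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = mbr[off], mbr[off + 4]
        lba, sectors = struct.unpack_from("<II", mbr, off + 8)
        entries.append({"status": status, "type": ptype, "lba": lba, "sectors": sectors})
    return entries


def check_mbr(mbr: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches expectations."""
    findings = []
    if len(mbr) != SECTOR:
        return [f"unexpected MBR length {len(mbr)}"]
    if mbr[510:512] != SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest() != baseline_boot_hash:
        findings.append("bootstrap code differs from baseline (possible MBR overwrite)")
    parts = parse_partitions(mbr)
    for i, p in enumerate(parts):
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte 0x{p['status']:02x}")
    if not any(p["type"] for p in parts):
        findings.append("partition table empty")
    return findings


# Constructed known-good MBR: a stub of boot code, one active NTFS (0x07)
# partition at LBA 2048, and the 0x55AA signature.
GOOD_MBR = bytearray(SECTOR)
GOOD_MBR[:8] = b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C"   # cli; xor ax,ax; mov ss,ax; mov sp,7C00h
GOOD_MBR[PART_TABLE_OFF:PART_TABLE_OFF + 16] = (
    bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000))
GOOD_MBR[510:512] = SIGNATURE
GOOD_MBR = bytes(GOOD_MBR)
BASELINE = hashlib.sha256(GOOD_MBR[:BOOT_CODE_LEN]).hexdigest()

# Constructed tampered MBR: same partition table and signature, but the
# bootstrap code has been replaced, which is what an MBR-replacing loader
# leaves behind.
TAMPERED_MBR = bytearray(GOOD_MBR)
TAMPERED_MBR[:BOOT_CODE_LEN] = b"\xEB\xFE" + b"\x90" * (BOOT_CODE_LEN - 2)
TAMPERED_MBR = bytes(TAMPERED_MBR)


if __name__ == "__main__":
    # On a live system read the first sector instead, e.g.
    # open(r"\\.\PhysicalDrive0", "rb").read(512) on Windows (as administrator)
    # or open("/dev/sda", "rb").read(512) on Linux (as root).
    print("good:", check_mbr(GOOD_MBR, BASELINE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline should be captured before deployment and stored off the host, since a bootkit that can rewrite sector 0 can just as easily rewrite a hash file sitting on the same disk.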
Method of Delivery
To infect as many victims as possible, a social engineering tactic was used. A user in the HR department receives an email that appears to be from a job-seeker but is really from the attacker and carries the malicious payload. The file enclosed in the spam email appears to be a CV or résumé, which is exactly what an HR department expects to receive (Zorz, 2016a; Ginos, 2016). There may also be a link to a Dropbox file instead of an attachment (Mimoso, 2016a). Instead of an innocent document being downloaded, Petya is installed: the attached file is not a .doc or .docx but an executable (Zorz, 2016a; Bisson, 2016a). HR staff may not be that tech savvy and may not even notice. Once run, the executable replaces the MBR with the malicious loader (Mimoso, 2016a) and then forces a crash to the blue screen of death so that the machine reboots into that loader; on reboot the loader shows a fake CHKDSK screen while it is actually encrypting the MFT. After the reboot, the ransomware demands approximately $400 in bitcoin for the decryption key (Torres, 2016; Thomson, 2016; Constantin, 2016a; Bisson, 2016b; Mimoso, 2016b).
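The lure works because the mail gateway and the HR user both judge the attachment by its name. A gateway rule that looks at the bytes instead catches this regardless of what the file is called. The triage function below is an added example for this post, not code from the original or from any cited tool: it flags executable and double extensions, checks that the claimed document type matches the file's magic bytes, and parses the DOS/PE headers so that a renamed executable is still recognised. The attachment samples (a minimal PE stub, the first bytes of a .docx ZIP container, and a PDF header) are constructed.

```python
"""Triage an e-mail attachment by content, not by the name it arrived with.

Added example, not code from the original post or the cited articles.
The attachment samples are constructed: a minimal PE stub standing in for
the executable, and the leading bytes of a real .docx (ZIP) and .pdf.
"""
import struct

EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd", "js", "vbs", "hta"}
DOCUMENT_EXTS = {"doc", "docx", "pdf", "rtf", "odt"}

# Magic bytes a file with the claimed extension should start with.
EXPECTED_MAGIC = {
    "pdf": (b"%PDF",),
    "docx": (b"PK\x03\x04",),                          # OOXML is a ZIP container
    "doc": (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1",),     # OLE2 compound file
    "rtf": (b"{\\rtf",),
    "exe": (b"MZ",),
}


def looks_like_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def triage_attachment(filename: str, data: bytes) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    findings = []
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable extension .{ext}")
    if len(parts) > 2 and parts[-2] in DOCUMENT_EXTS and ext in EXECUTABLE_EXTS:
        findings.append("double extension masquerading as a document")
    expected = EXPECTED_MAGIC.get(ext)
    if expected and not any(data.startswith(m) for m in expected):
        findings.append(f"content does not match claimed .{ext} format")
    if looks_like_pe(data) and ext not in EXECUTABLE_EXTS:
        findings.append("PE executable content under a non-executable name")
    return findings


def verdict(filename: str, data: bytes) -> str:
    """Gateway decision: block anything with at least one finding."""
    return "block" if triage_attachment(filename, data) else "allow"


# Constructed samples.
PE_STUB = bytearray(0x80)
PE_STUB[:2] = b"MZ"
struct.pack_into("<I", PE_STUB, 0x3C, 0x40)   # e_lfanew -> offset 0x40
PE_STUB[0x40:0x44] = b"PE\x00\x00"
PE_STUB = bytes(PE_STUB)
DOCX_HEAD = b"PK\x03\x04\x14\x00\x06\x00" + b"\x00" * 24
PDF_HEAD = b"%PDF-1.4\n%\xE2\xE3\xCF\xD3\n"

if __name__ == "__main__":
    samples = [("Bewerbung_CV.pdf.exe", PE_STUB), ("Lebenslauf.docx", PE_STUB),
               ("cv.docx", DOCX_HEAD), ("resume.pdf", PDF_HEAD)]
    for name, blob in samples:
        print(f"{name:24} {verdict(name, blob):5} {triage_attachment(name, blob)}")
```

A Dropbox link bypasses the attachment check entirely, which is why the same content inspection has to be applied at the web proxy on the download, not only at the mail gateway.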
Encryption Cracked
Encryption is only a barrier while it remains uncracked; once it is cracked, it is merely a speed bump. In this case the cipher was reported as Salsa10 (Thomson, 2016), that is, the Salsa20 stream cipher run with 10 rounds instead of the standard 20, in an implementation the Petya author wrote himself. The weakness that mattered was not Salsa20 as a design, which has not been broken, but the flaws in that home-made, reduced-round implementation. Fortunately, tools have been created to decrypt Petya (Zorz, 2016b), and with such a tool in hand the computer is once again usable for more than a boat anchor.
In late March 2016, a malware analyst known as Hasherezade wrote a decoder that extracts from the infected disk the data needed to recover the key (Zorz, 2016b). Another tool, created by "Leo Stone", takes that data and computes the key (Zorabedian, 2016; Zorz, 2016b). The difference with this second option is that it can also be used after the computer has been rebooted, and it is provided free of charge (Mendoza, 2016). The key recovery takes about seven seconds (Reeve, 2016); the recovered key is then entered into the ransomware's own ransom screen, which performs the decryption.
It should be noted that this is a relative anomaly. Ransomware is generally written so that it cannot be cracked within a reasonable amount of time, and a decryptor should never be counted on as a recovery strategy; tested, offline back-ups remain the only reliable one.
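To make the cracking section concrete: Petya leaves two things on disk that a key-recovery tool can use, the nonce and a check sector whose plaintext is a fixed filler byte, so anyone holding the disk has a known-plaintext oracle for the key. The block below is an added example written for this post, not Petya's code and not the Hasherezade or Leo Stone tools. It implements Salsa20/r with a selectable round count (r = 20 is the real cipher, r = 10 the variant reported for Petya), builds such a check sector, and recovers the key by testing candidates against it. The on-disk model (8-byte nonce, 512-byte sector filled with 0x37) follows the published Petya analyses; the "known key prefix" that keeps the search to 256 candidates is an assumption purely for illustration and is not Petya's actual weakness. The point it shows is that any leak of key bits, whether from a reduced effective key size or a flawed implementation, turns the check sector into a yes/no test that a brute-force loop can drive.

```python
"""Salsa20/r keystream, a known-plaintext check sector, and a toy key search.

Added example, not the ransomware's code and not from the cited articles.
The on-disk model (an 8-byte nonce and a 512-byte check sector whose
plaintext is a fixed filler byte) follows the published Petya analyses;
the 'known key prefix' used to keep the search small is an assumption for
illustration and is not Petya's actual weakness.
"""
import struct

MASK = 0xFFFFFFFF
CHECK_FILL = 0x37                      # filler byte of the check sector in the published analyses
CHECK_SECTOR = bytes([CHECK_FILL]) * 512


def _rotl(v, c):
    return ((v << c) & MASK) | (v >> (32 - c))


def _quarter(y0, y1, y2, y3):
    y1 ^= _rotl((y0 + y3) & MASK, 7)
    y2 ^= _rotl((y1 + y0) & MASK, 9)
    y3 ^= _rotl((y2 + y1) & MASK, 13)
    y0 ^= _rotl((y3 + y2) & MASK, 18)
    return y0, y1, y2, y3


def salsa20_block(key: bytes, nonce: bytes, counter: int, rounds: int = 20) -> bytes:
    """One 64-byte keystream block of Salsa20/rounds; rounds=20 is the real cipher."""
    if len(key) == 32:
        const, k0, k1 = b"expand 32-byte k", key[:16], key[16:]
    elif len(key) == 16:
        const, k0, k1 = b"expand 16-byte k", key, key
    else:
        raise ValueError("key must be 16 or 32 bytes")
    if len(nonce) != 8 or rounds % 2:
        raise ValueError("nonce must be 8 bytes and rounds even")
    c = struct.unpack("<4I", const)
    x = [c[0], *struct.unpack("<4I", k0), c[1], *struct.unpack("<2I", nonce),
         counter & MASK, (counter >> 32) & MASK, c[2], *struct.unpack("<4I", k1), c[3]]
    s = list(x)
    for _ in range(rounds // 2):                                          # one double round
        s[0], s[4], s[8], s[12] = _quarter(s[0], s[4], s[8], s[12])      # column round
        s[5], s[9], s[13], s[1] = _quarter(s[5], s[9], s[13], s[1])
        s[10], s[14], s[2], s[6] = _quarter(s[10], s[14], s[2], s[6])
        s[15], s[3], s[7], s[11] = _quarter(s[15], s[3], s[7], s[11])
        s[0], s[1], s[2], s[3] = _quarter(s[0], s[1], s[2], s[3])        # row round
        s[5], s[6], s[7], s[4] = _quarter(s[5], s[6], s[7], s[4])
        s[10], s[11], s[8], s[9] = _quarter(s[10], s[11], s[8], s[9])
        s[15], s[12], s[13], s[14] = _quarter(s[15], s[12], s[13], s[14])
    return struct.pack("<16I", *[(a + b) & MASK for a, b in zip(s, x)])


def salsa20_xor(key: bytes, nonce: bytes, data: bytes, rounds: int = 20) -> bytes:
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, i // 64, rounds)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def make_check_block(key: bytes, nonce: bytes, rounds: int) -> bytes:
    """What is left on disk: the known filler sector encrypted under the victim's key."""
    return salsa20_xor(key, nonce, CHECK_SECTOR, rounds)


def recover_key(known_prefix: bytes, nonce: bytes, enc_check: bytes, rounds: int):
    """Search the unknown tail of a 16-byte key; the check sector is the oracle.
    Each candidate is tested on one keystream block first and confirmed on the
    whole sector, so a false positive would need 512 matching bytes."""
    missing = 16 - len(known_prefix)
    target = enc_check[:64]
    for tail in range(256 ** missing):
        cand = known_prefix + tail.to_bytes(missing, "big")
        ks = salsa20_block(cand, nonce, 0, rounds)
        if bytes(a ^ b for a, b in zip(CHECK_SECTOR[:64], ks)) == target:
            if make_check_block(cand, nonce, rounds) == enc_check:
                return cand
    return None


if __name__ == "__main__":
    import os
    nonce, key = os.urandom(8), os.urandom(16)          # constructed victim values
    enc = make_check_block(key, nonce, rounds=10)       # 10 rounds, as reported for Petya
    found = recover_key(key[:15], nonce, enc, rounds=10)
    print("key recovered:", found == key)
```

With a full 128-bit key and a sound implementation the same loop would never finish; the check sector only becomes a problem once something else has shrunk the candidate space, which is exactly what the published Petya cracks exploited.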


References


Abrams, L. (2016, March 25). Petya ransomware skips the files and encrypts your hard drive instead. Retrieved from http://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-and-encrypts-your-hard-drive-instead/
Bisson, D. (2016a, March 29). Petya ransomware goes for broke and encrypts hard drive master file tables. Retrieved from https://www.grahamcluley.com/2016/03/petya-ransomware
Bisson, D. (2016b, April 11). Infected by Petya ransomware? Use this tool to unlock your files...for now. Retrieved from https://www.grahamcluley.com/2016/04/petya-ransomware-unlock-tool/
Constantin, L. (2016a, March 28). Petya ransomware overwrites MBRs, locking users out of their computers. Retrieved from http://www.infowarold.com/article/3048713/security/petya-ransomware-overwrites-mbrs-locking-users-out-of-their-computers.html
Constantin, L. (2016b, April 11). Experts crack Petya ransomware, enable hard drive decryption for free. Retrieved from http://www.pcworld.com/article/3054220/security/experts-crack-petya-ransomware-enable-hard-drive-decryption-for-free.html
Ducklin, P. (2016, April 4). New ransomware with an old trick: "Petya" parties like it's 1989. Retrieved from https://nakedsecurity.sophos.com/2016/04/04/new-ransomware-with-an-old-trick-petya-parties-like-its-1989/
Ginos, I. (2016, March 26). Petya ransomware reportedly encrypts hard drives, manipulates operating system boot process. Retrieved from http://www.neowin.net/news/petya-ransomware-reportedly-encrypts-hard-drives-manipulates-operating-system-boot-process
Mimoso, M. (2016a, March 28). Petya ransomware encrypts master file table. Retrieved from https://threatpost.com/petya-ransomware-encrypts-master-file-table/117024/
Mimoso, M. (2016b, March 29). Researchers learning more about Petya ransomware. Retrieved from https://threatpost.com/researchers-learning-more-about-petya-ransomware/117068/
Reeve, T. (2016). Cure for Petya engineered by anonymous security researcher. Retrieved from http://www.scmagazineuk.com/cure-for-petya-engneered-by-anonymous-security-researcher/article/488802/?DCMP=EMC-SCUK_Newswire&spMailingID=14201710&spUserID-NTAzOTUzMjgwNzES1&spJob...
Thomson, I. (2016, April 12). Infected with Petya ransomware? Retrieved from http://www.theregister.co.uk/2016/04/12/petya_ransomware_free_fixit_tool/
Torres, J. C. (2016, March 28). Petya ransomware targets entice drives, not just files. Retrieved from http://www.slashgear.com/petya-ransomware-targets-entice-drives-not-just-files-28433671/
Zorabedian, J. (2016, April 12). Petya ransomware decryption tool sets your files free. Retrieved from https://nakedsecurity.sophos.com/2016/04/12/petya-ransomware-decryption-tool-sets-your-files-free/
Zorz, Z. (2016a, March 29). Petya ransomware encrypts files, disks, locks users out. Retrieved from https://www.helpnetsecurity.com/2016/03/29/petya-ransomware-locks-computers/
Zorz, Z. (2016b, April 11). Petya ransomware encryption has been cracked. Retrieved from https://www.helpnetsecurity.com/2016/04/11/petya-ransomware-encryption-cracked/


