Petya, the recently discovered ransomware family that encrypts entire hard disks, performs its encryption in two phases, researchers have found.
Detailed for the first time last week, Petya is the first ransomware found to encrypt entire hard drives, an unusual behavior for this type of malware, but also an important step in the evolution of the threat. Other top ransomware families out there, including Locky, CryptoWall and TeslaCrypt, encrypt users' files individually instead.
When discovered, Petya was said to be aimed at organizations, being distributed via emails sent to the human resources departments, which included a Dropbox download link to an alleged job application portfolio. The portfolio is an executable file that causes a PC crash with a BSOD and prompts a reboot, during which the malware manipulates the Master Boot Record (MBR) to take over the machine.
According to researchers, the reboot process is the key step in the Petya infection, as it allows the ransomware to perform its nefarious operations unhindered. In other words, this second phase of infection is when the hard drive is actually encrypted, and preventing the reboot would allow users to prevent encryption.
During the first phase of infection, the aforementioned executable (the ransomware's dropper) overwrites the beginning of the disk and creates an XOR-encrypted backup of the partition table, malware analyst hasherezade explains. As soon as this stage ends, the user is presented with a BSOD and prompted to reboot the PC, which triggers the second phase of the infection process.
However, since only the beginning of the disk (including the MBR) was overwritten, users can recover their data relatively easily at this stage, mainly because the file system is intact and the disk can be mounted to access its content. Thus, users who suspect they might have been infected should prevent the computer from rebooting and should instead make a disk dump, or mount the disk from another operating system and back up their files.
The second stage of infection is carried out by a fake CHKDSK (check disk) screen that runs upon reboot (the reboot being forced via ExitWindowsEx or NtRaiseHardError, according to a KernelMode forum thread), since the malware already controls the MBR. As soon as this stage has been completed, the file system is destroyed and users no longer have access to their files.
Petya encrypts the partition table with XOR by '7' and uses the same algorithm to verify the key supplied by the user during the decryption process, researchers say. Should a fake key be provided and pass as valid, the ransomware is able to recover the original MBR, yet the decryption of the other files will fail, meaning that the operating system won't run.
— hasherezade (@hasherezade) March 30, 2016
However, should the key pass the check, Petya starts decrypting the drive and displays the progress on the screen, hasherezade says. When done, it asks the user to reboot the computer, and that is the last screen the ransomware displays on the PC, after which the infection is completely removed.
Much about Petya remains unknown, and more will be revealed as security researchers analyze its code in greater depth. No decryption tool is available as of now, but one might emerge once more details on the ransomware are available.
In the meantime, however, users can stay protected by not opening emails and attachments from unknown or untrusted sources. Should they suspect a Petya infection, they should also make sure they don't reboot the computer when the fake BSOD is displayed, so as not to trigger the second phase of the infection; at that point their files are still recoverable.