SecurityWeek


Petya Ransomware Gets Encryption Upgrade

The latest updates in Petya, a piece of ransomware observed a few months ago to encrypt entire hard disks after taking over the boot sector, no longer allow for easy data recovery, researchers warn.

Unlike other ransomware families, which encrypt files one by one, Petya manipulates the Master Boot Record (MBR) to take over the boot process and encrypts the entire hard disk after a reboot. Researchers discovered that the reboot was essential to the encryption process, and that files could easily be recovered if the reboot was prevented.

To counter this weakness in their malware, the Petya operators bundled it with another ransomware, called Mischa, which was designed to encrypt user files one by one. Thus, in the event that Petya was unsuccessful in encrypting the entire disk, Mischa would function as a failsafe.

From the start, Petya has used the Salsa20 stream cipher to encrypt the Master File Table (MFT) and render the compromised disk inaccessible. However, its implementation contained a series of bugs that weakened the cipher, making it possible to recover data without paying the ransom.

The latest Petya iteration no longer includes such weaknesses, but instead comes with a proper Salsa20 implementation, security researcher Hasherezade warns in a post on Malwarebytes Labs’ blog. The ransomware’s behavior hasn’t changed from the previous variants, but bugs spotted before are no longer present in the malware’s code.

One major bug in the previous version was an incorrect implementation of the function s20_littleendian, which resulted in only 8 out of the 16 characters of the encryption key being meaningful, opening the door to brute-force attacks. The current Petya release contains a fixed implementation, meaning that the previous decryption tools are no longer usable.

“The old implementation was truncated – it didn’t use 32 bit values as it should – only added a sign bit expansion to the 16 bit value. Now, authors got the proper implementation, using 32 bits. So, the last bug in Salsa20 got finally fixed, making implementation complete,” the security researcher explains.
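To make the effect of that bug concrete, the following added example (not code from the article or from the researcher's post) places a correct 32-bit little-endian load next to a model of the truncated, sign-extending version described in the quote, and counts how many bytes of a 16-byte key actually influence the derived key words. The function names, the `meaningful_key_bytes` helper and the sample key are constructed for this illustration.

```c
#include <stdint.h>
#include <string.h>

/* Correct little-endian load: four key bytes become one 32-bit word,
   matching the reference C Salsa20 implementation. */
uint32_t s20_littleendian_fixed(const uint8_t *b)
{
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Model of the truncated version described in the quote: only two bytes
   are read and the 16-bit result is sign-extended, so b[2] and b[3]
   never influence the word. (Constructed model, not Petya's code.) */
uint32_t s20_littleendian_buggy(const uint8_t *b)
{
    int16_t v16 = (int16_t)((uint16_t)b[0] | ((uint16_t)b[1] << 8));
    return (uint32_t)(int32_t)v16;
}

typedef uint32_t (*le_fn)(const uint8_t *);

/* Constructed 16-byte sample key (not a real Petya key). */
const uint8_t sample_key[16] = {
    0x10, 0x32, 0x54, 0x76, 0x98, 0xba, 0xdc, 0xfe,
    0x01, 0x23, 0x45, 0x67, 0x89, 0xab, 0xcd, 0xef };

/* Count how many of the 16 key bytes influence the four derived key words:
   a byte is meaningful if flipping it changes at least one word. */
int meaningful_key_bytes(le_fn load, const uint8_t key[16])
{
    uint32_t base[4];
    uint8_t tmp[16];
    int count = 0;
    for (int w = 0; w < 4; w++) base[w] = load(key + 4 * w);
    for (int i = 0; i < 16; i++) {
        memcpy(tmp, key, 16);
        tmp[i] ^= 0xFF;                      /* perturb one key byte */
        for (int w = 0; w < 4; w++) {
            if (load(tmp + 4 * w) != base[w]) { count++; break; }
        }
    }
    return count;
}
```

With the fixed loader all 16 key bytes matter; with the truncated one only 8 do, which is exactly the key-space reduction the article refers to.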

Additionally, Petya has returned to using a 32-byte Salsa key instead of a 16-byte key. The initial release used the longer key but derived it from a 16-byte key, the researcher says. The Petya authors have now gone back to a 32-byte key, and have also implemented a more complex key pre-processing algorithm than the original release had.

According to Hasherezade, the new update shows that Petya is reaching maturity, although its authors still describe it as a beta version on Petya’s ransomware-as-a-service page. Since the Petya/Mischa dropper has previously been distributed via spam emails disguised as job applications (containing a link to cloud storage), users are advised to steer clear of such emails unless they are certain they come from trusted sources.

The Petya/Mischa pair has already inspired copycats, such as the Satana ransomware detailed in early July. Unlike the original malware, which encrypts either the MBR or individual files, Satana does both, although the new family doesn’t yet appear ready for public release.

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal
