Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Petya Ransomware Gets Encryption Upgrade

The latest updates in Petya, a piece of ransomware observed a few months ago to encrypt entire hard disks after taking over the boot sector, no longer allow for easy data recovery, researchers warn.

The latest updates in Petya, a piece of ransomware observed a few months ago to encrypt entire hard disks after taking over the boot sector, no longer allow for easy data recovery, researchers warn.

Unlike other ransomware families out there, which encrypt files one by one, Petya would manipulate the Master Boot Record (MBR) to take over the boot process and would encrypt the entire hard disk after a reboot. What researchers discovered was that the reboot was essential to the encryption process and that file recovery could be easily performed if the reboot was prevented.

To counter this weakness in their malware, the Petya operators bundled it with another ransomware, called Mischa, which was designed to encrypt user files one by one. Thus, in the event that Petya was unsuccessful in encrypting the entire disk, Mischa would function as a failsafe.

Right from the start, Petya has been using the Salsa20 stream cipher to encrypt the Master File Table and make the compromised disk inaccessible. However, it also contained a series of implementation bugs that rendered the encryption algorithm weak, making it possible to recover data without paying the ransom.

The latest Petya iteration no longer includes such weaknesses, but instead comes with a proper Salsa20 implementation, security researcher Hasherezade warns in a post on Malwarebytes Labs’ blog. The ransomware’s behavior hasn’t changed from the previous variants, but bugs spotted before are no longer present in the malware’s code.

One major bug in the previous version was the result of an invalid implementation of the function s20_littleendian, resulting in only 8 out of 16 characters of the encryption key being meaningful, thus opening the door to brute-force attacks. The current Petya release, however, contains a fixed implementation, meaning that previous decryption tools are no longer usable.

“The old implementation was truncated – it didn’t used 32 bit values as it should – only added a sign bit expansion to the 16 bit value. Now, authors got the proper implementation, using 32 bits. So, the last bug in Salsa20 got finally fixed, making implementation complete,” the security researcher explains.

Additionally, Petya has returned to using 32 byte long Salsa key instead of 16 byte long key. The initial release used the longer key but generated it from the 16 byte long key, the researcher says. Now, Petya authors went back to using 32 byte long key, but also implemented a more complex pre-processing algorithm compared to the original ransomware release.

According to Hasherezade, the new update shows that Petya is reaching maturity, yet its authors still say that it is a beta version, on Petya’s ransomware-as-a-service page. With the Petya/Mischa dropper previously distributed via spam emails disguised as job applications (they included a link leading to cloud storage), users are advised to steer clear of such emails, unless they are certain they come from trusted sources.

The Petya/Mischa couple has already inspired copycats, such as Satana ransomware, which was detailed in early July. Unlike the original malware, however, which would either encrypt the MBR or individual files, Satana does both, yet the new malware family doesn’t appear ready for public release. 

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.