SecurityWeek

Malware & Threats

Petya Ransomware Gets Encryption Upgrade

The latest updates in Petya, a piece of ransomware observed a few months ago to encrypt entire hard disks after taking over the boot sector, no longer allow for easy data recovery, researchers warn.

Unlike other ransomware families, which encrypt files one by one, Petya manipulates the Master Boot Record (MBR) to take over the boot process and encrypts the entire hard disk after a reboot. Researchers discovered that the reboot was essential to the encryption process and that file recovery could be performed easily if the reboot was prevented.

To counter this weakness in their malware, the Petya operators bundled it with another ransomware, called Mischa, which was designed to encrypt user files one by one. Thus, in the event that Petya was unsuccessful in encrypting the entire disk, Mischa would function as a failsafe.

Right from the start, Petya has been using the Salsa20 stream cipher to encrypt the Master File Table and make the compromised disk inaccessible. However, it also contained a series of implementation bugs that rendered the encryption algorithm weak, making it possible to recover data without paying the ransom.

The latest Petya iteration no longer includes such weaknesses, but instead comes with a proper Salsa20 implementation, security researcher Hasherezade warns in a post on Malwarebytes Labs’ blog. The ransomware’s behavior hasn’t changed from the previous variants, but bugs spotted before are no longer present in the malware’s code.

One major bug in the previous version was an invalid implementation of the function s20_littleendian, which left only 8 of the 16 characters (bytes) of the encryption key meaningful and thus opened the door to brute-force attacks. The current Petya release, however, contains a fixed implementation, meaning that the previous decryption tools are no longer usable.

“The old implementation was truncated – it didn’t use 32 bit values as it should – only added a sign bit expansion to the 16 bit value. Now, authors got the proper implementation, using 32 bits. So, the last bug in Salsa20 got finally fixed, making implementation complete,” the security researcher explains.

Additionally, Petya has returned to using a 32-byte Salsa20 key instead of a 16-byte one. The initial release used the longer key but derived it from a 16-byte key, the researcher says. The Petya authors have now gone back to a 32-byte key, but have also implemented a more complex key pre-processing algorithm than the original ransomware release used.
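To make the s20_littleendian bug concrete, the following is an added example written for this article; it is not Petya's code and not Malwarebytes' or any decryption tool's code. It contains a correct Salsa20/20 block function for a 16-byte key (the "expand 16-byte k" constants and the quarter-round are from the public Salsa20 specification), plus `s20_littleendian_truncated`, an assumed model of the bug as the researcher describes it: only two bytes are read and the 16-bit result is sign-extended to 32 bits. The helper `s20_influential_key_bytes` is a self-check a reviewer of any stream-cipher implementation can run: flip each key byte in turn and count how many flips change the keystream. With the correct byte-to-word conversion all 16 key bytes matter; with the truncated one only 8 do, which is exactly the keyspace reduction the article reports. The nonce and base key values are constructed for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROTL(v, c) (((v) << (c)) | ((v) >> (32 - (c))))

typedef uint32_t (*le_fn)(const uint8_t *);

/* Correct Salsa20 helper: four little-endian bytes -> one 32-bit word. */
uint32_t s20_littleendian(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Assumed model of the bug described above: only two bytes are read and the
   16-bit value is sign-extended, so bytes 2 and 3 of every word are ignored. */
uint32_t s20_littleendian_truncated(const uint8_t *b) {
    int16_t half = (int16_t)((uint16_t)b[0] | ((uint16_t)b[1] << 8));
    return (uint32_t)(int32_t)half;
}

static void s20_rev_littleendian(uint8_t *b, uint32_t w) {
    b[0] = (uint8_t)w;         b[1] = (uint8_t)(w >> 8);
    b[2] = (uint8_t)(w >> 16); b[3] = (uint8_t)(w >> 24);
}

/* Salsa20 quarter-round exactly as in the specification. */
void s20_quarterround(uint32_t *y0, uint32_t *y1, uint32_t *y2, uint32_t *y3) {
    *y1 ^= ROTL(*y0 + *y3, 7);
    *y2 ^= ROTL(*y1 + *y0, 9);
    *y3 ^= ROTL(*y2 + *y1, 13);
    *y0 ^= ROTL(*y3 + *y2, 18);
}

/* Returns 1 when the quarter-round reproduces the specification's test vector. */
int s20_quarterround_selftest(void) {
    uint32_t a = 1, b = 0, c = 0, d = 0;
    s20_quarterround(&a, &b, &c, &d);
    return a == 0x08008145u && b == 0x80u && c == 0x10200u && d == 0x20500000u;
}

/* Salsa20/20 hash: ten double-rounds over the 16-word state, then add the input. */
static void s20_hash(const uint32_t in[16], uint32_t out[16]) {
    uint32_t x[16];
    memcpy(x, in, sizeof x);
    for (int i = 0; i < 10; i++) {
        /* column round */
        s20_quarterround(&x[0], &x[4], &x[8], &x[12]);
        s20_quarterround(&x[5], &x[9], &x[13], &x[1]);
        s20_quarterround(&x[10], &x[14], &x[2], &x[6]);
        s20_quarterround(&x[15], &x[3], &x[7], &x[11]);
        /* row round */
        s20_quarterround(&x[0], &x[1], &x[2], &x[3]);
        s20_quarterround(&x[5], &x[6], &x[7], &x[4]);
        s20_quarterround(&x[10], &x[11], &x[8], &x[9]);
        s20_quarterround(&x[15], &x[12], &x[13], &x[14]);
    }
    for (int i = 0; i < 16; i++) out[i] = x[i] + in[i];
}

/* One 64-byte keystream block for a 16-byte key; `le` selects the byte-to-word
   conversion so the correct and the truncated variants can be compared. */
void s20_block16(const uint8_t key[16], const uint8_t nonce[8], uint64_t ctr,
                 uint8_t out[64], le_fn le) {
    const char *tau = "expand 16-byte k";          /* Salsa20 16-byte-key constants */
    const uint8_t *t = (const uint8_t *)tau;
    uint32_t st[16], res[16];
    st[0] = le(t);
    for (int i = 0; i < 4; i++) st[1 + i] = le(key + 4 * i);
    st[5] = le(t + 4);
    st[6] = le(nonce); st[7] = le(nonce + 4);
    st[8] = (uint32_t)ctr; st[9] = (uint32_t)(ctr >> 32);
    st[10] = le(t + 8);
    for (int i = 0; i < 4; i++) st[11 + i] = le(key + 4 * i);
    st[15] = le(t + 12);
    s20_hash(st, res);
    for (int i = 0; i < 16; i++) s20_rev_littleendian(out + 4 * i, res[i]);
}

/* Implementation check: how many of the 16 key bytes change the keystream when
   flipped? A healthy implementation answers 16; the truncated one answers 8. */
int s20_influential_key_bytes(le_fn le) {
    static const uint8_t nonce[8] = {1, 2, 3, 4, 5, 6, 7, 8};        /* constructed */
    uint8_t key[16], base[64], trial[64];
    int count = 0;
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)(i + 1);          /* constructed */
    s20_block16(key, nonce, 0, base, le);
    for (int i = 0; i < 16; i++) {
        key[i] ^= 0xA5;
        s20_block16(key, nonce, 0, trial, le);
        if (memcmp(base, trial, sizeof base) != 0) count++;
        key[i] ^= 0xA5;                                               /* restore */
    }
    return count;
}

int main(void) {
    printf("correct s20_littleendian : %d/16 key bytes affect the keystream\n",
           s20_influential_key_bytes(s20_littleendian));
    printf("truncated variant        : %d/16 key bytes affect the keystream\n",
           s20_influential_key_bytes(s20_littleendian_truncated));
    return 0;
}
```

The count is the useful part: a byte-sensitivity sweep like this is cheap to add to any cipher port's unit tests and catches truncation or sign-extension mistakes that a single known-answer test might miss if the test key happens to have zero upper bytes.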


According to Hasherezade, the new update shows that Petya is reaching maturity, yet its authors still say that it is a beta version, on Petya’s ransomware-as-a-service page. With the Petya/Mischa dropper previously distributed via spam emails disguised as job applications (they included a link leading to cloud storage), users are advised to steer clear of such emails, unless they are certain they come from trusted sources.

The Petya/Mischa pair has already inspired copycats, such as the Satana ransomware detailed in early July. Unlike the original malware, which encrypts either the MBR or individual files, Satana does both, though the new family does not yet appear ready for public release.

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal
