Petya Ransomware Gets Encryption Upgrade

The latest updates in Petya, a piece of ransomware observed a few months ago to encrypt entire hard disks after taking over the boot sector, no longer allow for easy data recovery, researchers warn.

Unlike other ransomware families out there, which encrypt files one by one, Petya would manipulate the Master Boot Record (MBR) to take over the boot process and would encrypt the entire hard disk after a reboot. What researchers discovered was that the reboot was essential to the encryption process and that file recovery could be easily performed if the reboot was prevented.

To counter this weakness in their malware, the Petya operators bundled it with another ransomware, called Mischa, which was designed to encrypt user files one by one. Thus, in the event that Petya was unsuccessful in encrypting the entire disk, Mischa would function as a failsafe.

Right from the start, Petya has been using the Salsa20 stream cipher to encrypt the Master File Table and make the compromised disk inaccessible. However, it also contained a series of implementation bugs that rendered the encryption algorithm weak, making it possible to recover data without paying the ransom.

The latest Petya iteration no longer includes such weaknesses, but instead comes with a proper Salsa20 implementation, security researcher Hasherezade warns in a post on Malwarebytes Labs’ blog. The ransomware’s behavior hasn’t changed from the previous variants, but bugs spotted before are no longer present in the malware’s code.

One major bug in the previous version was the result of an invalid implementation of the function s20_littleendian, resulting in only 8 out of 16 characters of the encryption key being meaningful, thus opening the door to brute-force attacks. The current Petya release, however, contains a fixed implementation, meaning that previous decryption tools are no longer usable.

“The old implementation was truncated – it didn’t used 32 bit values as it should – only added a sign bit expansion to the 16 bit value. Now, authors got the proper implementation, using 32 bits. So, the last bug in Salsa20 got finally fixed, making implementation complete,” the security researcher explains.

Additionally, Petya has returned to using 32 byte long Salsa key instead of 16 byte long key. The initial release used the longer key but generated it from the 16 byte long key, the researcher says. Now, Petya authors went back to using 32 byte long key, but also implemented a more complex pre-processing algorithm compared to the original ransomware release.

According to Hasherezade, the new update shows that Petya is reaching maturity, yet its authors still say that it is a beta version, on Petya’s ransomware-as-a-service page. With the Petya/Mischa dropper previously distributed via spam emails disguised as job applications (they included a link leading to cloud storage), users are advised to steer clear of such emails, unless they are certain they come from trusted sources.

The Petya/Mischa couple has already inspired copycats, such as Satana ransomware, which was detailed in early July. Unlike the original malware, however, which would either encrypt the MBR or individual files, Satana does both, yet the new malware family doesn’t appear ready for public release. 

Related: Ransomware-as-a-Service Lets Anyone be a Cybercriminal