Petya Ransomware Gets Encryption Upgrade

The latest updates in Petya, a piece of ransomware observed a few months ago to encrypt entire hard disks after taking over the boot sector, no longer allow for easy data recovery, researchers warn.

Unlike other ransomware families out there, which encrypt files one by one, Petya would manipulate the Master Boot Record (MBR) to take over the boot process and would encrypt the entire hard disk after a reboot. What researchers discovered was that the reboot was essential to the encryption process and that file recovery could be easily performed if the reboot was prevented.

To counter this weakness in their malware, the Petya operators bundled it with another ransomware, called Mischa, which was designed to encrypt user files one by one. Thus, in the event that Petya was unsuccessful in encrypting the entire disk, Mischa would function as a failsafe.

Right from the start, Petya has been using the Salsa20 stream cipher to encrypt the Master File Table and make the compromised disk inaccessible. However, it also contained a series of implementation bugs that rendered the encryption algorithm weak, making it possible to recover data without paying the ransom.

The latest Petya iteration no longer includes such weaknesses, but instead comes with a proper Salsa20 implementation, security researcher Hasherezade warns in a post on Malwarebytes Labs’ blog. The ransomware’s behavior hasn’t changed from the previous variants, but bugs spotted before are no longer present in the malware’s code.

One major bug in the previous version was the result of an invalid implementation of the function s20_littleendian, resulting in only 8 out of 16 characters of the encryption key being meaningful, thus opening the door to brute-force attacks. The current Petya release, however, contains a fixed implementation, meaning that previous decryption tools are no longer usable.

“The old implementation was truncated – it didn’t use 32 bit values as it should – only added a sign bit expansion to the 16 bit value. Now, authors got the proper implementation, using 32 bits. So, the last bug in Salsa20 got finally fixed, making implementation complete,” the security researcher explains.
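To make the s20_littleendian defect concrete, here is an added example (not code from the malware or from Hasherezade's analysis) that builds the standard Salsa20 initial state for a 16-byte key with two different 4-byte loaders and counts how many key bytes actually influence the state. The truncated loader is an assumed reconstruction from the article's description (a 16-bit read followed by sign extension); the state layout follows the published Salsa20 specification for 16-byte keys.

```c
#include <stdint.h>
#include <string.h>
/* Type of the 4-byte little-endian loader Salsa20 applies to key and nonce bytes. */
typedef uint32_t (*le_reader)(const uint8_t *b);

/* Correct loader: all four bytes reach the 32-bit word. */
uint32_t s20_littleendian_fixed(const uint8_t *b) {
    return (uint32_t)b[0] | ((uint32_t)b[1] << 8) |
           ((uint32_t)b[2] << 16) | ((uint32_t)b[3] << 24);
}

/* Assumed reconstruction of the old truncated loader described in the article:
 * only 16 bits are read and then sign-extended, so b[2] and b[3] are ignored. */
uint32_t s20_littleendian_truncated(const uint8_t *b) {
    int16_t half = (int16_t)((uint16_t)b[0] | ((uint16_t)b[1] << 8));
    return (uint32_t)(int32_t)half;   /* sign-bit expansion to 32 bits */
}

/* Standard Salsa20 initial state for a 16-byte key: the key is loaded twice
 * (words 1-4 and 11-14) between the "expand 16-byte k" constants; the nonce
 * occupies words 6-7 and the block counter words 8-9. */
void salsa20_state_16(uint32_t st[16], const uint8_t key[16],
                      const uint8_t nonce[8], le_reader rd) {
    static const uint8_t tau[16] = "expand 16-byte k";
    for (int i = 0; i < 4; i++) {
        st[i * 5]  = rd(tau + 4 * i);   /* words 0, 5, 10, 15 */
        st[1 + i]  = rd(key + 4 * i);
        st[11 + i] = rd(key + 4 * i);
    }
    st[6] = rd(nonce); st[7] = rd(nonce + 4);
    st[8] = st[9] = 0;
}

/* Flip each key byte in turn and count how many actually change the state:
 * the answer is the number of key bytes the loader lets into the cipher. */
int effective_key_bytes(le_reader rd) {
    uint8_t key[16], nonce[8] = {0};
    uint32_t base[16], mod[16];
    int count = 0;
    for (int i = 0; i < 16; i++) key[i] = (uint8_t)(0x41 + i); /* constructed key */
    salsa20_state_16(base, key, nonce, rd);
    for (int i = 0; i < 16; i++) {
        key[i] ^= 0x55;
        salsa20_state_16(mod, key, nonce, rd);
        key[i] ^= 0x55;
        if (memcmp(base, mod, sizeof base) != 0) count++;
    }
    return count;   /* 16 with the fixed loader, 8 with the truncated one */
}
```

With the truncated loader only half of the key bytes reach the cipher state, which is exactly why the earlier variant's effective key space was small enough for the recovery tools the article mentions; the fixed loader makes every key byte count.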

Additionally, Petya has returned to using a 32-byte-long Salsa key instead of a 16-byte-long one. The initial release used the longer key but derived it from a 16-byte key, the researcher says. Now the Petya authors have gone back to a 32-byte key and have also implemented a more complex key pre-processing algorithm than the one in the original release.

According to Hasherezade, the new update shows that Petya is reaching maturity, yet its authors still label it a beta version on Petya’s ransomware-as-a-service page. Since the Petya/Mischa dropper has previously been distributed via spam emails disguised as job applications (containing a link to cloud storage), users are advised to steer clear of such emails unless they are certain they come from trusted sources.

The Petya/Mischa pair has already inspired copycats, such as the Satana ransomware, which was detailed in early July. Unlike the original malware, which would encrypt either the MBR or individual files, Satana does both, yet the new family does not appear ready for public release.
