F-Secure provides more details on the Petya ransomware

Pierluigi Paganini April 02, 2016

The best way to address a threat is to know it, so security experts at F-Secure have shared a detailed analysis of the new Petya ransomware.

Several days ago, I wrote about a new and unusual ransomware dubbed Petya that captured the attention of security experts because it overwrites the master boot record (MBR) and then crashes the system with a blue screen of death (BSoD) so that the machine reboots into the malware's own boot code.

Now security firm F-Secure has issued an alert on the Petya ransomware, sharing the results of its analysis of the threat.

Unlike most ransomware, which encrypts individual files on the infected system, the malware locks the entire disk at once.

It does so by encrypting the filesystem's master file table (MFT), which leaves the operating system unable to locate any file and makes the machine unusable.

On an NTFS volume the MFT contains at least one entry for every file, including the MFT itself.

“Specifically, it will encrypt the filesystem’s master file table (MFT), which means the operating system is not able to locate files,” wrote Jarkko Turkulainen, F-Secure senior security researcher.

“It installs itself to the disk’s master boot record (MBR) like a bootkit. But instead of covert actions, it displays a red screen with instructions on how to restore the system.”

Why encrypt the MFT?

Because encrypting the MFT is far less time-consuming than encrypting every file on the disk, and from the victim's point of view the result is the same: no file can be reached.

Even restoring the MBR with a recovery tool won't help, because the MFT remains encrypted.

A conventional ransomware attack, which has to walk the disk and encrypt file after file, is slow compared with Petya's; that slowness gives victims who are aware of the threat a chance to react and limit the damage.

Petya instead crashes the system, forces a restart and encrypts the MFT in a few seconds during boot; according to F-Secure's experts, even in an enterprise environment there would be no time to take mitigation measures.

Another consequence of a Petya infection is that the victim has to use a machine other than the infected computer to pay the ransom, since the infected one can no longer boot into Windows.

Petya operates in two stages. The first is the main dropper, which performs the following operations:

  • Infects the MBR using direct \\.\PhysicalDrive manipulation.
  • Generates a set of crypto keys, including a 16-byte disk encryption key consisting of ASCII characters. It also builds a special “decryption code” that only the attackers' server can open; this code contains the actual disk encryption key.
  • Saves the crypto keys to disk for later use in the MBR infection code.
  • Shuts down the machine without any warning to boot to MBR code.

In the second stage, once the PC is infected, the machine boots into the MBR code, which:

  • First checks to see if the disk is infected.
  • If not, it presents a fake CHKDSK screen and encrypts the MFT using the key saved by the dropper.
  • Uses salsa20 for disk encryption and destroys the key after encryption.
  • Presents the red “skull screen” and then a screen with Tor hidden service URLs and the “decryption code”, an encrypted message that only the server can open.

The Petya ransomware implements a custom elliptic-curve encryption scheme to protect the disk encryption key: the dropper ships with a 192-bit public key and the secp192k1 curve parameters hardcoded in its code.

If there is one criticism to level at the authors, it is that Petya implements no mechanism for paying the ransom from the infected machine; it merely shows the victim a URL.


“Somewhat ironically, in making it harder for victims to pay a ransom, Petya’s authors may have also lowered their own chances of profiting from it” F-Secure security advisor Sean Sullivan explained to Dark Reading. “As a result, the likelihood of the same technique being used more widely will depend on the success malware authors have in monetizing Petya.”

It is important to note that only the server, which holds the private key matching the hardcoded public key, can recover the disk encryption key from the EC-protected decryption code.

“The only way to restore the machine without the help of the server is to catch the salsa20 key inline of the infection process, using debuggers. Not a very attractive counter measure for the average computer user:).” states F-Secure.
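The key lifecycle F-Secure describes above (the dropper generates a 16-byte ASCII key and wraps it so that only the server can open it; the boot code encrypts the MFT with salsa20 and destroys the key; the server later unwraps it) as an added, constructed Python model. This is not Petya's code and not F-Secure's: the secp192k1 parameters are the standard SEC 2 values, but the ECDH-plus-SHA-256 wrapping, the key alphabet, the fixed nonce and the stand-in MFT buffer are assumptions, since the page does not specify Petya's exact scheme.

```python
"""Constructed model of Petya-style key handling (illustration, not Petya's code).

Assumed here: a 16-byte ASCII key drives Salsa20/20 over a stand-in MFT buffer,
and that key is wrapped for the operator's hardcoded secp192k1 public key with
ECDH + SHA-256 (the page does not describe the real wrapping construction).
"""
import hashlib
import secrets
import struct

# secp192k1 domain parameters (SEC 2): y^2 = x^3 + 3 over F_p, cofactor 1.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFEE37
N = 0xFFFFFFFFFFFFFFFFFFFFFFFE26F2FC170F69466A74DEFD8D
G = (0xDB4FF10EC057E9AE26B07D0280B7F4341DA5D1B1EAE06C7D,
     0x9B2F2F6D9C5628A7844163D015BE86344082AA88D95E2F9D)


def on_curve(pt):
    x, y = pt
    return (y * y - x * x * x - 3) % P == 0


def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # a = 0 on this curve
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not side-channel safe)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def _rotl(v, c):
    return ((v << c) | (v >> (32 - c))) & 0xFFFFFFFF


def _quarterround(x, a, b, c, d):
    x[b] ^= _rotl((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl((x[d] + x[c]) & 0xFFFFFFFF, 18)


def salsa20_block(key16, nonce8, counter):
    """One 64-byte Salsa20/20 keystream block for a 128-bit key."""
    sigma = struct.unpack("<4I", b"expand 16-byte k")
    k = struct.unpack("<4I", key16)
    n = struct.unpack("<2I", nonce8)
    ctr = struct.unpack("<2I", struct.pack("<Q", counter))
    state = [sigma[0], *k, sigma[1], *n, *ctr, sigma[2], *k, sigma[3]]
    x = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarterround(x, 0, 4, 8, 12); _quarterround(x, 5, 9, 13, 1)
        _quarterround(x, 10, 14, 2, 6); _quarterround(x, 15, 3, 7, 11)
        _quarterround(x, 0, 1, 2, 3); _quarterround(x, 5, 6, 7, 4)
        _quarterround(x, 10, 11, 8, 9); _quarterround(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(a + b) & 0xFFFFFFFF for a, b in zip(x, state)])


def salsa20_xor(key16, nonce8, data):
    """Stream-cipher XOR; the same call encrypts and decrypts."""
    out = bytearray()
    for i in range(0, len(data), 64):
        block = salsa20_block(key16, nonce8, i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], block))
    return bytes(out)


KEY_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"  # assumed


def gen_disk_key():
    """16 printable ASCII characters, as F-Secure describes the disk key."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(16)).encode()


def _kek(shared_point):
    return hashlib.sha256(shared_point[0].to_bytes(24, "big")).digest()[:16]


def wrap_key(disk_key, server_pub):
    """Build the 'decryption code': ephemeral public point plus XOR-masked key."""
    e = secrets.randbelow(N - 1) + 1
    mask = _kek(ec_mul(e, server_pub))
    return ec_mul(e, G), bytes(a ^ b for a, b in zip(disk_key, mask))


def unwrap_key(code, server_priv):
    """Only the holder of the server private key can perform this step."""
    ephemeral_pub, masked = code
    mask = _kek(ec_mul(server_priv, ephemeral_pub))
    return bytes(a ^ b for a, b in zip(masked, mask))


def simulate(server_priv, fake_mft, nonce=b"\x00" * 8):
    """Dropper + boot-stage flow, then server-side recovery: (ciphertext, recovered)."""
    server_pub = ec_mul(server_priv, G)     # the only key material the dropper carries
    disk_key = gen_disk_key()
    code = wrap_key(disk_key, server_pub)   # what the skull screen shows the victim
    ciphertext = salsa20_xor(disk_key, nonce, fake_mft)
    del disk_key                            # "destroys the key after encryption"
    recovered_key = unwrap_key(code, server_priv)
    return ciphertext, salsa20_xor(recovered_key, nonce, ciphertext)
```

The plaintext key exists only between `gen_disk_key()` and the `del`, which is exactly the window F-Secure means by catching the salsa20 key inline with a debugger; after that, the victim holds nothing but the wrapped code. Note that this toy wrapping has no integrity check, so a wrong private key does not produce an error, just a wrong key and a still-unreadable MFT.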

Ransomware is a serious threat; this form of digital extortion is becoming a common and profitable practice in the criminal underground.

In recent months, many ransomware strains such as TeslaCrypt, Locky and CryptoWall have infected a large number of victims worldwide.

The U.S. DHS issued an alert warning users of the threat. The alert, issued late Thursday, warned consumers and businesses about the “devastating” consequences of a ransomware attack.

“In early 2016, destructive ransomware variants such as Locky and Samas were observed infecting computers belonging to individuals and businesses, which included healthcare facilities and hospitals worldwide. Ransomware is a type of malicious software that infects a computer and restricts users’ access to it until a ransom is paid to unlock it.” states the alert.

“The United States Department of Homeland Security (DHS), in collaboration with Canadian Cyber Incident Response Centre (CCIRC), is releasing this Alert to provide further information on ransomware, specifically its main characteristics, its prevalence, variants that may be proliferating, and how users can prevent and mitigate against ransomware.” 

Pierluigi Paganini

(Security Affairs – Petya ransomware , cybercrime)
