Is Petya ransomware defective or too smart?
Petya ransomware is a nasty piece of malware that, unlike traditional ransomware, does not encrypt files on a target system one by one.
Instead, Petya reboots the victim's computer and encrypts the hard disk's Master File Table (MFT), rendering the Master Boot Record (MBR) inoperable and locking the victim out of the entire system by seizing the information about file names, sizes and positions on the physical disk that the MFT holds.
Petya then takes an encrypted copy of the MBR and replaces the MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot.
However, this new Petya variant does not keep a copy of the replaced MBR, whether by mistake or intentionally, leaving infected computers unbootable even if the victims obtain the decryption keys.
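A defender-side illustration of the MBR replacement described above, added here and not part of the original article: it parses the 512-byte boot sector, fingerprints the bootstrap region, and compares it with a fingerprint recorded while the system was healthy, which is exactly the known-good copy this Petya variant fails to keep. The sector layout is the standard MBR format; the sample sectors are constructed inside the script.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446      # bootstrap code: bytes 0..445
PART_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector into boot code, partition entries and a signature flag."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    parts = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        parts.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {"boot_code": sector[:BOOT_CODE_LEN], "partitions": parts,
            "valid_signature": sector[510:512] == SIGNATURE}


def boot_code_fingerprint(sector: bytes) -> str:
    """Hash only the bootstrap region: partition tables change legitimately, boot code rarely does."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline: str) -> str:
    """Compare a freshly read MBR with the fingerprint recorded while the system was known good."""
    info = parse_mbr(sector)
    if not info["valid_signature"]:
        return "invalid"
    if boot_code_fingerprint(sector) != baseline:
        return "boot code modified"
    return "ok"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given bootstrap bytes, one bootable NTFS partition, valid signature."""
    body = boot_code.ljust(BOOT_CODE_LEN, b"\x00")
    first = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)  # type 0x07 = NTFS
    return body + first + b"\x00" * 48 + SIGNATURE


# Constructed samples: a baseline from a healthy machine and a sector whose boot code was replaced.
KNOWN_GOOD = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_fingerprint(KNOWN_GOOD)
REPLACED = build_sample_mbr(b"\xeb\xfe" + b"constructed replacement bytes")

if __name__ == "__main__":
    print("known good:", check_mbr(KNOWN_GOOD, BASELINE))  # ok
    print("replaced:  ", check_mbr(REPLACED, BASELINE))    # boot code modified
```

On a real host the baseline fingerprint would be taken from the first sector of the system disk while it is known clean and stored off the machine, since the original MBR itself is what the malware destroys.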
Also, after infecting one machine, Petya scans the local network and rapidly infects all other machines on the same network (even fully patched ones), using the EternalBlue SMB exploit together with the WMIC and PsExec tools.
The new Petya ransomware attack is currently hitting a large number of countries around the world, including Ukraine, the United Kingdom, India, the Netherlands, Spain, Denmark and more. The ransomware uses the contact address “[email protected]” and demands $300 in Bitcoin.
Petya is not ransomware; it is malware
The malware is spreading rapidly using the same Windows SMBv1 vulnerability that the WannaCry ransomware used to attack 300,000 devices worldwide.
Nearly 45 victims have paid a total of $10,500 in Bitcoin in the hope of getting their encrypted files back, but unfortunately they will not, because the e-mail address the hackers created for victims to contact them and receive the decryption keys was suspended by the German mail provider right after the attack.
Kaspersky security researchers said:
“Our analysis shows that there is little hope for the victims to recover their data. We analyzed the high-level code of the encryption routines, and we found out that after the encryption of the disk, the threat actor could not read the disks of victims.”
“To decrypt a victim’s disk, threat actors need the installation ID. In earlier versions of ‘similar’ ransomware such as Petya/Mischa/GoldenEye, this installation ID contains the information needed to recover the key.”
Many security researchers, and even Microsoft, said that MeDoc (a Ukrainian tax accounting system) had been breached and that the malware spread through its software updates.
How did Petya ransomware get into computers in the first place?
According to research conducted by Talos Intelligence, the little-known Ukrainian company MeDoc is probably the primary source of yesterday's global ransomware outbreak.
The researchers said the malware probably spread through a malicious update to a Ukrainian tax accounting system called MeDoc, but MeDoc denied the accusations in a Facebook post.
“At the time of the program update, the system may be infected with the virus directly from the update file,” the translated MeDoc post reads. “We can argue that users of the MeDoc system cannot infect the PC with viruses when updating the program.”
However, several security researchers, and even Microsoft, agreed with Talos's findings, saying MeDoc was breached and the malware spread through its updates.