Petya

Petya targets Windows OS and is distributed via email campaigns designed to look like the sender is seeking a job within the recipient’s company. The emails contain a link that leads the recipient to a self-extracting ransomware executable file named Bewerbungsmappe-gepackt.exe. Once this file is executed, Petya overwrites the hard drive’s Master Boot Record (MBR) which prevents the OS from loading and displays a blue screen. It will then reboot the infected machine, appear to run CHKDSK, encrypt the Master File Table (MFT), and flash a red lock screen with an ASCII image of a skull and crossbones followed by a screen outlining a ransom demand. The modified MBR eliminates both the infected machine’s ability to start the OS normally or in “Safe Mode.” Petya can only successfully infect a machine if the executable is launched via an account with administrator privileges. The latest version of Petya comes bundled with a second ransomware program, called Mischa, that begins to encrypts victims’ files in the event that Petya is unable to encrypt the MFT.

UPDATE 7/28/2016: The developers of Petya and Mischa have begun enticing new distributors as they now offer their malware as an affiliate program, or Ransomware-as-a-Service (RaaS).

UPDATE 12/6/2016: A new version of the Petya-Mischa variant, dubbed “GoldenEye,” is now being distributed via spam emails containing a fake PDF resume and an Excel file containing a malicious macro. Like its predecessor, GoldenEye encrypts victims’ files and modifies the system’s MBR to prevent the OS from loading. It appends a random eight-character extension to the names of the encrypted files and drops a ransom note text file named YOUR_FILES_ARE_ENCRYPTED.TXT. This file is briefly displayed before the infected system reboots and GoldenEye proceeds to encrypt the system’s MFT. To counteract ransomware variants that modify the MBR and encrypt the MFT, Cisco Talos has released a Windows disk filter driver called MBRFilter, available on GitHub here.

  • Trend Micro has more information about Petya here.
     
  • Bleeping Computer has more information about the combination of Petya and Mischa here.
     
  • A decryption tool for Petya is available for download here. A web-based tool is available here. Additional information about the decryption tool can be found on Github and on the Bleeping Computer website.