« Back to Blog

Petya and Mischa For All Part II: They’re Here…

By Jim Walter

The time has come to follow up on our previous analysis of the Petya and Mischa ransomware family. When we last left off, private ransomware distributor Janus Cybercrime Solutions had started opening up the platform by offering private stubs and support, in line with most ransomware as a service (RaaS) offerings.

Now, the day security experts around the world have both expected and feared has finally come: the Petya and Mischa bundle is open and available to all!

The update was quietly announced on July 26, 2016, on a little-known Twitter account run by Janus Cybercrime Solutions. It is important to note here that this Twitter alias changed between updates as well. Prior to July, the account username was '@janussec,' whereas now, Janus is operating as '@janussecretary'.

Fig1-8.pngFigure 1: Janus Cybercrime Solutions Twitter Page - July 26th, 2016 

Fig2-11.png

Figure 2: Previous Twitter Page for Janus Cybercrime Solutions - May 12th, 2016

Petya: Coming Soon to a Computer Near You

In short, the platform is now fully open to anyone who wants to create, spread, and manage their own Petya infections. The danger here of course is that the Petya ransomware generated by this service is every bit as destructive as previous generations.

This is how a typical Petya infection goes: upon execution of the malware, the infected host computer will shut down and reboot. Following the restart, the victim (as was the case prior) will be presented with a false CHKDSK screen. Interrupting that screen, or forcing a reboot in an attempt to stop the fake process, leads to the familiar skull and crossbones animation. Pressing any key during the skull display leads the victim to instructions on how to pay the ransom, along with their personal decryption code.

Fig3.jpgFigure 3: Skull and Crossbones Display – the Hallmark of a Petya Ransomware Infection 

Fig4.pngFigure 4: Petya Ransom Note 

Fig5B.pngFigure 5: Petya Payment Screen 

Fig6.pngFigure 6: Purchasing Bitcoin to Pay the Petya Ransom 

Fig7.pngFigure 7: Ransom Demand for 0.97 Bitcoin - Worth Approximately $637.00 in July 2016

What’s in it For Them?

As is the case with other similar ransomware offerings (TOX, Ransom32, Encryptor RaaS[1]), the authors or facilitators get a ‘cut’ of the payment. Payment is dictated by a random range set by the user of the portal. The victims will be charged a random amount within this range. 

Fig8.pngFigure 8: Janus Cybercrime Solutions Payment Settings Screen

The amount of the ‘cut’ is unclear at the time of writing this, as the FAQ for Petya RaaS is not yet live. In the absence of the FAQ, users are instructed to message support via a form on the Janus Cybercrime portal.

Fig9.png
Figure 9: Missing ‘FAQ’ Section for the Petya RaaS Offering

Petya RaaS Administrative Portal

The administrative portal for Petya is very straightforward and ‘Tox-like’. The same site page used for registration serves as the management portal and panel for subsequent infections.

Fig10-1.pngFigure 10: Behind the Scenes at Petya RaaS

Registration, however, is not as immediate as the past offerings from Janus. For starters, it is not 100% free. The authors require a small fee which is paid upfront. On their registration page, they position this as a way to weed out the “timewasters and kiddies”. 

Fig11-1.pngFigure 11: Fine Print on Janus Registration Page

The price of the upfront fee fluctuates, as it is based on bitcoin (BTC). That being said, it appears to hover around the $8.00 to $18.00 USD range – a low price which is (in my opinion) certainly well within the reach of the aforementioned “kiddies and timewasters.”

In order to register and make payment, you must provide the authors with a valid bitcoin address for payment collection, along with the public key for that address. The system then runs a script to generate your private key for the ransomware. 

Fig12-1.png
Figure 12: Entering Registration Information Into the System

Once you are ‘in’ - a process that takes between one and twelve hours due to manual verification of the bitcoin transfers - you are then able to download binaries, update wallet settings, track infections, contact support and more.

An important note on the binaries themselves: most registrants will be offered the ‘public’ stub. The private stubs, which are more rare, are reserved for their most active distributors.

The stubs (binaries) are updated daily, possibly multiple times per day, to ensure detection evasion. Even the ‘public’ stubs vary per user, and as stated, over time.

Fig13-1.pngFigure 13: Download Screen for Binaries

Petya vs. Mischa: Stages of Infection

Mischa and Petya infections are handled via the same binary and portal as per previous generations. When Petya is denied administrative privileges by way of UAC controls or otherwise, the Mischa-specific payload is executed. Rather than overwrite the master boot record (MBR), Mischa behaves more like ‘traditional’ ransomware. It will encrypt the local files and then inform the victim how to recover them, in a style mimicking the Petya instructions. 

Fig14-1.png
Figure 14: User Account Control Notification – Clicking "No" May Earn You a Mischa Infection
 


Fig15B.png

Figure 15: Mischa Malware Detonation In Progress  

Fig16-2.pngFigure 16: Stage 2 of the Mischa Infection 

Fig17.png

Figure 17: Victim Document Library, Showing Mischa Ransom Notes

In our analysis, Mischa-encrypted files are given a 'MspqYy' extension.

 Fig17b.png


The Test: CylancePROTECT®
vs. Petya and Mischa RaaS Bundle

Even the public stubs are very effective at evading legacy signature-based endpoint products, as you can see in the image below. The fact that the binaries are updated daily, if not more often, further compounds this problem. Casual testing with a popular multi-engine scanning site shows that only one vendor picked up the Petya/ Mischa sample!

Fig18.png
Figure 18: Multi-Engine Scanning Site Encountering a Malicious Petya/ Mischa Binary

It’s a different story with CylancePROTECT. Our artificial intelligence-based mathematical model was able to prevent the execution of Petya and Mischa right out of the gate, stopping it dead pre-execution. We tested multiple binaries over the course of 48 hours and the Petya/ Mischa bundle was no match for our math-based technology.

Figure_19.pngFigure 19: CylancePROTECT Console View, Showing the Detection and Quarantine of Petya/ Mischa Binaries

Fig20.pngFigure 20: CylancePROTECT Threats and Activities Tab, Showing the Pre-Execution Quarantine of Petya/ Mischa Binaries

Believe the Math!

(NOTE: Sample hashes withheld intentionally.)

 

[1] Encryptor RaaS was discontinued recently, on 7/6/2016

Tags: