Since its release on June 27, the Cylance Threat Guidance team has been analyzing the Petya-like ransomware that was highly effective in targeting organizations around the world. Initially distributed via the compromised Ukrainian accounting software MEDoc, the malware quickly spread within the country and, due to its highly sophisticated worm capabilities, spread globally at a rapid rate. In addition to worm propagation, Petya-like can encrypt files, infect the Master Boot Record (MBR) and destroy the filesystem of an infected computer, causing irreversible data loss.
What is Petya?
Petya is a sophisticated ransomware, designed to encrypt the filesystem at a low-level via a custom bootloader. It usually comprises a user-mode dropper/installer, and is often bundled with an additional user-mode ransomware called Mischa, which is used when it’s not possible to install the Petya bootloader. The original author, Janus, released Petya as a RaaS (Ransomware-as-a-Service) in July 2016, meaning anyone could create/distribute their own Petya samples whilst the author takes a cut of the profits.
Is This Petya?
Yes and no! The bootloader in Petya-like is certainly a variant of Petya (albeit slightly modified compared to previous versions). However, the user-mode components vary greatly from anything seen previously. This would appear to be a new strain of malware, developed primarily to utilize the Petya bootloader to securely wipe an infected computer.
In addition, the original author of Petya has publicly stated that he was not responsible for the development of Petya-like, and is actively working with the research community to provide details and analysis, even going so far as to release the private AES decryption key for all prior Petya variants.
Petya-like is modular in nature, relying upon several components to operate:
perfc.dat
This is a Security Bloggers Network syndicated blog post authored by Cylance Threat Guidance Team. Read the original post at: Cylance Blog