The time has come to follow up on our previous analysis of the Petya and Mischa ransomware family. When we last left off, private ransomware distributor Janus Cybercrime Solutions had started opening up the platform by offering private stubs and support, in line with most ransomware as a service (RaaS) offerings.
Now, the day security experts around the world have both expected and feared has finally come: the Petya and Mischa bundle is open and available to all!
The update was quietly announced on July 26, 2016, on a little-known Twitter account run by Janus Cybercrime Solutions. It is important to note here that this Twitter alias changed between updates as well. Prior to July, the account username was '@janussec,' whereas now, Janus is operating as '@janussecretary'.
In short, the platform is now fully open to anyone who wants to create, spread, and manage their own Petya infections. The danger here of course is that the Petya ransomware generated by this service is every bit as destructive as previous generations.
This is how a typical Petya infection goes: upon execution of the malware, the infected host computer shuts down and reboots. Following the restart, the victim is presented, as in earlier versions, with a fake CHKDSK screen. Interrupting that screen, or forcing a reboot in an attempt to stop the fake process, leads to the familiar skull and crossbones animation. Pressing any key during the skull display takes the victim to instructions on how to pay the ransom, along with their personal decryption code.
As is the case with other similar ransomware offerings (TOX, Ransom32, Encryptor RaaS), the authors or facilitators get a ‘cut’ of the payment. The ransom is drawn at random from a range set by the user of the portal, so each victim is charged a random amount within that range.
The amount of the ‘cut’ is unclear at the time of writing this, as the FAQ for Petya RaaS is not yet live. In the absence of the FAQ, users are instructed to message support via a form on the Janus Cybercrime portal.
The administrative portal for Petya is very straightforward and ‘Tox-like’. The same site page used for registration serves as the management portal and panel for subsequent infections.
Figure 10: Behind the Scenes at Petya RaaS
The upfront fee fluctuates because it is priced in bitcoin (BTC). That being said, it appears to hover around the $8.00 to $18.00 USD range – a low price which is (in my opinion) certainly well within the reach of the aforementioned “kiddies and timewasters.”
In order to register and make payment, you must provide the authors with a valid bitcoin address for payment collection, along with the public key for that address. The system then runs a script to generate your private key for the ransomware.
Once you are ‘in’, a process that takes between one and twelve hours because the bitcoin transfers are verified manually, you are able to download binaries, update wallet settings, track infections, contact support and more.
An important note on the binaries themselves: most registrants will be offered the ‘public’ stub. The private stubs, which are rarer, are reserved for the service's most active distributors.
The stubs (binaries) are updated daily, possibly multiple times per day, to ensure detection evasion. Even the ‘public’ stubs vary per user, and as stated, over time.
Mischa and Petya infections are handled via the same binary and portal as per previous generations. When Petya is denied administrative privileges by way of UAC controls or otherwise, the Mischa-specific payload is executed. Rather than overwrite the master boot record (MBR), Mischa behaves more like ‘traditional’ ransomware. It will encrypt the local files and then inform the victim how to recover them, in a style mimicking the Petya instructions.
In our analysis, Mischa-encrypted files are given a 'MspqYy' extension.
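A small triage script, added here as an example and not part of the original post, that walks a file listing for the 'MspqYy' extension observed in our analysis, counts affected files per directory and recovers their original names; the file listing it runs on is constructed for illustration.

```python
"""Post-infection triage for Mischa: locate files carrying its extension.
Added example, not code from the original post. The only page-supplied fact
is the 'MspqYy' extension; the listing below is constructed for illustration.
"""
import os
from collections import Counter
from pathlib import Path, PurePosixPath

MISCHA_EXTENSION = ".MspqYy"  # extension seen on Mischa-encrypted files


def is_mischa_encrypted(path: str) -> bool:
    """True if the final extension is exactly the Mischa one (case matters)."""
    return PurePosixPath(path).suffix == MISCHA_EXTENSION


def original_name(path: str) -> str:
    """Recover the pre-encryption filename by dropping the appended suffix."""
    p = PurePosixPath(path)
    return str(p.with_suffix("")) if is_mischa_encrypted(path) else path


def triage(paths):
    """Summarise a listing: {directory: (encrypted, total)} plus originals.

    Directories with no encrypted files are left out so the report points
    restore effort at the places that actually need it.
    """
    encrypted, total, originals = Counter(), Counter(), []
    for path in paths:
        directory = str(PurePosixPath(path).parent)
        total[directory] += 1
        if is_mischa_encrypted(path):
            encrypted[directory] += 1
            originals.append(original_name(path))
    return {d: (encrypted[d], total[d]) for d in encrypted}, originals


def scan_tree(root: str):
    """Walk a real directory tree and triage every file beneath it."""
    listing = [Path(dp, f).as_posix() for dp, _, fs in os.walk(root) for f in fs]
    return triage(listing)


# Constructed listing standing in for a scan of an infected file share.
SAMPLE_LISTING = [
    "/srv/share/finance/q2.xlsx.MspqYy",
    "/srv/share/finance/q3.xlsx.MspqYy",
    "/srv/share/finance/readme.txt",
    "/srv/share/hr/handbook.pdf.MspqYy",
    "/srv/share/it/notes.mspqyy",  # wrong case: not Mischa's extension
]
```

Running `triage(SAMPLE_LISTING)` reports two of three files hit in the finance directory and one of one in HR, while the IT file is ignored because the extension match is case-sensitive.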
Even the public stubs are very effective at evading legacy signature-based endpoint products, as you can see in the image below. The fact that the binaries are updated daily, if not more often, further compounds this problem. Casual testing with a popular multi-engine scanning site shows that only one vendor picked up the Petya/Mischa sample!
It’s a different story with CylancePROTECT. Our artificial intelligence-based mathematical model was able to prevent the execution of Petya and Mischa right out of the gate, stopping it dead pre-execution. We tested multiple binaries over the course of 48 hours and the Petya/Mischa bundle was no match for our math-based technology.
Believe the Math!
(NOTE: Sample hashes withheld intentionally.)