BlackBerry Blog

Petya and Mischa for All! The RaaS Boom Expands to Include the Petya/Mischa Combo

FEATURE / 05.19.16 / Jim Walter

News recently broke [1] of the ransomware Trojan Petya coming bundled together with an additional, secondary Trojan. The second Trojan, Mischa, is included as a fallback or failsafe. If the initial Petya installation routine is unable to acquire proper privileges on the system to do its dirty work, Mischa can run instead.

Often, the logged-in user is an employee on a company system who does not have admin rights, or a User Account Control (UAC) prompt gives the user the chance to refuse the elevation. Either case can frustrate the malware authors and ultimately eat into their profits, so it makes sense for them to include Mischa as a backup.

Towards the end of April 2016, the public face of Petya and Mischa, self-described ‘professional cybercriminals’ Janus Cybercrime Solutions, began updating various resources. This included the creation of their Twitter handle (@janussec) and updates to their dark web presence.

[Images: petya3.png, janus_twitter.png]

Promotion then began for a closed and exclusive beta phase of the new combined malware. Currently this program is closed off to all but approved “high-volume distributors”. The current message on the site reads as follows:

The registration is closed at the moment. We are testing this platform with a few high volume distributors. But this closed beta phase is almost finished.

Please try again in a few days. Follow our twitter page for updates.

If you think you are a high volume distributor and want access to the closed beta, please write a message to BM-2cXrxmXcTtQah7rAvofVTXdWeZAYJHwRmk (bitmessage).

[Image: petya2.png]

Furthermore, the page highlights the new features of the combined ransomware:

[Images: petya_page_1.png, petya_Page_2.png]

Petya is considered by malware experts to be above average in terms of sophistication, which makes it surprising to see it spring up so quickly as a pseudo-public ransomware-as-a-service (RaaS) offering. From a code and execution perspective, it is far beyond previous offerings, including the likes of Tox, Ransom32, and especially the Goliath offering from 'Hall of Ransom'.

[Image: hall_of_ransom.png]

In addition to the new combined Petya/Mischa offering, the FUD (fully undetectable) crypting and evasion offering is very important to note. For those enrolled, crypting/FUD services are included free of charge. The authors provide assurance that your binaries will go undetected, on an ongoing, 24/7 basis. As a bonus, if you are one of their ‘high-volume distributors’, you get your own unique stub. This further assures evasion, as private stubs are 100% unique to those recipients.

This step helps reduce the amount of ‘leakage’ of the binaries into the wild, and gives them an advantage, evasion-wise, over the public/non-private stub crypts.

Similar to other RaaS offerings, administration duties for the ransomware are handled via a simple web interface. The provided interface gives the ransomware buyer basic administration access, which includes management of payment amounts, victim tracking, binary updating/recrypting and more. You also get full support for any issues that might arise. Consider this as the cybercriminal’s version of a gold-level technical support package.

[Image: petya_admin.png]

Their FAQ provides basic answers to questions around infection, encryption and options around payment:

Petya/Mischa FAQ section

Is the infection screen shown before Windows starts?

Our system has a strong physical low-level encryption, which encrypts all of your data storages, including USB devices. Windows repair programs or other diagnostic tools can't restore any data.

What will happen if I just reinstall my computer?

All your data will be irreversibly destroyed and you have to buy a new Windows license. Nobody can restore any data without your personal decryption key.

Which encryption algorithms are used?

The RSA (cryptosystem) 4096 bit and Advanced Encryption Standard (AES) 256 bit are used. Both systems are very secure and can't be bypassed or cracked.

What can I do?

Follow the decryption wizard on this page. It will help you with the payment and the decryption of your computer. In some cases your personal data will be published to the darknet if you don't pay!

[Image: petya_faq.png]

Revenue and profit sharing is set up to benefit the highest-volume distributors of the ransomware. Again, the fact that Mischa is included as a user-context failsafe makes this goal far more attractive and achievable.

[Image: petya_sharing_profit.png]

The malware behaves much like prior versions of Petya. A few seconds after execution, the system reboots and the victim is presented with a fake chkdsk screen. Allowing this process to complete, or forcing a reboot, results in the familiar skull-and-crossbones strobe (as shown below), albeit an updated version to match the new color scheme:

[Images: three screenshots of the fake chkdsk screen and the updated skull-and-crossbones lock screen]

Once again, this is exactly what occurs when Petya is able to get full administrative privileges. When Petya is unable to gain admin rights (due to UAC or other controls), Mischa then deploys.

Mischa infections resemble the more traditional ransomware cases. There are no skulls or fancy special effects. You simply get notified of the encryption via a plain text file on the desktop. All encrypted files are appended with a ‘.bQx1’ extension. The instructions include links for ‘potential’ recovery of the files.

[Images: four screenshots of the Mischa ransom note and its recovery instructions]

The Mischa .onion links lead to an updated Petya ransomware decryption service page:

[Images: mischa_dec_1.png and a screenshot of the decryption service page]

When entering the personal decryption code, you are presented with details on how to purchase bitcoins (BTC), and shown the amount demanded. In the example above, the Mischa decryption price is 2.08600000 BTC, which is roughly $947.00 USD.

[Images: decrypt_4.png, decrypt5.png, decrypt_6.png]

The BTC wallet cited in our example is: 1AMBh1HtqhTCcNm31xuLp2DPvaL3umjoTM

It is highly likely that the payment wallets are processed through several layers of obfuscation (washing). The wallet above currently holds 0.00 BTC (no funds) with no attached transactions, according to Blockchain.

Analysis on the service side of this is ongoing. We will update this blog as new developments become available.

Detection

One sample has been circulated in multiple recent blogs and articles:

SHA256: d4b6524315d5de727a8af3e4e73e8b28dab27c62fd0a6a7a891460061c2f3d60

Upon analysis of this file, we came across a few other samples that are similar to it or directly related.

Note: the compilation dates for all three samples are as follows:

SHA256                                                            Compiled
d4b6524315d5de727a8af3e4e73e8b28dab27c62fd0a6a7a891460061c2f3d60  3/27/2016
6f9aae315ca6a0d3a399fa173b0745b74a444836b5efece5c8590589e228dbca  3/27/2016
e03e2d150b8135cfb330394c35f9bf372801b8a7c52a7a271db0a4ee46abbdd7  3/27/2016
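The two indicators this post gives a responder, the three sample hashes above and the ‘.bQx1’ extension Mischa appends to encrypted files, are enough for a simple host triage script. The following is an added example, not code from the original post or from Cylance: it checks a file inventory against the listed SHA-256 hashes and flags files carrying the Mischa extension. The inventory paths and the non-matching hashes are constructed for illustration; the hash on the first entry is one of the sample hashes listed above.

```python
import hashlib
from pathlib import PureWindowsPath
from typing import Iterable

# SHA-256 hashes of the Petya/Mischa samples listed in this post.
PETYA_MISCHA_SHA256 = {
    "d4b6524315d5de727a8af3e4e73e8b28dab27c62fd0a6a7a891460061c2f3d60",
    "6f9aae315ca6a0d3a399fa173b0745b74a444836b5efece5c8590589e228dbca",
    "e03e2d150b8135cfb330394c35f9bf372801b8a7c52a7a271db0a4ee46abbdd7",
}

# Extension Mischa appends to the files it encrypts (from this post).
MISCHA_EXTENSION = ".bQx1"


def sha256_hex(data: bytes) -> str:
    """SHA-256 of a file's bytes as lowercase hex, the form used in the IoC list."""
    return hashlib.sha256(data).hexdigest()


def match_known_hashes(observed: Iterable[str]) -> set:
    """Return the subset of observed hashes that are known samples (case-insensitive)."""
    return {h.strip().lower() for h in observed} & PETYA_MISCHA_SHA256


def is_mischa_encrypted_name(path: str) -> bool:
    """True if the file name ends in the Mischa extension.
    NTFS names are case-insensitive, so the comparison ignores case."""
    return PureWindowsPath(path).suffix.lower() == MISCHA_EXTENSION.lower()


def triage(file_records):
    """file_records: iterable of (path, sha256_hex) pairs.

    Returns 'hash_hits' (paths whose hash is a known sample binary) and
    'extension_hits' (paths that look like files Mischa has already encrypted).
    """
    hash_hits, extension_hits = [], []
    for path, digest in file_records:
        if digest.strip().lower() in PETYA_MISCHA_SHA256:
            hash_hits.append(path)
        if is_mischa_encrypted_name(path):
            extension_hits.append(path)
    return {"hash_hits": hash_hits, "extension_hits": extension_hits}


# Constructed sample inventory (hypothetical paths). Only the first hash is real;
# the other two are filler values that match nothing.
SAMPLE_INVENTORY = [
    (r"C:\Users\alice\Downloads\invoice.exe",
     "d4b6524315d5de727a8af3e4e73e8b28dab27c62fd0a6a7a891460061c2f3d60"),
    (r"C:\Users\alice\Documents\report.docx.bQx1", "0" * 64),
    (r"C:\Users\alice\Documents\budget.xlsx", "1" * 64),
]


def sample_verdict():
    """Run triage over the constructed inventory.

    Either indicator alone justifies isolating the host. Encrypted .bQx1 files
    without the Petya boot-level lock screen point to the user-context Mischa
    fallback having run, i.e. the dropper did not obtain admin rights.
    """
    result = triage(SAMPLE_INVENTORY)
    result["likely_mischa"] = bool(result["extension_hits"])
    return result


if __name__ == "__main__":
    print(sample_verdict())
```

On a live host the inventory would come from walking user-writable directories and hashing executables with `sha256_hex`; the extension check is cheap enough to run over every file, while hashing is best limited to executables and recent downloads.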

CylancePROTECT® vs. Petya and Mischa

CylancePROTECT is able to detect and prevent execution on 100% of the binaries from this particular malware family - even with the malware authors' guarantee of 24/7 FUD and evasion. This level of detection does not exist with the more traditional, signature-based AV technologies.

Here are the CylancePROTECT detection results for the prior-noted binaries. As you can see, CylancePROTECT detected and quarantined each malicious binary, pre-execution:

[Images: two screenshots of the CylancePROTECT detection results for the three binaries]

Offerings like the Petya/Mischa combo are sure to flourish and become far more prevalent and accessible. Advanced, artificial-intelligence-based AV solutions are now required to provide ongoing, preventative protection.

Believe the Math!


[1] http://www.securityweek.com/upgraded-petya-malware-installs-additional-ransomware

About Jim Walter

Jim Walter is a Senior Security Researcher at Cylance.