News recently broke  of the ransomware Trojan Petya coming bundled together with an additional, secondary Trojan. The second Trojan, Mischa, is included as a fallback or failsafe. If the initial Petya installation routine is unable to acquire proper privileges on the system to do its dirty work, Mischa can run instead.
Often, the logged-in user is an employee using a company system and does not have admin rights, or User Account Control (UAC) prompts allow a user to disallow code. This can frustrate the malware authors and ultimately eat into their profits. You can understand why it would then make sense for them to include Mischa as a backup.
Towards the end of April 2016, the public face of Petya and Mischa, self-described ‘professional cybercriminals’ Janus Cybercrime Solutions, began updating various resources. This included the creation of their Twitter handle (@janussec) and updates to their dark web presence.
Promotion then began for a closed and exclusive beta phase of the new combined malware. Currently this program is closed off to all but approved “high-volume distributors”. The current message on the site reads as follows:
The registration is closed at the moment. We are testing this platform with a few high volume distributors. But this closed beta phase is almost finished.
Please try again in a few days. Follow our twitter page for updates.
If you think you are a high volume distributor and want access to the closed beta, please write a message to BM-2cXrxmXcTtQah7rAvofVTXdWeZAYJHwRmk (bitmessage).
Furthermore, the page highlights the new features of the combined ransomware:
Petya is considered by malware experts to be above average in terms of sophistication, which makes it surprising to see it spring up so quickly as a pseudo-public ransomware-as-a-service (RaaS) offering. From a code and execution perspective, it is far beyond previous offerings, including the likes of Tox, Ransom32, and especially the Goliath offering from 'Hall of Ransom'.
In addition to the new combined Petya/Mischa offering, it is very important to note the FUD/Evasion offering. For those enrolled, free crypting/FUD services are included. The authors are providing assurance that your binaries will go undetected, ongoing and 24/7. As a bonus, if you are one of their ‘high-volume distributors’, you will get your own unique stub. This step further assures evasion, as private stubs are 100% unique to those recipients.
This step helps reduce the amount of ‘leakage’ of the binaries into the wild, and gives them an advantage, evasion-wise, over the public/non-private stub crypts.
Similar to other RaaS offerings, administration duties for the ransomware are handled via a simple web interface. The provided interface gives the ransomware buyer basic administration access, which includes management of payment amounts, victim tracking, binary updating/recrypting and more. You also get full support for any issues that might arise. Consider this as the cybercriminal’s version of a gold-level technical support package.
Their FAQ provides basic answers to questions around infection, encryption and options around payment:
Our system has a strong physical low level encryption, which encrypts all of your data storages, include USB devices. Windows repair programs or other diagnostic tools can't restore any data.
All your data will be irreversible destroyed and you have to buy a new windows license. Nobody can restore any data without your personal decryption key.
The RSA (cryptosystem) 4096 bit and Advanced Encryption Standard (AES) 256 bit are used. Both systems are very secure and can't be bypassed or cracked.
Follow the decryption wizard on this page. It will help you with the payment and the dexryption of your computer. In some cases your personal data will published to the darknet if you don't pay!
Revenue and profit sharing is set up to benefit the highest-volume distributors of the ransomware. Again, the fact that Mischa is included as a user-context failsafe makes this goal far more attractive and achievable.
Behavior-wise, the malware behaves in a very similar fashion to prior versions of Petya. A few seconds after execution, the system reboots and the victim is presented with a fake chkdsk screen. Allowing this process to complete, or forcing a reboot results in the familiar skull and crossbones strobe (as shown below), albeit an updated version to match their new color scheme:
Once again, this is exactly what occurs when Petya is able to get full administrative privileges. When Petya is unable to gain admin rights (due to UAC or other controls), Mischa then deploys.
Mischa infections resemble the more traditional ransomware cases. There are no skulls or fancy special effects. You simply get notified of the encryption via a plain text file on the desktop. All encrypted files are appended with a ‘.bQx1’ extension. The instructions include links for ‘potential’ recovery of the files.
The Mischa .onion links lead to an updated Petya Ransomware decryption service page:
When entering the personal decryption code, you are presented with details on how to purchase bitcoins (BTC), and shown the amount demanded. In the example above, the Mischa decryption price is 2.08600000 BTC, which is roughly $947.00 USD.
It is highly likely that the payment wallets are processed though several layers of obfuscation (washing). The wallet above currently holds 0.00 (no funds) with no attached transactions, according to Blockchain.
CylancePROTECT is able to detect and prevent execution on 100% of the binaries from this particular malware family - even with the malware authors' guarantee of 24/7 FUD and evasion. This level of detection does not exist with the more traditional, signature-based AV technologies.
Offerings like the Petya/Mischa combo are sure to flourish and become far more prevalent and accessible. Advanced, artificial intelligence based AV solutions are now required to provide ongoing and preventative protection.
Believe the Math!