Some history and analytics about Petya and Mischa

Petya (also known as Petya.A, Petya.D, Trojan.Ransom.Petya, PetrWrap, NotPetya, ExPetr, GoldenEye) - malware, worm and ransomware program that affects computers running Microsoft Windows.

The Petya virus was first discovered in March 2016. At that time Check Point noted that while Petya had infected fewer computers than other ransomware, such as CryptoWall, the behaviour of the new virus iwas markedly different. Petya was immediately marked as the next step in the evolution of ransomware. The program required 0.9 bitcoins to restore access to files to the user (this equated to about US$380 as of March 2016).

Another version of the program appeared in May 2016. It contained an additional payload: if the virus can’t obtain administrator rights to overwrite the MBR and then encrypt the MFT, it installs another malicious program on the infected computer, Mischa, which encrypts user files directly (this operation usually does not require administrative rights), and then requires a ransom of 1.93 bitcoins (at that time – US$875):

The exploit encrypts files on the victim computer's hard drive, and also overwrites and encrypts the MBR data required to boot the operating system. Petya encrypts files with algorithms RSA-4096 and AES-256, which are used even for military purposes. Such code can’t be decrypted without a private key.

Like other ransomware, such as Locky virus, CryptoWall virus and CryptoLocker, this private key is stored on some remote server, which can only be accessed after payment of the ransom to the attacker. As a result, all files stored on the computer become unavailable. Then the malware requires a cash ransom in bitcoins for decrypting and restoring access to files.

But, in this case, the first version of the virus Petya encrypted not the files themselves, but the MFT table - a database with information about all the files stored on the disk. A payment of ransom is useless, in case of the version of Petya 2017 (called NotPetya) as it does not decrypt information on the hard drive, but destroys it irretrievably.

It does ask for a ransom, but experts say that this extortion activity is for the species. In fact, its real purpose is to destroy the systems and interfere with infrastructure, to break and destroy the data. This is a fairly complex virus, and it has many methods of distribution.

Petya and Mischa were originally distributed through phishing emails, disguised, for example, as applications for employment. Petya virus usually spreads through spam e-mail messages that contain bootable Dropbox links for a file called "application folder-gepackt.exe" attached to them. In addition, the messages supposedly could contain a link to the applicant's resume, which in fact turns out to be a PDFBewerbungsmappe.exe file. The virus is activated when a specific file is downloaded and opened.

When the victim runs such a file, Petya installation begins, and an administrator rights request appears. If Petya could not be installed, Mischa takes over. Mischa encrypts not only standard file types (images, documents, etc.), but also exe files. The extortion affects the Windows directory, Recycle.Bin, as well as the following: Microsoft, Mozilla Firefox, Opera, Internet Explorer, Temp, Local, LocalLow and Chrome.

A new version of Petya became rampant in the network. “New Petya” encrypts the MBR boot sector of the disk and replaces it with its own, a novelty in the world of Ransomware. #Misha (name from the Internet) arrives later and encrypts all the files on the disk. Such a global spread has not occurred before. Even well-protected companies have become victims. They encrypt everything, including the boot sectors (original) and it only remains to read the text of the extortionist after turning on the computer. This virus is supposed to spread using the latest 0day (Zero day) vulnerabilities.

Petya and Misha have two key differences. Petya can destroy the victim's entire hard drive, while Misha encrypts only certain files. Petya needs admin rights, but Misha does not. They do their work in partnership, complementing each other.

Misha is more like a traditional Trojan extortion. The Bleeping Computer blog says that the Trojan adds an extension of four characters to the name of the encrypted file. Thus, for example, the file "test.txt" becomes "test.txt.2HD5".

Misha has a tremendous "appetite" - it encrypts a huge number of different files, including .exe. Thus, the new Trojan does not allow users to run any program on the computer. With one exception: in the process of encryption, Misha ignores the Windows folder and folders containing browser files. Having finished its manipulations, Misha creates two files containing instructions on how to pay the ransom. They are called as follows: YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

As mentioned above, the virus disguises itself as an extortionist, while its true purpose is not monetary gain, but to cause massive damage. Virus Analyst Marcus Hutchins stated that the purpose of the cyber attacks was to cause massive system failure, rather than obtaining a ransom. Cybersecurity scientist, Nicholas Weaver, proposed the following hypothesis: Petya was "a deliberate, malicious, devastating attack, or perhaps a test disguised as extortion":

A specialist under the pseudonym Grugq noted that the first version of the virus was “a criminal enterprise for the purpose of extorting money”, but the new version is clearly not designed for this purpose. “Most likely, this worm is designed to spread quickly and inflict maximum damage with the help of plausible, at first glance, extortion.”

Petya & Marketing

The names of malicious programs are usually given by employees of anti-virus development companies. The exception is malware, ransomware, destroyers and spyware, which, in addition to computer infections, cause media epidemics - increase media hype and active discussion in the network.

Petya virus is a representative of the new generation. The name itself is part of the marketing strategy of developers aimed at increasing its recognizability and its growing popularity in the darknet market.

Similar marketing strategies to increase the popularity of viruses have already been used in the past: One of the first such was Creeper, jokingly greeting the user and offering to catch and remove it. The next was Cookie Monster, who demanded “give me a cookie” by entering the word “cookie”.

The Petya virus has a logo in the form of a pirate skull with bones, and it comes together with a whole marketing promotion strategy. “Petya” with his brother “Misha” have attracted increased attention due it this marketing activity.

It is clear that Cyber criminals are now playing according to market rules. They use a strategic “marketing approach” – the one that gets the more attention will bring its developers a potentially larger profit.

Source: Intecracy International

Partners provide new generation ICT-services, such as the development of custom software solutions, ICT-outsourcing services, as well as consulting for the information technology sphere.