
Ransomware stories – Petya, the odd one out

What is Petya and how is it different from other ransomware?

Petya ransomware is meant to prevent users from accessing their data and force them to pay a ransom in order to recover it. However, unlike other types of ransomware, it does not encrypt files one by one, which takes time – time in which the malicious activity may be detected. Instead, its authors found a more efficient way of compromising a large amount of information in a very short period: replacing the computer's operating system loader with their own code.

This allows the malware to take control of the entire PC and prevent the original OS from running, which means nothing OS-level runs anymore, including AV engines and other security tools.

Delivery and infection stages

Petya is delivered through social engineering techniques based on fake email campaigns, leading users to believe they are downloading a document of some relevance to them.

During the first stage, the obfuscated payload is executed, protected by advanced anti-detection techniques that simulate harmless behavior and prevent anti-malware solutions from accessing the payload itself. It writes the information it needs to disk and then overwrites the master boot record, thus preparing for the next stage, that of taking complete control of the PC. To trigger the next stage, it forces a reboot of the computer.

After the reboot, the second stage begins: a malicious kernel is booted instead of the original OS. During this stage, Petya encrypts the master file table, which prevents access to the files themselves even if the disk is attached to another machine for recovery purposes. Once the job is done, it displays a UI that instructs the victim how to proceed in order to recover the files.
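As an added illustration (not code from the original post or from TEMASOFT), here is a Python integrity check over the first disk sector that captures the footprint described above: loader code rewritten while the partition table is left intact. The sample MBR bytes are constructed placeholders, not real loader or malware code, and the baseline would in practice be taken while the system is known-good and kept off the monitored host.

```python
import hashlib
import struct

BOOT_CODE_LEN = 446        # bootstrap loader region; the OS loader code lives here
SIGNATURE = b"\x55\xaa"    # every valid MBR ends with this boot signature

def parse_mbr(sector):
    """Split a 512-byte MBR into loader code, partition table bytes and signature."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):                      # four 16-byte partition entries
        off = BOOT_CODE_LEN + 16 * i
        flag, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype:                           # type 0 means an empty slot
            partitions.append({"bootable": flag == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"loader": sector[:BOOT_CODE_LEN],
            "table": sector[BOOT_CODE_LEN:BOOT_CODE_LEN + 64],
            "signature": sector[510:], "partitions": partitions}

def baseline(sector):
    """Record a known-good MBR (take once, keep the record off the monitored host)."""
    mbr = parse_mbr(sector)
    return {"loader_sha256": hashlib.sha256(mbr["loader"]).hexdigest(),
            "table": mbr["table"]}

def check_mbr(sector, base):
    """Compare an MBR against the baseline; an empty list means no change."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != SIGNATURE:
        findings.append("boot signature missing")
    loader_changed = hashlib.sha256(mbr["loader"]).hexdigest() != base["loader_sha256"]
    table_changed = mbr["table"] != base["table"]
    # Loader rewritten with the partition table untouched is the footprint of a
    # loader-replacing threat like Petya's first stage, not of a normal re-partition.
    if loader_changed and not table_changed:
        findings.append("loader code replaced, partition table unchanged")
    elif loader_changed:
        findings.append("loader code and partition table both changed")
    elif table_changed:
        findings.append("partition table changed")
    return findings

# Constructed samples: one NTFS partition entry, a clean loader, and a replaced one.
NTFS_ENTRY = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
TABLE = NTFS_ENTRY.ljust(64, b"\x00")
CLEAN_MBR = b"\xfa\x33\xc0\x8e\xd0".ljust(BOOT_CODE_LEN, b"\x00") + TABLE + SIGNATURE
TAMPERED_MBR = (b"\x90" * 64).ljust(BOOT_CODE_LEN, b"\x00") + TABLE + SIGNATURE
BASELINE = baseline(CLEAN_MBR)
```

A monitoring agent would feed the real first sector of each disk into `check_mbr` on a schedule and alert on any non-empty result, since a changed loader with an unchanged partition table is not something routine administration produces.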

Recovery options

We are now at the third version of Petya, which features improved cryptography, new keys and better hiding techniques. Thanks to a handful of people who studied the malware closely, some recovery options and advice are available for the first two versions of Petya (and there is an ongoing effort to crack the latest version), either by preventing the trigger of the second stage or by using tools that are able to crack the malware's cryptography. More information on recovery from the first two versions is available in the reference at the end of this post.

Detection

Various anti-virus vendors struggle to detect the malicious payload, but success is limited because of the measures taken by the developers to elude detection and because new releases of Petya carry new payloads. While the older versions of Petya may be detected with a better success rate, the latest version still causes problems for AV vendors, and there is no telling when a newer version will be released.

How we can help

So far, in the fight against Petya, prevention is the key. There is little more that can be done other than relying on a layered security approach, where employee training works together with anti-malware solutions to prevent the initial infection from happening. The situation is much worse for most home users, who lack the knowledge and resources to effectively prevent an infection or recover from one. Consumers contribute significantly to the attackers' budgets, so as long as ransoms are paid, new versions will keep coming our way.

TEMASOFT FileMonitor, our file monitoring software, can already detect when suspicious executables are downloaded onto systems and can trigger alerts that can be linked to automated tools to quarantine or block a potentially offending application.

Moreover, TEMASOFT joins the fight against ransomware by developing a technique that will enable early detection of any typical ransomware, using advanced file-access patterns correlated with disk protection functionality. This solution will be available soon, and will allow people and companies to add an extra, far more efficient layer of security on top of their AV engines to eliminate ransomware threats.

References: https://hshrzd.wordpress.com/


This post was last modified on August 21, 2023 7:27 am

Calin Ghibu

Technical background: over 15 years of experience in testing, developing, researching and managing network security solutions. Currently focusing on information security and IT management. Specialties: network audit, information security, web security, endpoint security, perimeter security, SIEM, legal compliance, competitive intelligence.
