Various organizations are being targeted by cyber crooks leveraging the infamous Petya ransomware.
A modified Petya version inside a Trojan
But victims will have a difficult time identifying the threat as Petya, as the criminals have integrated it into a Trojan (dubbed “PetrWrap” by the researchers), and have modified it to show no mention of the ransomware’s name or Petya’s memorable flashing red skull-and-bones animation.
The Trojan uses Petya to infect the victim’s machine, but it implements its own cryptographic routines and modifies the code of Petya in runtime to control its execution.
“Petya generates a 16-byte key and uses the Salsa20 cipher to encrypt the MFT of the NTFS partitions found on local drives. To make decryption possible only by its operators, it uses the Elliptic Curve Diffie-Hellman (ECDH) key agreement algorithm with the curve secp192k1 and a public key is embedded into Petya’s body,” Kaspersky Lab researchers explained.
“The criminals behind PetrWrap faced a problem: if they used Petya as is, they would be unable to decrypt the victim’s machine because they would need the Petya operators’ private key. So what they decided to do was to completely replace the ECDH part of Petya with their own independent implementation and use their own private and public keys.”
They say that the strong encryption algorithm makes it impossible to create a dedicated decryption tool, but victims can try restoring files using third-party tools such as R-Studio.
How to protect your organization against these attacks?
According to the researchers, the ransomware is set to work after the attackers penetrate an organization’s network, usually through vulnerable servers or servers with unprotected RDP access.
They use PsExec, a light-weight telnet-replacement tool, to install the ransomware on all endpoints and servers, and tools like Mimikatz to obtain the credentials that will allow them to perform the installation.
“To protect against such attacks, organizations need to keep their server software up to date, use secure passwords for remote access systems, install security solutions on their servers and use security solutions with behavioral detection components on their endpoints,” the researchers advise.