Thursday, March 31, 2016

Petya Ransomware: Threat Actors ready since December 2015

A few days ago TrendMicro made public in his blog that they found a new family of Crypto-Ransomware which is  able to overwrite the MBR. This means that the system can't boot normally until the MBR is restored and for that it is necessary to pay the a 'rescue'. The 'rescue' is paid in BTC and in order to do the payment, it necessary to access a Tor page. 

I was doing some research on this as I ended up with a sample that was not reported yet at the moment of the analysis. At the moment of writing this post, the ratio of detection in VT for that sample was very low:




Taking a look to the Tor website

After the host is infected, it automatically reboots. Once booted, a screen like the one below is displayed:



Here I can already see the onion URL to access the webpage to pay the 'rescue'.  Only the 1st link http://petya37h5tbhyvki.onion/bL25sw was active while doing this analysis.

When accessing the webpage, the first thing I find is a captcha


Then, I am informed that my system is infected with "military grade encryption" and that I need to purchase a key to decrypt the system



The process to obtains the key and requires to identify my infected system with the unique ID, which permits to obtains the BTC wallet where they money must be sent









The web looks quite professional and even there is a support link where the victim can send a message to the threat actors:



Moreover, the copyright message across the web is quite funny



In the news section, one can read that this 'project' (as they call it) was launched the 16/12/2015






To be continued..