By now we know that ransomware operates by encrypting select files and demanding the victim pay a ransom to decrypt them. A pesky new strain called Petya takes a different approach to wreaking havoc. Instead of encrypting one file at a time, it locks down the whole machine by encrypting the master boot record, which contains all the data needed to load the operating system. Unable to launch the system, victims are forced to make some crucial decisions – fast! The ransom sum doubles after seven days. If you’re thinking Petya sounds like a piece of work, you literally haven’t heard the half of it.
Multiple sources are reporting that a new Petya strain has been unleashed, this time accompanied by a second piece of malware coined “Mischa.” When it first emerged on the scene, Petya needed administrative privileges to encrypt the MBR, crash the system and reboot it with the ransom note front and center. Without this access, it would halt the infection process and essentially give up. If the necessary privileges can’t be obtained, the latest version of Petya simply introduces Mischa. And Mischa doesn’t require any special access to lock your system down with airtight AES encryption.
The original Petya was thought to be unbeatable. “Unfortunately, as with other recent types of ransomware, researchers still haven’t found a way to decrypt information encrypted by Petya,” said John Snow in a blog post by security software firm Kaspersky. Luckily a solution was right around the corner. Just a few weeks after the initial launch, a security expert simply known by the Twitter handle @leo_and_stone created a free tool that decrypts the MBR and enables victims to reclaim their systems without paying the ransom. The Petya-Mischa combo package is a problem security specialists have yet to figure out.
In researching this topic we’ve learned that ransomware developers are not only callous, but also incredibly thorough. After doing its dirty work, Mischa leaves behind digital ransom notes that tell you what’s going on with your files and directs you to a portal to pay up. The payment site, accessible via TOR, rolls out a wizard that provides step by step instructions on how to send the funds. There is also an impressively structured support page equipped with FAQs as well as the ability to pose questions to the developers. So thoughtful, these guys.
Advances in Ransomware
Petya may be the most unique strain to come out of the ransomware factory thus far, but it isn’t the only one on the fast track of evolution. Security software vendor TrendMicro reported that ransomware strains 7ev3n and CryptXXX were also the recent recipients of significant upgrades. 7Ev3n was made to be more user-friendly and give victims more payment options, while CryptXXX has taken a more personalized approach by greeting each victim with a unique ransom note. Once again, the masterminds of malware showing their compassionate side.
How to Beat Petya and Mischa
Every source I’ve combed on the subject seems to yield the same consensus: there is no getting up from the one-two punch of Petya and Mischa. Once you’ve been hit, you may feel like the countless other victims who’d rather just fork over the ransom and get the torture over with. Every second of downtime hurts your operation. In short, it sucks. But the good thing is that all of this madness can be avoided. We’ve rounded up some surefire effective ways to keep these malicious cyber bullies at bay.
Ever heard the phrase prevention is the best protection? Well that definitely rings true in this case. First and foremost, your goal should be to avoid this sinister combination before it has a chance to inflict any damage. So far, all Petya variants are distributed via email, specifically PDF files masquerading as job applications. It’s the classic phishing trap. Unless you’re actively pursuing new job opportunities, the message and the suspicious EXE. file it bundles should be a dead give away. See to it that your staff is educated on ransomware and how it gets around.
Get Comprehensive Malware Protection
The typical virus remover is useless here. By locking up the MBR, Petya restricts access to your anti-virus software and all other applications. For this reason, organizations must put emphasis on installing security software that not only detects and removes malware, but combats spam and phising emails as well. A program with stout anti-spam capabilities will detect malware like Petya and remove it before it has a chance to infect your system.
Back Up All the Time
When Petya made its initial rounds, repairing the master boot record was recommended as a way to sort of get around the infection without paying the ransom. The problem with this approach is that it means reinstalling the OS and losing your data. A better alternative is simply having a comprehensive disaster recovery strategy. If you backup your data on a regular basis, you can wipe the infected machine clean and restore the most recent version you tucked away in another location for times like this. Even with all the recent advancements, a bulletproof BDR plan is still the one thing ransomware doesn’t have an answer for.
The rapid progression of ransomware highlights the importance of making sure your cyber security strategy continues to evolve. Malware writers are getting craftier by the second, but at the end of the day, human error is what allows a tag team like Petya and Mischa to lay the smack down on IT systems. Human error can be corrected.
A Real Costly Problem
The meteoric rise of ransomware is backed up by some very scary numbers. FBI stats reveal that the trend was responsible for nearly $210 million worth of damage over the first three months of 2016 – in the U.S. alone. If that data is anywhere near accurate, then ransomware has already obliterated the roughly $24 million criminals extorted from organizations in all of 2015. At this rate we could be looking at close to a billion dollars in extorted funds by the time the year wraps up.