{"id":6970,"date":"2017-03-14T10:30:30","date_gmt":"2017-03-14T18:30:30","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/03\/14\/news-761\/"},"modified":"2017-03-14T10:30:30","modified_gmt":"2017-03-14T18:30:30","slug":"news-761","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/03\/14\/news-761\/","title":{"rendered":"Hackers use dangerous Petya ransomware in targeted attacks"},"content":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt4.staticworld.net\/images\/article\/2016\/03\/petya_ransomware_logo_1-100652676-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucian Constantin | Date: Tue, 14 Mar 2017 11:19:00 -0700<\/strong><\/p>\n<p> In a case of no honor among thieves, a group of attackers has found a way to hijack the Petya ransomware and use it in targeted attacks against companies without the program creators&#8217; knowledge. <\/p>\n<p> A computer Trojan dubbed PetrWrap, being used in attacks against enterprise networks, installs Petya on computers and then patches it on the fly to suit its needs, <a href=\"https:\/\/securelist.com\/blog\/research\/77762\/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks\/\">according to<\/a>\u00a0security researchers from antivirus vendor Kaspersky Lab. <\/p>\n<p> The Trojan uses programmatic methods to trick Petya into using a different encryption key than the one its original creators have embedded inside its code. This ensures that only the PetrWrap attackers can restore the affected computers to their previous state. <\/p>\n<p> The Trojan also removes all mentions of Petya from the ransom message, as well as its signature red skull designed in ASCII. <\/p>\n<p> Petya first appeared a year ago and immediately stood out from other ransomware programs. 
Instead of encrypting files directly, it replaces the hard drive&#8217;s master boot record (MBR) code, which normally starts the operating system, with malicious code that encrypts the drive&#8217;s master file table (MFT). <\/p>\n<p> The MFT is a special file on NTFS volumes that contains information about all other files: their name, size, and mapping to hard disk sectors. The actual contents of the user&#8217;s files are not encrypted, but without the MFT, the OS no longer knows where those files are located on disk. <\/p>\n<p> Unlike other ransomware infections that only lock access to certain files by encrypting them, Petya locks access to the entire computer. With a corrupted MBR and MFT, the operating system will no longer start, and users will only be greeted by a ransom message on the screen when they turn on their computer. <\/p>\n<p> The decision to hijack and use Petya without its authors&#8217; consent is clever because it solves several problems for the PetrWrap attackers. First, they don&#8217;t have to write their own ransomware program, which is hard to get right, and they don&#8217;t have to pay someone else for a ready-made solution either. <\/p>\n<p> Second, because it has been around for a while, Petya has had time to mature into a well-developed piece of malware. The PetrWrap attackers use Petya version 3, the latest variant of the program, which, unlike previous versions, has no known flaws. That&#8217;s because its creators have perfected their encryption implementation over time. <\/p>\n<p> Creating something like Petya from scratch would not only be prone to errors but would also require knowledge of writing low-level bootloader code for the MBR. <\/p>\n<p> Once inside a network, the PetrWrap attackers look for and steal administrative credentials. They then use the PsExec tool to deploy the malware to all endpoint computers and servers they can access. 
<\/p>\n<p> There is no tool to decrypt the MFT of hard disk volumes affected by Petya, but because this malware doesn&#8217;t encrypt the file contents, some data recovery tools might be able to reconstruct the files from hard disk raw data. <\/p>\n<p><a href=\"http:\/\/www.computerworld.com\/article\/3180848\/security\/hackers-use-dangerous-petya-ransomware-in-targeted-attacks.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><img decoding=\"async\" src=\"http:\/\/zapt4.staticworld.net\/images\/article\/2016\/03\/petya_ransomware_logo_1-100652676-primary.idge.jpg\"\/><\/p>\n<p><strong>Credit to Author: Lucian Constantin | Date: Tue, 14 Mar 2017 11:19:00 -0700<\/strong><\/p>\n<article>\n<section class=\"page\">\n<p> In a case of no honor among thieves, a group of attackers has found a way to hijack the Petya ransomware and use it in targeted attacks against companies without the program creators&#8217; knowledge.<\/p>\n<p> A computer Trojan dubbed PetrWrap, being used in attacks against enterprise networks, installs Petya on computers and then patches it on the fly to suit its needs, <a href=\"https:\/\/securelist.com\/blog\/research\/77762\/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks\/\">according to<\/a>\u00a0security researchers from antivirus vendor Kaspersky Lab.<\/p>\n<p> The Trojan uses programmatic methods to trick Petya into using a different encryption key than the one its original creators have embedded inside its code. 
This ensures that only the PetrWrap attackers can restore the affected computers to their previous state.<\/p>\n<\/section>\n<\/article>\n","protected":false},"author":4,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[10439,11073,714],"class_list":["post-6970","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-encryption","tag-malware-vulnerabilities","tag-security"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6970","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=6970"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/6970\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=6970"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=6970"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=6970"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}