Petya ransomware is now double the trouble

The master boot record killer now can install a second file-encrypting program

The Petya ransomware now bundles a second file-encrypting program for cases where it cannot replace a computer's master boot record to encrypt its file table.

Petya is an unusual ransomware threat that first popped up on security researchers' radar in March. Instead of encrypting a user's files directly, it encrypts the master file table (MFT) used by NTFS disk partitions to hold information about file names, sizes and location on the physical disk.

Before encrypting the MFT, Petya replaces the computer's master boot record (MBR), which contains code that initiates the operating system's bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves computers unable to boot.

However, in order to overwrite the MBR after it infects a computer, the malware needs to obtain administrator privileges. It does so by asking users for access via the User Account Control (UAC) mechanism in Windows.

In previous versions, if Petya failed to obtain administrator privileges, it stopped the infection routine. However, in such a case, the latest variant installs another ransomware program, dubbed Mischa, that begins to encrypt users' files directly, an operation that doesn't require special privileges.

"There is nothing a ransomware developer hates more than leaving money on the table and this is exactly what was happening with Petya," said Lawrence Abrams, the founder of the tech support forum, in a blog post. "Unlike Petya, the Mischa Ransomware is your standard garden variety ransomware that encrypts your files and then demands a ransom payment to get the decryption key."

The ransom that Mischa currently asks is 1.93 bitcoins, or around US$875 -- higher than some similar ransomware programs.

Another thing that sets Mischa apart is that it encrypts executable (.EXE) files in addition to documents, pictures, videos and other user-generated files typically targeted by ransomware programs. This has the potential to leave installed programs and the OS in a non-functional state, making it harder to pay the ransom from the affected system.

The installer for the Petya-Mischa combo is distributed via spam emails that pose as job applications. These emails contain a link to an online file storage service that hosts a picture of the alleged applicant and a malicious executable file that masquerades as a PDF document.

If it's downloaded and executed, the fake PDF file first tries to install Petya and if that fails, it installs Mischa. Unlike Petya, for which a decryption tool is available, there is currently no known way to restore files encrypted by Mischa without paying the ransom.

Join the CSO newsletter!

Error: Please check your email address.

Tags securityransomeware attackersmalware

More about UAC

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Lucian Constantin

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts