Petya Is Back With a Nasty Secondary Payload
Petya is a ransomware that always did things differently than run-of-the-mill exploits. It didn’t encrypt the files on a hard disk, but rather encrypted the entire hard disk.
To do that, it had to escalate its privileges to the administrative level. If this ploy failed, the ransomware would just shut itself down without performing any malicious action. However, that has now changed.
A New Payload for Petya
The ransomware’s developers decided to bundle another program with it, and it functions quite differently. The additional payload, called Mischa, is a fairly standard ransomware effort: It does not try to encrypt the entire hard disk as Petya does, so it does not require administrative access. It just encrypts all files and promises to decrypt them for money.
Bleeping Computer reported that the installer trail first shows up with an email pretending to be a job application. The email itself is not dangerous, but it contains a malicious link.
That directs users to a cloud storage site, where the victim is prompted to download an executable file that starts with PDF. If the file is indeed downloaded, it first tries to install Petya by corrupting the master boot records. Should that fail, the same file will install Mischa.
Mischa Does Things Differently
Mischa scans the target disk and looks for data files. It will then encrypt them using the AES encryption algorithm, adding a four-character extension to the file name. The decryption key is stored at the end of the encrypted file.
Petya and Mischa are part of a new ransomware-as-a-service (RaaS) platform. Tech Republic reported that the intent is for other cybercriminals to distribute the malware package. Should victims make a payment, the money is split between the coder and distributors.
This RaaS effort highlights a disturbing development in ransomware: Cybercriminals are teaming up to make money in inventive ways, and a wide skill set is no longer needed to cash in. The new dual-payload package shows how vigilance, as well as up-to-date backups, are needed to avoid disaster.