Ransomware-as-a-service soon to be renamed Lure-as-a-Service
TL;DR: The ransonware was a lure for the media, this version of Petya actually wipes the first sectors of the disk like we have seen with malwares such as Shamoon.
What’s the difference between a wiper and a ransomware#?
The goal of a wiper is to destroy and damage. The goal of a ransomware is to make money. Different intent. Different motive. Different narrative. A ransomware has the ability to restore its modification such as (restoring the MBR like in the 2016 Petya, or decrypting files if the victim pays) — a wiper would simply destroy and exclude possibilities of restoration.
Yesterday, we provided a preliminary analysis where we demonstrated that the 27th June 2017 version of Petya leveraged SMB exploits ETERNALBLUE and ETERNALROMANCE.
Today, we spent more time to understand how the files could be retrieved and how the actual MBR and MFT was being encoded.
Fortunately, there are multiple excellent existing analysis from 2016 Petya that have been published last year in multiple languages such as French, or English [1, 2]. Today, Microsoft published a very descriptive analysis of the 2017 Petya but for some reasons missed the below part.
542a38bf52afa6a4a008089a6fbf22c9d68ef5d6c634dd2c07 73d859a8ae2bbf (2016)
027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b 30f6b0d7d3a745 (27th 2017)
After comparing both implementation, we noticed that the current implemented that massively infected multiple entities Ukraine was in fact a wiper which just trashed the 25 first sector blocks of the disk.
The first sector block is being reversibly encoded by XORed with the 0x7 key and saved later in the 34th block. But since it replaces it with a new bootloader (41f75e5f527a3307b246cadf344d2e07f50508cf75c9c2ef8 dc3bae763d18ccf) of 0x22B1 bytes it basically sets v19 to 0x19 (25).
16.0: kd:x86> ? 0x22B1 - (0x22B1 & 0x1FF) + 0x1024
Evaluate expression: 12836 = 00003224
16.0: kd:x86> ? 0x00003224 >> 9
Evaluate expression: 25 = 00000019
That would mean that 24 sector blocks following the first sector block are being purposely overwritten, they are not read or saved anywhere. Whereas the original 2016 Petya version correctly reads each sector block and reversibly encode them.
2016 Petya modifies the disk in a way where it can actually revert its changes. Whereas, 2017 Petya does permanent and irreversible damages to the disk.
On the left, we can see the current version of Petya clearly got rewritten to be a wiper and not a actual ransomware.
Bookmarks