8.2 PETYA-MISCHA/GREEN-PETYA

Petya-Mischa was seen around September 2016. It was not a single piece of malware but consisted of two components: one is Petya itself, the other is Mischa. Both names come from the film GoldenEye, in which they were the names of satellites. As in the earlier version of Petya, the Petya component encrypts the MFT. If it fails to encrypt the MFT, Mischa encrypts the individual files on the system instead. Petya needs administrator privileges to execute; otherwise, it fails. The skull on the boot screen was changed to green in this version, which is why it was called GREEN-PETYA. Petya-Mischa was also capable of encrypting files while offline; unlike CryptoLocker, it did not rely on communication with a C&C server in order to encrypt files:

A ransom note from Mischa

When Mischa encrypts the files in a folder, it drops files containing ransom notes. The following are the ransom note files:

  • YOUR_FILES_ARE_ENCRYPTED.HTML
  • YOUR_FILES_ARE_ENCRYPTED.TXT

The file extensions are changed to random strings:

Folder encrypted by Mischa

After successful execution, the malware connects to its C&C.

The URLs for the C&C followed these patterns: http://petya3*****.onion and http://mischa****.onion, where * stands for any character. In other words, the hostnames start with petya or mischa and end with .onion.

Petya-Mischa appends a unique key at the end of the encrypted file so that it can tell if the file is already encrypted.
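The two observable artifacts described above, the ransom note filenames dropped into each folder and the petya3*/mischa* .onion C&C URL shape, can be turned into simple triage checks. The following is an added example written for this section, not code from the book; the proxy log lines and file listing are constructed samples, and the hostname regex (an alphanumeric label after the petya3/mischa prefix) is an assumption based on the patterns quoted above.

```python
import re
from pathlib import PurePosixPath
from typing import Iterable, List, Set, Tuple

# Ransom note filenames Mischa drops into every folder it encrypts (from the text above).
RANSOM_NOTE_NAMES = {"YOUR_FILES_ARE_ENCRYPTED.HTML", "YOUR_FILES_ARE_ENCRYPTED.TXT"}

# C&C URL shape from the text: petya3*.onion / mischa*.onion.
# Assumption: the wildcard part is an alphanumeric label; matched case-insensitively.
CNC_URL_RE = re.compile(r"https?://(?:petya3|mischa)[a-z0-9]*\.onion\b", re.IGNORECASE)

# Constructed sample proxy log (not real traffic); the .onion hostnames are placeholders.
SAMPLE_PROXY_LOG = [
    "2016-09-14T10:02:11Z 10.0.0.5 GET http://petya3exampleonly.onion/ 200",
    "2016-09-14T10:02:12Z 10.0.0.5 GET https://example.com/index.html 200",
    "2016-09-14T10:03:40Z 10.0.0.7 CONNECT http://mischasample.onion:80 -",
]

# Constructed sample file listing of a victim's profile after Mischa ran.
SAMPLE_LISTING = [
    "C:/Users/alice/Documents/report.docx.a1b2c3",
    "C:/Users/alice/Documents/YOUR_FILES_ARE_ENCRYPTED.HTML",
    "C:/Users/alice/Documents/YOUR_FILES_ARE_ENCRYPTED.TXT",
    "C:/Users/alice/Pictures/holiday.jpg",
]


def find_cnc_hits(log_lines: Iterable[str]) -> List[Tuple[int, str]]:
    """Return (line_number, url) for every Petya/Mischa-style .onion URL seen in the log."""
    hits = []
    for line_no, line in enumerate(log_lines, start=1):
        for match in CNC_URL_RE.finditer(line):
            hits.append((line_no, match.group(0)))
    return hits


def folders_with_ransom_notes(paths: Iterable[str]) -> Set[str]:
    """Return the folders in a listing that contain one of Mischa's ransom note files."""
    folders = set()
    for path in paths:
        p = PurePosixPath(path)
        if p.name.upper() in RANSOM_NOTE_NAMES:
            folders.add(p.parent.as_posix())
    return folders


if __name__ == "__main__":
    print("C&C URL hits:", find_cnc_hits(SAMPLE_PROXY_LOG))
    print("Folders with ransom notes:", sorted(folders_with_ransom_notes(SAMPLE_LISTING)))
```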
