Last week, starting from the 6th of December, a spam campaign hit Germany spreading the Goldeneye version of Petya through e-mails. The spam campaign was confirmed by Janus, the creator of Petya Goldeneye, on the 7th of December through a tweet. The C.R.A.M. (Center of Research and Analysis of Malware) of TG Soft has analysed this new variant in order to establish the differences from previous releases.
CONTENTS
==> How Petya Goldeneye spreads
==> Running Goldeneye: Mischa ransomware
==> Running Goldeneye: Petya ransomware phase 1
==> Running Goldeneye: Petya ransomware phase 2
==> Running Goldeneye: Petya ransomware phase 3, ransom request
==> The ransom requested by Petya Goldeneye
==> Conclusions
The new variant of Petya Goldeneye spreads through e-mails. The spam campaign observed from the 6th of December hit mainly the German market and, as in all previous cases, the e-mail still poses as a job application. In this case the e-mail was an application for a position in the production of optoelectronic devices. The subject of the e-mail has a form similar to: Bewerbung als Facharbeiter für die Fertigung optoelektronischer Bauteile (German for "Application as skilled worker for the production of optoelectronic components").
[Body of the e-mail, translated from German:]
Dear Sir or Madam, I hereby apply to you for the position of skilled worker for the production of optoelectronic components. My complete application documents can be found in the attachment. I look forward to your reply and am gladly available at any time should you have any questions. Kind regards, Andreas Meier
Attachments: CV, certificates, references, competence test
You became victim of the GOLDENEYE RANSOMWARE!
The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser:
http://golden5a4eqranh7.onion/rCazhYJU
http://goldeny4vs3nyoht.onion/rCazhYJU
3. Enter your personal decryption code there:
rCazhYJUF1pRVywmEsuUey9LrqMAAQ4yYrdeoNHB93eikeexJNBjaRL64UWfNG6PNSo9us5v9[..]
Sector 0x22 contains the Master Boot Record encrypted with XOR 0x07, as we can observe in the following image.
Sector 0x23, during this phase, contains only zeros.
Sector 0x21 is also encrypted, as we can see in the following image:
In sector 0x23 we find the number of encrypted clusters, as we can see in the following image:
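The sector layout described above (a copy of the MBR XORed with 0x07 in sector 0x22, and sector 0x23 that is all zeros during phase 1 and later holds the count of encrypted clusters) can be checked directly on a raw disk image. The following script is an added example, not TG Soft's tool: it recovers the backed-up MBR by undoing the single-byte XOR, validates it with the 0x55AA boot signature, and classifies the infection phase from sector 0x23. The 512-byte sector size and the reading of the cluster count as a little-endian 32-bit value at offset 0 of sector 0x23 are assumptions (the article only states that the sector holds the count); the disk image is constructed inline for demonstration.

```python
"""
Added example (not code from the article): inspect a raw disk image for the
Petya Goldeneye sector layout described in the analysis.
"""
import struct

SECTOR_SIZE = 512              # assumption: 512-byte sectors
MBR_BACKUP_SECTOR = 0x22       # MBR copy XORed with 0x07 (from the article)
STATE_SECTOR = 0x23            # zeros in phase 1, cluster count later (from the article)
XOR_KEY = 0x07
BOOT_SIGNATURE = b"\x55\xAA"


def read_sector(image: bytes, index: int) -> bytes:
    """Return one sector of the image, failing loudly on a truncated image."""
    start = index * SECTOR_SIZE
    sector = image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"image too short for sector {index:#x}")
    return sector


def recover_mbr(image: bytes) -> bytes:
    """Undo the single-byte XOR applied to the backed-up MBR in sector 0x22."""
    encoded = read_sector(image, MBR_BACKUP_SECTOR)
    return bytes(b ^ XOR_KEY for b in encoded)


def looks_like_mbr(sector: bytes) -> bool:
    """Sanity check: a genuine MBR ends with the 0x55AA boot signature."""
    return sector[-2:] == BOOT_SIGNATURE


def infection_phase(image: bytes):
    """('phase1', None) while sector 0x23 is still zeroed, else ('phase2', count)."""
    state = read_sector(image, STATE_SECTOR)
    if state == bytes(SECTOR_SIZE):
        return ("phase1", None)
    # Assumption: the cluster count is a little-endian uint32 at offset 0.
    count = struct.unpack_from("<I", state, 0)[0]
    return ("phase2", count)


def build_sample_image(phase2_count=None) -> bytes:
    """Constructed test image (not a real capture) reproducing the layout."""
    fake_mbr = (b"\xEB\x00\x90"
                + b"TESTMBR".ljust(SECTOR_SIZE - 5, b"\x00")
                + BOOT_SIGNATURE)
    sectors = [bytes(SECTOR_SIZE)] * (STATE_SECTOR + 1)
    sectors[0] = b"BOOTLOADER-STUB".ljust(SECTOR_SIZE, b"\x00")
    sectors[MBR_BACKUP_SECTOR] = bytes(b ^ XOR_KEY for b in fake_mbr)
    if phase2_count is not None:
        sectors[STATE_SECTOR] = struct.pack("<I", phase2_count).ljust(SECTOR_SIZE, b"\x00")
    return b"".join(sectors)


if __name__ == "__main__":
    img = build_sample_image(phase2_count=1234)
    mbr = recover_mbr(img)
    print("recovered MBR has boot signature:", looks_like_mbr(mbr))
    print("infection phase:", infection_phase(img))
```

On a real image, replace `build_sample_image()` with the bytes of the first few dozen sectors of the disk; a recovered MBR that passes the boot-signature check is the strongest sign that the XOR layout applies to the sample at hand.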
Connecting with the Tor Browser to the addresses given above, it is possible to discover the amount of the ransom to be paid. On the first page, the ID of the victim is requested.
On the second page, the total amount to be paid is displayed, expressed in Bitcoin:
On the third page we can view the address of the Bitcoin wallet to which the funds are to be transferred.
It is also possible to send a message to the criminals behind the Petya Goldeneye fraud:
Petya: [screenshot]
Mischa: [screenshot]
Name | Date | Notes
Petya 1.0 Red version | March 2016 | It is possible to decrypt the MFT with genetic or metaheuristic algorithms such as "Cuckoo Search"
Petya 2.0 Green version + Mischa | May 2016 | Either Petya or Mischa is run. It is possible to decrypt the MFT through brute force (number of combinations: 54^8)
Petya 3.0 Green version + Mischa | July 2016 | Either Petya or Mischa is run. It is possible to decrypt the MFT during phase 1. After this phase it becomes impossible to decrypt the MFT.
Petya Goldeneye Yellow version + Mischa | December 2016 | First the data files are encrypted by Mischa, afterwards the MBR gets infected, bypassing the intermediate level of the UAC. It is possible to decrypt the MFT during phase 1. After this phase it becomes impossible to decrypt the MFT.