[1st November 2017]
John Leyden for The Register: Bootkit ransomware baddy hops down BadRabbit hole in Japan – Spirited away…
Actually about ‘MBR-ONI, a new bootkit ransomware, relies on modified version of a legitimate open-source disk encryption utility called DiskCryptor for its encryption routines – the same tool abused by the Bad Rabbit ransomware last week.’
[26th October 2017]
The Register: Hop on, Average Rabbit: Latest extortionware menace flopped – The buck stops… somewhere in Ukraine, Turkey, Japan?
[25th October 2017]
The Register: Watership downtime: BadRabbit encrypts Russian media, Ukraine transport hub PCs – Ransomware breeds through Windows networks via SMB, fake Flash
ZDnet: Bad Rabbit ransomware: A new variant of Petya is spreading, warn researchers – Updated: Organisations in Russia, Ukraine and other countries have fallen victim to what is thought to be a new variant of ransomware.
[19th October 2017]
Josh Fruhlinger for CSO Online: Petya and NotPetya: The basics
[7th August 2017]
[3rd August 2017]
Catalin Cimpanu for Bleeping Computer: Ukrainian Firm Facing Legal Action for Damages Caused by NotPetya Ransomware.
‘The Juscutum Attorneys Association, a Ukrainian law firm, is rallying NotPetya victims to join a collective lawsuit against Intellect-Service LLC, the company behind the M.E.Doc accounting software, the point of origin of the NotPetya ransomware outbreak.’
[8th July 2017]
I’m not sure how much hope there really is for this approach, but Positive Technologies reckons that the people behind NotPetya/ExPetr etc made an implementation error in Salsa20 that reduces the keylength, but not enough to make decryption feasible at this point. However, the company is also exploring another route that may be of some use (counter-intuitively) when the malware was able to gain administrator privileges.
- Positive Technologies: Recovering data from a disk encrypted by #NotPetya with Salsa20
- BBC: Petya victims given hope by researchers
[7th July 2017]
Malwarebytes: The key to old Petya versions has been published by the malware author. Won’t help people/organizations affected by NotPetya/EternalPetya or whatever your name of choice is, but may be good news for victims of Petya/Goldeneye if they’ve retained disk images.
[6th July 2017]
[5th July 2017]
The Register: Cha-ching! NotPetya hackers cash out – but victims won’t ever see that data again – Plus, bonus ransomware strain found in bottom of source code. [John Leyden reported that ‘A new analysis by Kaspersky Lab reports that NotPetya was not the only ransomware pushed through the trojanised M.E.Doc update … Kaspersky Lab researchers … dub the malware “FakeCry”.’
[29th June 2017]
Not Petya, and not even ransomware, we’re now being told…
- The Register: ‘Janus’ resurfaces: I was behind the original Petya. I want to help with NotPetya – Ordinary decent cybercriminal… or?
- CBC: Paying Off ‘Petya-Variant’ Ransomware Won’t Unlock Your Files
- Bleeping Computer: Surprise! NotPetya Is a Cyber-Weapon. It’s Not Ransomware
- Comae: Petya.2017 is a wiper not a ransomware – Ransomware-as-a-service soon to be renamed Lure-as-a-Service
- Sophos: New Petya ransomware: everything you wanted to know (but were afraid to ask)
[27th/28th June 2017] Lots of media already responded re the new Petya version: this article from ESET points to a fair spread of them. Later information from The Register: Everything you need to know about the Petya, er, NotPetya nasty trashing PCs worldwide – This isn’t ransomware – it’s merry chaos. (I have to agree that there are many uncertainties at the time of writing.)
March 2017 – Anton Ivanov, Fedor Sinitsyn for Kaspersky: PetrWrap: the new Petya-based ransomware used in targeted attacks.
Added 8th February 2017: article by Raul Alvarez for Fortinet: Ransomware and the Boot Process
An article by Catalin Cimpanu for Bleeping Computer: It’s Almost 2017 and Users Are Still Getting Infected with Malware via Fake AV Software includes instances of a Remote Access Trojan and ransomware distributed as fake security software.
Added 24th October 2016:
- Summary by David Bisson, for FightRansomware.com.
- Report of testing the utility against Satana, Petya, and Petya/Mischa by Lawrence Abrams for Bleeping Computer
Here are some sources for commentary on the Petya ransomware, which, as Bleeping Computer puts it, skips the files and encrypts your hard disk instead. Note that repairing the Master Boot Record doesn’t recover your data.
Darren Pauli for the Register: Ransomware now using disk-level encryption – German firms fleeced by ‘Petya’ nastyware that performs fake CHKDSK . Cites discussion on KernelMode.info forums.
David Bisson for Graham Cluley’s blog: Petya ransomware goes for broke and encrypts hard drive Master File Tables – Chances are you’ll notice you’ve got a problem when the red skull appears during boot-up… He cites Jasen Sumalapao, writing for Trend Micro.
Nice, clear Sophos summary: New ransomware with an old trick: “Petya” parties like it’s 1989
11th April 2016: A flaw in Petya – the current version, at least – has allowed an unidentified researcher to create a key generator to crack the encryption without paying 0.9 bitcoin to the criminals. BBC story: Petya ransomware encryption system cracked. Commentary by David Bisson for Graham Cluley’s blog: Infected by Petya ransomware? Use this tool to unlock your files… for nowThank goodness ransomware sometimes contains bugs too… And the website set up to help people with the generation: unfortunately, the average victim will have problems getting the information necessary to kickstart the process. Confirmed by Lawrence Abrams of Bleeping Computer.
[May 14th 2016] Lawrence Abrams for Bleeping Computer: Petya is back and with a friend named Mischa Ransomware. If a new installer for Petya is unable to gain the admin privileges it needs to modify the Master Boot Record (MBR), it now installs the more conventional Mischa ransomware instead.
July 18th 2016
Malwarebytes: Third time (un)lucky – improved Petya is out
July 31st 2016
David Bisson for Graham Cluley’s blog: Petya, Mischa ransomware-as-a-service affiliate system goes live – The more people you scare into paying the ransom, the more money you make. Kevin Townsend for Security Week: Ransomware-as-a-Service Lets Anyone be a Cybercriminal