Security Case Study 2016: Petya - taking ransomware to the low level

PETYA – taking
ransomware to the low
level
Hasherezade

View Slide

Agenda
•Ransomware – introduction and overview
•Petya – what is different?
•Brief analysis
•Walk throught the evolution
•Defeating the first version
•Defeating the second version
•Status for today

View Slide

Ransomware – introduction and overview
General idea:
Forcing a victim to pay the
ransom by blocking access to
the files
The most popular type of malware this year

View Slide

0
50000
100000
150000
200000
250000
300000
350000
Ransomware detections per month
Petya 5887
Cerber 357462

View Slide

What is a typical ransomware?
Example: Cerber
Original file Encrypted file

View Slide

Instructions for the victim are displayed on the screen as a ransom note:

View Slide

So many types! Easy to get lost...
https://id-ransomware.malwarehunterteam.com

View Slide

Almost all the ransomware encrypts files
one by one
Petya attacks bootloader, and then
encrypts low-level structures on the
disk (Master File Table) – making files
inaccessible
Petya – how is it different?

View Slide

Infection process
•Dropper (Windows EXE),
overwrites the disk’s beginning
•Petya kernel – perform the disk
encryption (but: not the full disk
as the authors claim)

View Slide

Low-level infection
MBR is overwritten by a custom, Petya’s bootloader

View Slide

Low-level infection
Ransom note is written straight on the disk (not as a file)

View Slide

Low-level infection
NOT full disk is encrypted. Still we can find readable elements

View Slide

Infection steps
Attachment with
the malicious
dropper
Run with the Administrator priviledges
Disk encryption

View Slide

• Generates 16 byte long random key – it will be used for disk encryption
• Encrypts that random key by a hardcoded public key
• Converts encrypted content into Base58
• Encrypts MBR by XOR z 0x7 (0x37 in version 1) and moves it into another sector
• Overwrites disk’s beginning with Petya’s code
• Overwrites MBR with custom bootloader
• Prepares verification sector
• Prepares data sector storing: generated random key and it’s encrypted form (will be displayed later as the user ID), etc
Stage 1: dropper

View Slide

Stage 1: dropper
Sector with data written to the disk by the dropper (at Stage 1):

View Slide

Stage 2: kernel
• Fetches to the memory the key generated in the Stage 1
• Erase that key from the data sector
• Encrypts verification sector and the next part of the disk (MFT) with the help of
given key and the algorithm Salsa 20

View Slide

Stage 2: kernel
Sector with data after the Stage 2:

View Slide

Stage 2 completed

View Slide

•Walk throught the evolution
•24 March – version 1 (Red), first
publication: GData
•12 May - version 2 (Green), paired with
ransomware Mischa
•15 June - version 3 (looks like 2, but
improved)

View Slide

Defeating the first version
•Mistakes in implementation of Salsa20 (publications: TG Soft,
Checkpoint)
•Tool for cracking the key, author: @leo_and_stone
•A clone of Leo’s tool, working as Live CD (authors: me, AlexWMF,
m0rb)
•Cracking takes from few seconds to few minutes
„ Petya uses only 8 on 16
Byte entered for the initial
key, this will permit to
obtain a way more easy
the key used to cipher the
MFT.”
source:
http://www.tgsoft.it/engli
sh/news_archivio_eng.asp
?id=718
@VirITeXplorer (TG Soft)
https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/

View Slide

Mistakes in Salsa20 - v 1
Detailed analysis:
https://blog.malwarebytes.com/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/
static uint16_t rotl(uint16_t value, int16_t shift)
{
return (value << shift) | (value >> (32 - shift));
}
ERROR! Units should be 32 bit long, not 16 bit
long!
AH AL
8 bits 8 bits 8 bits 8 bits
AX=16bits
EAX=32bits

View Slide

Detailed analysis:
long!
void s20_hash(uint8_t seq[64])
{
int i;
uint16_t x[16];
uint16_t z[16];
for (i = 0; i < 16; ++i)
x[i] = z[i] = s20_littleendian16(seq + (4 * i));
for (i = 0; i < 10; ++i)
{
s20_doubleround(z);
}
for (i = 0; i < 16; ++i) {
z[i] += x[i];
s20_rev_littleendian_orig(seq + (4 * i), z[i]);
}
}

View Slide

Detailed analysis:
long!
static uint16_t s20_littleendian(uint8_t *b)
{
return b[0] +
(b[1] << 8);
}

View Slide

hpLehdbjdcVaMDGj
hxLxhxbxdxVxMxGx
Every second character matters
8 characters to crack
(out of 54 character set)

View Slide

Cracking the key - v 1
•Brutforce possible, but...
•Leo_and_Stone found a better solution:
genetic algorithms
54^8 = 72301961339136
vs
54^16 = 5.2275736134859E+27
Challenge:
Find the key: 8 characters out of 54
character set

View Slide

Cracking the key - v 1
https://www.youtube.com/watch?v=OllHO6J6zvA
file:///home/tester/Documents/found_key.png

View Slide

Defeating the second version
•Mistake in implementation of Salsa20 (found by
me)
•GPU-based bruteforce decoder implemented by
@procrash
•Cracking takes about 3 days

View Slide

Mistake in Salsa20 - v 2
static int16_t s20_littleendian(uint8_t *b)
{
return b[0] +
(b[1] << 8);
}
Detailed analysis:
Size of the unit didn’t changed – it’s only
extended by the sign bit (unint16_t -> int16_t)

View Slide

static int16_t s20_littleendian(uint8_t *b)
{
return b[0] +
(b[1] << 8);
//...
}
static uint32_t s20_littleendian(uint8_t *b)
{
return b[0] +
(b[1] << 8)} +
(b[2] << 16) +
(b[3] << 24);
Version form Petya #2:
From the valid Salsa20:

View Slide

sHbGrSTkpCrhoKRt
sHxxrSxxpCxxoKxx
Every second PAIR of characters
matters
8 characters to crack
(out of 54 character set)

View Slide

Cracking the key v 2
•No longer the genetic approach works... 
•Let’s try brutforce then...
•Implementation: @procrash
54^8 = 72301961339136
vs
54^16 = 5.2275736134859E+27
Challenge:
Find the key: 8 characters out of 54
character set

View Slide

Status for today
•The current version (3) uses valid Salsa20
• https://blog.malwarebytes.com/threat-analysis/2016/07/third-time-unlucky-
improved-petya-is-out/
•Autor rents Petya to other criminals by an affiliate
program
•Recently deployed in Poland
• https://www.cert.pl/news/single/kolejna-odslona-kampanii-komornika-
sadowego-ransomware-petya-mischa/

View Slide

Status for today: chances to brutforce the v 3?
Version 1 & 2:
8 characters matters, i.e.
Version 3:
16 characters matters, i.e.
hxLxhxbxdxVxMxGx
sHxxrSxxpCxxoKxx
https://password.kaspersky.com/
https://www.betterbuys.com/estimating-password-cracking-times/

View Slide

Copycats: Satana ransomware
https://blog.malwarebytes.com/threat-analysis/2016/06/satana-ransomware/

View Slide

Solutions?
Better to prevent rather than to cure!

View Slide

Questions? Remarks?
More:
https://blog.malwarebytes.com/?s=petya
https://hshrzd.wordpress.com/?s=petya

View Slide

Thank you!

View Slide

Security Case Study 2016: Petya - taking ransomware to the low level

Security Case Study 2016: Petya - taking ransomware to the low level

hasherezade

More Decks by hasherezade

Other Decks in Research

Featured

Transcript