Knowledge Hub Whitepaper

Petya Ransomware Goes Low Level

Fri 7 Aug 2020

Executive Summary

The new Petya ransomware seems to have been built with speed in mind, so as to expedite the encryption process. While traditional ransomware encrypts files one by one, Petya encrypts the on-disk structure that holds all information about the files on the disk, such as size, permissions, and data content, essentially preventing users from accessing all their data.

While this low-level approach produces the same file-restricting outcome as traditional ransomware, it is a lot faster in terms of encryption time, as the ransomware no longer has to encrypt one file at a time. Instead, it only encrypts the NTFS MFT (Master File Table). However, this approach makes the cryptography extremely difficult to implement, increasing the probability of mistakes in the cryptographic functions.
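To make concrete why the MFT is the single structure worth targeting, and what an integrity check on it looks like, here is an added Python example (not code from the Bitdefender report or tool). It parses an NTFS boot sector using the standard field layout to locate `$MFT`, then verifies that the first MFT record still carries its `FILE` header and that the boot sector still identifies the volume as NTFS. The volume it inspects is constructed in memory; the helper names and the damaged variants are this example's own assumptions.

```python
import struct

# Standard NTFS boot-sector (VBR) field offsets.
OEM_ID_OFF, OEM_ID = 3, b"NTFS    "
BYTES_PER_SECTOR_OFF = 11      # uint16 LE
SECTORS_PER_CLUSTER_OFF = 13   # uint8
MFT_CLUSTER_OFF = 48           # uint64 LE: logical cluster number of $MFT
BOOT_SIG_OFF, BOOT_SIG = 510, b"\x55\xAA"
MFT_RECORD_SIG = b"FILE"       # every $MFT record starts with this header


def parse_boot_sector(image: bytes) -> dict:
    """Read the geometry needed to locate $MFT from the first 512 bytes of a volume."""
    if len(image) < 512:
        raise ValueError("image shorter than one boot sector")
    bps = struct.unpack_from("<H", image, BYTES_PER_SECTOR_OFF)[0]
    spc = image[SECTORS_PER_CLUSTER_OFF]
    mft_cluster = struct.unpack_from("<Q", image, MFT_CLUSTER_OFF)[0]
    return {
        "oem_id_ok": image[OEM_ID_OFF:OEM_ID_OFF + 8] == OEM_ID,
        "boot_sig_ok": image[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] == BOOT_SIG,
        "bytes_per_sector": bps,
        "sectors_per_cluster": spc,
        "mft_cluster": mft_cluster,
        "mft_offset": mft_cluster * spc * bps,
    }


def check_volume(image: bytes) -> list:
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    geo = parse_boot_sector(image)
    if not geo["oem_id_ok"]:
        findings.append("boot sector OEM ID is not 'NTFS': boot code may have been replaced")
    if not geo["boot_sig_ok"]:
        findings.append("boot sector lacks the 0x55AA signature")
    off = geo["mft_offset"]
    if geo["bytes_per_sector"] == 0 or off + 4 > len(image):
        findings.append("computed $MFT offset lies outside the image")
        return findings
    if image[off:off + 4] != MFT_RECORD_SIG:
        findings.append("first $MFT record lacks 'FILE' header: MFT may be encrypted or overwritten")
    return findings


def build_sample_image(mft_intact: bool = True, boot_intact: bool = True) -> bytes:
    """Constructed in-memory volume (not a real disk image): 8 clusters of 8 x 512-byte
    sectors, with $MFT placed at cluster 4. The damaged variants stand in for what an
    integrity check would see when the MFT or the boot code no longer parses."""
    bps, spc, mft_cluster = 512, 8, 4
    image = bytearray(bps * spc * 8)
    image[0:3] = b"\xEB\x52\x90"                       # jump instruction
    image[OEM_ID_OFF:OEM_ID_OFF + 8] = OEM_ID if boot_intact else b"XXXXXXXX"
    struct.pack_into("<H", image, BYTES_PER_SECTOR_OFF, bps)
    image[SECTORS_PER_CLUSTER_OFF] = spc
    struct.pack_into("<Q", image, MFT_CLUSTER_OFF, mft_cluster)
    image[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] = BOOT_SIG
    off = mft_cluster * spc * bps                      # 4 * 8 * 512 = 16384
    image[off:off + 4] = MFT_RECORD_SIG if mft_intact else b"\xff\xff\xff\xff"
    return bytes(image)


if __name__ == "__main__":
    for label, img in [("clean volume", build_sample_image()),
                       ("MFT damaged", build_sample_image(mft_intact=False)),
                       ("boot code replaced", build_sample_image(boot_intact=False))]:
        print(f"{label}: {check_volume(img) or ['no findings']}")
```

On a real volume the same checks would read the first sector of the partition and the bytes at the computed `$MFT` offset; a volume whose boot sector no longer identifies as NTFS, or whose first MFT record lacks the `FILE` header, is one whose files are unreachable even though the file contents themselves were never touched, which is exactly the outcome the whitepaper describes.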

Bitdefender was able to analyze the Petya ransomware and offer potential victims a tool that intercepts the encryption process and offers the decryption key, free of charge. Most importantly, the tool needs to be installed prior to being infected – not afterwards – in order to perform its function correctly.

Key Findings

· Potentially the same developers as the ones behind the Chimera and Rokku ransomware families;
· Works faster – Petya doesn’t encrypt files; it encrypts the NTFS Master File Table (MFT);
· Features its own bootloader and kernel – few ransomware families have that;
· Reverse engineered by Bitdefender to offer a free tool that assists in decryption of the NTFS MFT (third-party tools have become available, but they’re more difficult to use).
