Petya is a relatively new crypto-ransomware that has been spreading in recent months (March – April 2016). When the user executes the Petya .exe, it overwrites the master boot record and encrypts the entire hard drive, holding the user's data hostage until a ransom is paid. However, it was discovered that Petya uses a 16-bit variant of the Salsa20 stream cipher to encrypt the drive, and Infestor is a Python project dedicated to performing cryptanalysis on Petya.
Online transactions through Tor (5) using anonymous cryptocurrencies allow for a certain level of privacy when it comes to payments, but also lend themselves to malicious use. Since Bitcoin, the most popular form of cryptocurrency, makes it extremely hard to track transactions, it has become the de facto standard for ransomware: malware which infects the victim's computer, holds files hostage through encryption, and extorts the victim for money in return for the files. Petya is one such ransomware, except that rather than targeting the victim's files, it targets the master boot record (MBR) and master file table (MFT) (10). In our experiment, we used Windows 7 SP1 Home Basic Edition within a VM with 1 processor core and 1 GB of RAM.
Petya is a relatively new ransomware variant, only starting to appear in the early months of 2016. To bypass the lengthy process of encrypting each file on the victim's hard drive, Petya simply writes malicious code to the start of the disk. This code overwrites the MBR of the hard drive with a small kernel that then encrypts the MFT (4).
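As an added example (not Infestor's code and not Petya's implementation), here is a reference Salsa20 keystream generator written so that the word width is a parameter: `bits=32` is the standard cipher, while `bits=16` illustrates what running the same rounds on 16-bit words means, halving every word of the state, key and constants alike. The 16-bit mode's choices (sigma constants truncated to 16 bits, rotation amounts reduced modulo 16, a 16-byte key and 4-byte nonce) are assumptions made for illustration, not a description of how Petya's own code deviates from the standard.

```python
import struct

SIGMA = struct.unpack("<4I", b"expand 32-byte k")  # standard Salsa20 constants
_COLS = ((0, 4, 8, 12), (5, 9, 13, 1), (10, 14, 2, 6), (15, 3, 7, 11))
_ROWS = ((0, 1, 2, 3), (5, 6, 7, 4), (10, 11, 8, 9), (15, 12, 13, 14))

def _rotl(x, n, bits):
    # Rotate within a `bits`-wide word; n is reduced mod bits, so the
    # standard rotation by 18 becomes a rotation by 2 when bits == 16.
    n %= bits
    return ((x << n) | (x >> (bits - n))) & ((1 << bits) - 1)

def _quarter_round(s, a, b, c, d, bits):
    m = (1 << bits) - 1
    s[b] ^= _rotl((s[a] + s[d]) & m, 7, bits)
    s[c] ^= _rotl((s[b] + s[a]) & m, 9, bits)
    s[d] ^= _rotl((s[c] + s[b]) & m, 13, bits)
    s[a] ^= _rotl((s[d] + s[c]) & m, 18, bits)

def salsa20_core(words, bits=32, rounds=20):
    """Salsa20 hash: column/row double-rounds on 16 words, then add the input."""
    m = (1 << bits) - 1
    x = list(words)
    for _ in range(rounds // 2):
        for q in _COLS + _ROWS:
            _quarter_round(x, *q, bits=bits)
    return [(x[i] + words[i]) & m for i in range(16)]

def keystream_block(key, nonce, counter, bits=32):
    """One keystream block; key and nonce are 8 and 2 little-endian words."""
    fmt, m = {32: "I", 16: "H"}[bits], (1 << bits) - 1
    k = struct.unpack("<8" + fmt, key)
    n = struct.unpack("<2" + fmt, nonce)
    c = (counter & m, (counter >> bits) & m)
    sig = [w & m for w in SIGMA]  # constants truncated to the word width (assumption)
    state = [sig[0], *k[:4], sig[1], *n, *c, sig[2], *k[4:], sig[3]]
    return struct.pack("<16" + fmt, *salsa20_core(state, bits))

def xor_stream(key, nonce, data, bits=32):
    """Encrypt or decrypt (same operation) by XOR with the keystream."""
    blk = 2 * bits  # 16 words of bits/8 bytes each: 64 bytes or 32 bytes
    out = bytearray()
    for i in range(0, len(data), blk):
        ks = keystream_block(key, nonce, i // blk, bits)
        out += bytes(a ^ b for a, b in zip(data[i:i + blk], ks))
    return bytes(out)
```

With `bits=16` the whole 16-word state is 256 bits rather than 512, which is what makes a variant like this so much smaller a target for constraint-based analysis of the kind Infestor performs.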
You can download the complete source here, or clone it with git:
git clone https://github.com/peixian/Infestor && cd Infestor
pip2 install z3
+ A live Petya sample can be found in the petyaSample folder; exercise caution with it. Courtesy of https://github.com/ytisf/theZoo.
+ VMDKTemplate is a template for 010Editor, slightly modified to display only the first grain.