EternalPetya and the lost Salsa20 key

Credit to Author: Malwarebytes Labs| Date: Thu, 29 Jun 2017 16:39:24 +0000

We have recently been facing a huge outbreak of the new version of Petya-like malware armed with a infector in WannaCry-style. The research is still in progress, and the full report will be published soon.

In this post we will focus on some new important aspects that the current malware has. The low level attack works in the same style as in the first Petya described here. As before, the beginning of the disk is overwritten by the malicious Petya kernel and bootoader. When the malicious kernel is booted, it encrypts the Master File Table with Salsa20 and by this way, makes the disk inaccessible.

The code from Petya’s kernel didn’t change much but the new logic implemented in the high level part (the Windows executable) caused the change in the malware’s mission. In the past, after paying the ransom, the Salsa key from the victim was restored and with its help, the Petya kernel was able to decrypt the Master File Table. Now, the necessary key seems to be lost for eternity. Thus, the malware appears to have only damaging intentions.

Let’s have a look at the implementation and discuss the details.

How is the disk encrypted?

The low level attack, affecting the Master File Table didn’t change since Goldeneye. It is executed by the Petya kernel.

The Salsa20 algorithm, that was implemented incorrectly in the early versions of Petya and caused it to be cracked, has been fixed in the version 3 (read more here). Now it looks almost the same as in Goldeneye (that was the 4-th step in the evolution) and it  does not seem to have any bugs. Thus, once the data is encrypted. having the valid key is the only way to restore it.

Comparison of the changes in the code between the current version and the Goldeneye one:

Looking inside the code we can see, that the significant changes has been made only the elements responsible for displaying the screen with information, i.e.:

How is the Salsa key generated?

Generating the Salsa key and the nonce, as before, is done by the PE file (in the higher level of the infector), inside the function that is preparing the stub to be written on the disk beginning:

In all versions of Petya, a secure random generator was used. In the current version we can find it as well – it uses CryptGenRandom:

The generated Salsa key and nonce are stored in the dedicated sector, for further use by the kernel during encryption.

Example of the stored data:

The byte at the offset 0x4000 is the flag. 0 means that the disk is not encrypted yet, 1 means encrypted.

From the offset 0x4001 the Salsa20 key starts. It is 32 bytes long. After that, at offset 0x4021 there is the random Salsa20 nonce.

What happens with the Salsa key after the encryption?

After being read and used for the encrypting algorithm, the stored Salsa key is erased from the disk. You can see the comparison of the disk image before and after the encryption phase:

As we can see, after use the key is erased.

What is the relationship between the victim ID and the Salsa key?

In the previous versions of Petya, the victim ID was, in fact, the victim’s Salsa20 key, encrypted with attackers public key and converted to Base58 string. So, although the Salsa key is erased from the disk, still there was a backup – accessible only for to the attackers, who had the private key to decrypt it.

Now, it is no longer true. The victim ID is generated randomly, BEFORE the random Salsa key is even made. So, in the current version, the relationship of the Salsa key and the victim ID is none. The victim ID is just ‘trash’. You can see the process of generating it on the video:

Conclusion

According to our current status of knowledge, the malware is intentionally corrupt in a way that the Salsa key was never meant the be restored. Nevertheless, it is still effective in making people to pay ransom. We can observe, that to the bitcoin account new payments are being made. You can see the link to the bitcoin address here: https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

If you are a victim of this malware and you are thinking about paying the ransom, we warn you – don’t do this. It is scam and most probably you will never get your data back.

We will keep you posted with the updates about our findings.

Appendix

https://blogs.technet.microsoft.com/mmpc/2017/06/27/new-ransomware-old-techniques-petya-adds-worm-capabilities/ – Microsoft’s report about the new version of Petya

About the previous version (Goldeneye):

Goldeneye Ransomware – the Petya/Mischa combo rebranded

 


This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec. She loves going in details about malware and sharing threat information with the community. Check her out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.

The post EternalPetya and the lost Salsa20 key appeared first on Malwarebytes Labs.

https://blog.malwarebytes.com/feed/