The only constant in life is change, particularly if any part of your life is spent trying to keep malware out of your organization. Malware developers are constantly mutating their delivery methods and the underlying malware behavior. Petya and Mischa ransomware, which were both described in recent BleepingComputer articles, are good examples of this constant change, but digging into the details of these examples raises some interesting ideas about how to strengthen your defenses against ransomware and other malware.
According to a BleepingComputer article from March, Petya ransomware initially targeted HR departments and was delivered in an email containing a Dropbox link to a ransomware installer disguised as an employment application. If the Petya installer was able to gain admin privileges on the victim’s computer, it would replace the computer’s master boot record and force a reboot to invoke a program which would encrypt portions of the victim’s hard drive, rendering the computer useless. A lock screen would then be displayed with instructions to make a ransom payment in Bitcoin in return for a decryption key.
In a more recent article from BleepingComputer, they described how the malware developers behind Petya recently morphed their approach. They still targeted HR departments by email, but the link to the ransomware installer (still disguised as an employment application) was to a different cloud storage app called MagentaCloud. The developers also added a second payload to the installer to install another ransomware program – Mischa – if it was unable to gain admin privileges on the victim’s machine. Mischa is a more common type of ransomware which scans a computer for specific file types and encrypts those files. After encryption, the computer still operates but access to these files is not possible. Text and HTML files are left behind containing instructions to make payment and decrypt the affected files.
Considering the changes that the Petya/Mischa developers made for their second version, what lessons can we take away?
Starting with the ransomware payload, the developers modified the installer to deliver two different ransomware variants based on whether they were able to gain admin privileges on the host machine. Our interpretation of this move is that their first installer was being defeated on host machines where the end users did not have local admin privileges (or by users who were smart enough not to click yes at the Windows UAC prompt). What’s the lesson here? If possible, restrict local admin privileges, and also do your best to educate users not to automatically click yes when prompted to install something in Windows.
The second change is more interesting to our team here at Netskope. Both the original Petya installer and modified Petya/Mischa installer were delivered using links to cloud storage apps – in these two cases, Dropbox and MagentaCloud. We found it interesting that they shifted from Dropbox, a very popular cloud app worldwide, to MagentaCloud, a more obscure one that is used primarily in Germany. Perhaps they thought that organizations were limiting access to popular cloud apps like Dropbox and that a more obscure app would be more likely to get through?
At Netskope, we’ve found that cloud storage apps are frequently used to spread malware and that these apps can also amplify the damage caused by a malware infection, particularly from file-encrypting ransomware like Mischa. In an earlier post, we described the Malware Fan-out Effect, which talks about both of these effects in greater detail.
What is the lesson here about cloud storage and sharing apps? It’s clear that setting policies about the use of these apps in your organizations can reduce your exposure to malware like Petya and Mischa. Here are some ideas to consider: