Tuts 4 You

Reversing the petya ransomware with constraint solvers


Extreme Coders

Extreme Coders

Ransomware is very common these days. Once it installs on a user machine, it begins encrypting files.
When the user comes to know about the ransomware attack, it is already too late. Unless the user has a backup, he/she must pay the ransom to recover the files.
Luckily there have been cases where, due to a faulty implementation of cryptography, breaking such malware becomes feasible.
The recently discovered Petya ransomware is an example.

This blog post is a short walk-through on breaking the Petya ransomware with constraint solvers. Hope you like it & find it useful.

http://0xec.blogspot.com/2016/04/reversing-petya-ransomware-with.html


Hehe, just last week I said to myself - "how is it possible that Extreme Coders doesn't have a blog? He surely has lots of interesting things to write about!":) 

Keep on writing, I'll keep on reading!


Extreme Coders

Thanks man.
Your works are a source of inspiration for many.

5 hours ago, kao said:

Hehe, just last week I said to myself - "how is it possible that Extreme Coders doesn't have a blog?

Hmm, that looks like telepathy. Blogging was not a priority for me, but I decided to give it a go & it's not bad either.


  • 1 month later...

These are some links stored @ 13 April 2016

Get your petya encrypted disk back, WITHOUT paying ransom!!! - generator @:

 https://petya-pay-no-ransom.herokuapp.com/

How to use the generator -

http://www.bleepingcomputer.com/news/security/petya-ransomwares-encryption-defeated-and-password-generator-released/


generator author - visit his dad - 

https://github.com/leo-stone/hack-petya/tree/master/vendor/github.com/handcraftsman/GeneticGo

--

Debugging Petya bootloader with IDA

https://www.youtube.com/watch?v=7rtMX9zS55I

-----------------

0day - Ransomware

CryptXXX Ransomware Will Now Steal Your Passwords as Well

http://news.softpedia.com/news/cryptxxx-ransomware-will-now-steal-your-passwords-as-well-504898.shtml

New Cerber Ransomware Variants Morph Every 15 Seconds

http://news.softpedia.com/news/new-cerber-ransomware-variants-morph-every-15-seconds-504896.shtml
http://i1-news.softpedia-static.com/images/news2/new-cerber-ransomware-variants-morph-every-15-seconds-504896-2.png

Edited by whoknows

  • 1 year later...

New version of "Petya.C"  

https://qz.com/1015755/ukraine-cyber-attack-the-petyapetrwrap-ransomware-with-similarities-to-wannacry-is-now-going-global/

http://www.telegraph.co.uk/news/2017/06/27/ukraine-hit-massive-cyber-attack1/

"Major firms, airports and government departments in Ukraine have been struck by a massive cyber attack which began to spread across Europe on Tuesday afternoon.

In Ukraine, government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network have all been paralysed by the hack."

The new version uses these vulnerabilities:

  • MS17-010 (used by WannaCry);
  • CVE-2017-0199 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199)
  • CVE-2017-0144, EternalBlue (https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144)

More people have already paid into the purse (Bitcoin wallet):

https://blockchain.info/address/1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX

