The cybermafia behind the Petya/Mischa ransomware just launched their RaaS offering on July 25th. It pays "distributors" a share of the ransom extorted from victims, and the payout rises to 85 percent of the ransom if they haul in more than 125 bitcoins. Conversely, if a "distributor" only rakes in 5 bitcoins, they get to keep a paltry 25% -- the carrot and the stick indeed.
Larry Abrams explains in a new bleepingcomputer blog post:
"Unlike other ransomware services, the Petya & Mischa RaaS requires potential affiliates to send in a small amount of bitcoins, which equates to ~$1.00 USD, in order to register. Though this is not a lot of money, the RaaS states it is being done to 'discourage timewasters and kiddies'. They further state that this money will be refunded in the affiliates' first revenue share payment."
Remember, Petya only arrived on the ransomware scene in March this year. This strain needs admin rights to run; it replaces the Master Boot Record and encrypts the Master File Table, which makes the machine completely inaccessible. However, you get a two-for-one, because the malware dropper will load two unique malware versions on the box.
One is the MBR/MFT Petya, but the other one is Mischa, which is run-of-the-mill crypto-ransomware and demands 1.9 Bitcoin -- much more than the modest Petya, which "only asks" for 0.9 Bitcoin.
As we write this, there is a decryption tool available for the Petya side of this strain; lucky for us, these cyber criminals also have bugs in their code. Unfortunately, they update their code regularly, so this may only be temporary relief.
Here Are 8 Things To Do About It (apart from having weapons-grade backup)
- From here on out with any ransomware infection, wipe the machine and re-image from bare metal
- If you have no Secure Email Gateway (SEG), get one that does URL filtering and make sure it's tuned correctly
- Make sure your endpoints are patched religiously, OS and 3rd Party Apps
- Make sure your endpoints and web-gateway have next-gen, frequently updated (a few hours or shorter) security layers
- Identify users that handle sensitive information and enforce some form of higher-trust authentication (like 2FA)
- Review your internal security Policies and Procedures, specifically related to financial transactions to prevent CEO Fraud
- Check your firewall configuration and make sure no criminal network traffic is allowed out
- Deploy new-school security awareness training, which includes social engineering via multiple channels, not just email
Since phishing has risen to the #1 malware infection vector, and attacks are getting through your filters too often, getting your users effective security awareness training which includes frequent simulated phishing attacks is a must.
KnowBe4's integrated training and phishing platform allows you to send attachments with Word Docs with macros in them, so you can see which users open the attachments and then enable macros!
See it for yourself and get a live, one-on-one demo.