Israeli Companies Protect against the Ransomware Petya

Two Israeli companies, Cyber DriveWare and Bufferzone, have already managed to provide real-time protection against the new ransomware family Petya, using their existing product lines.

A new ransomware named Petya bypasses all protection layers of the Windows operating system by forcing the computer to reboot and load an alternative, malicious bootloader. The ransomware modifies the MBR so that, instead of loading the regular Windows OS, the machine loads Petya's own proprietary OS. That OS then encrypts the file system, disables the computer and demands a ransom before the computer is allowed to boot again. The ransom fee is 1 bitcoin, about $382 per computer.

Despite the high bar Petya sets for the cyber security industry, two Israeli companies, Cyber DriveWare and Bufferzone, already provide protection based on their existing product lines.

"If either DriveWare or Bufferzone is in place, then execution of the Petya malware leads simply to nothing. The computer continues to work flawlessly. In contrast, executing Petya on computers which are not protected with either solution leads to a blue screen. As soon as the computer restarts, the file system will be encrypted, requiring ransom to decrypt", explains Guy Edri, an independent malware researcher and incident response examiner who analyzed Petya.

"If you run Windows Task Manager, you can see that Petya tries to operate for about 20 seconds. It consumes 50% of the CPU power (i.e. consumes a CPU thread) as it tries to corrupt the OS. However, if either Bufferzone or Cyber DriveWare are installed, they prevent the blue screen (BSoD). The malicious process aborts and is then removed from the memory."

While Bufferzone uses container technology to protect against Petya, Cyber DriveWare takes its own approach of monitoring and blocking traffic in the I/O layer.

"The Petya ransomware does not encrypt the MBR, though it modifies it. Petya forces the computer to restart, as running it leads to a blue screen. Once the computer reboots, Petya's proprietary operating system, which is based on the Tiny kernel, loads. It is designed to encrypt the file system and then ask for ransom", explains Haggai Yedidya, founder and CEO of the Israeli startup company Cyber DriveWare, which develops solutions to protect against ransomware as well as other types of malware (e.g. bootkits, stealthy malware, firmware viruses, destructive malware, etc.).

"By loading its own proprietary OS (based on the Tiny Linux kernel), Petya manages to bypass all protection layers which might have been installed in Windows. At this stage, Petya can encrypt the file system, or do whatever it likes, as it has full access to the drive."

In addition to modifying the MBR and encrypting the file system, Petya also encrypts other drives connected to the computer. Whether the additional drives are attached directly through a SATA port or through USB, Petya encrypts them just the same. It is unclear at this stage how Petya behaves with regard to network storage devices (e.g. NAS).

How would BitLocker or a similar encryption solution affect Petya?

"As far as the attacker (i.e. Petya) is concerned, BitLocker or similar solutions have no impact on its behavior. Whether the original files are encrypted or not, Petya will simply perform its proprietary encryption cycle on top of whatever state the files were in prior to that", explains Yaniv Bitton, VP R&D at Cyber DriveWare. "Before modifying the MBR and rebooting the computer, Petya learns the locations of sensitive areas in the drive, such as the location of the various partitions (VBR), the location of the file systems (MFT) and more. Petya stores information about such critical areas of the drive, and then it modifies the MBR in order to crash the computer and load its own proprietary OS, which executes the encryption."

"In order to pay the ransom, the user has to follow Petya's instructions, which include installing a Tor browser on a different computer. Following payment, the user receives the decryption key, which then has to be typed into the encrypted computer."

"So far ransomware has encrypted user data, rather than the operating system itself. Therefore, as long as the user was willing to give up their encrypted files (for instance if the user has a recent and accessible backup), there was no reason to pay the ransom. However, Petya disables the entire computer. In cases where business continuity is a factor, the incentive to pay ransom is clear. Other than paying ransom, the alternative would be to reinstall the operating system, which consumes quite a lot of time."

"Think about a hospital or a critical infrastructure. Files might not be the key issue here, considering the availability of equipment or services. Therefore, Petya targets either users whose data or content is important to them, or users who are sensitive to business continuity."

Denying MBR modification

When Petya executes, before it encrypts any data, DriveWare detects the potentially malicious activity as soon as the process accesses sensitive areas of the drive, including the VBR and MFT. When Petya then tries to modify the MBR, DriveWare blocks the write in real time, and moments later the ransomware process is killed.
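A minimal offline form of the MBR integrity check this section describes, written as an added example for this article (it is not Cyber DriveWare's code and says nothing about how their product is implemented): it parses a 512-byte MBR, hashes the bootstrap code and the partition table separately, and reports which region differs from a trusted baseline. The two sample MBRs are constructed inline; on a real machine the bytes would come from the first sector of the boot disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446        # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446       # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"    # boot signature at bytes 510..511

def parse_mbr(mbr: bytes) -> dict:
    """Split an MBR into bootstrap code, partition entries and a signature flag."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    parts = []
    for i in range(4):
        entry = mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        parts.append({"bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return {"boot_code": mbr[:BOOT_CODE_LEN], "partitions": parts,
            "signature_ok": mbr[510:512] == SIGNATURE}

def fingerprint(mbr: bytes) -> dict:
    """Hash bootstrap code and partition table separately so a report can say
    which region changed; a bootloader replacement typically rewrites only the former."""
    return {"boot_code": hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest(),
            "part_table": hashlib.sha256(mbr[PART_TABLE_OFF:510]).hexdigest()}

def check_mbr(baseline: bytes, current: bytes) -> list:
    """Compare the current MBR with a trusted baseline; [] means unchanged."""
    findings = []
    if not parse_mbr(current)["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    base_fp, cur_fp = fingerprint(baseline), fingerprint(current)
    if base_fp["boot_code"] != cur_fp["boot_code"]:
        findings.append("bootstrap code changed")
    if base_fp["part_table"] != cur_fp["part_table"]:
        findings.append("partition table changed")
    return findings

def make_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: one bootable NTFS (type 0x07) partition at LBA 2048."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry
            + b"\x00" * 48 + SIGNATURE)

CLEAN_MBR = make_mbr(b"\xeb\x3c\x90ORIGINAL-LOADER")    # placeholder code bytes
TAMPERED_MBR = make_mbr(b"\xeb\x3c\x90REPLACED-LOADER")  # same table, new code
```

Comparing CLEAN_MBR against TAMPERED_MBR reports only the bootstrap code as changed, which is the pattern a bootloader replacement leaves while the partition layout stays intact.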

Cyber DriveWare explains that its solution detects and blocks not only ransomware but also other malware types, and even cyber attacks that are not malware- or Trojan-based. "We've designed a protection layer which is effective against various attack vectors, regardless of where the attack originated", explains Haggai. "Standard technologies are designed to protect Windows, and therefore Petya will overcome their protection as it reboots to Tiny Linux. As DriveWare protects the MBR and other sensitive areas of the drive, it will probably block all future variations and generations of the ransomware Petya.

"Furthermore, DriveWare provides significant added value for sandboxes as well as for forensics teams who analyze Petya, making it much easier to contain and handle Petya."
