Month: March 2016
Till now we have heard of ransomware’s targeted computers files will be encrypted, in this scenario users are allowed to login to the Operating System but won’t be able to open encrypted files. The newly discovered PETYA Crypto-Ransomware has crossed one more step and it overwrites the MBR itself to lock users out of their computers.
Petya is still distributed via email. Victims would receive an email tailored to look and read like an applicant applying for a job in a company. It would present users with a hyperlink to Dropbox storage location, which would let users download the above said user’s CV.
The file downloaded is actually a self-extracting executable which will unleash the trojan into the system.
Once executed, Petya overwrites the MBR of the entire hard drive, causing windows to crash and display a blue screen. When the user tries to reboot the system the modified MBR will stop him to boot into the operating system, and will be greeted with an ASCII skull and an ultimatum: pay up with a certain amount of bitcoins or lose access to your files and computer.
Fig1: Petya’s red skulls-and-crossbones warning
This modified MBR even disable booting to safe mode also. The user is then given explicit instructions on how to do this, just like any crypto-ransomware currently making the rounds: a list of demands, a link to the Tor Project and how to get to the payment page using it, and a personal decryption code.
Fig 2: Petya’s decryption and ransom payment instructions
Drown stands for Decrypting RSA using Obsolete and Weakened eNcryption, and it provides a way for attackers to decrypt HTTPS communications from servers that are still supporting SSLv2. Most of us think supporting SSLv2 protocol on server is not a problem because most of the modern client software’s just don’t use it.
But looks like the mere existence of SSLv2 help attackers to crack a connection’s encryption, and initiate what is effectively a MITM attack.
According to the researchers, a server is vulnerable to the DROWN vulnerability (also known as CVE-2016-0800) if:
It allows SSLv2 connections. This is surprisingly common, due to misconfiguration and inappropriate default settings. Our measurements show that 17% of HTTPS servers still allow SSLv2 connections.
Its private key is used on any other server that allows SSLv2 connections, even for another protocol. Many companies reuse the same certificate and key on their web and email servers, for instance. In this case, if the email server supports SSLv2 and the web server does not, an attacker can take advantage of the email server to break TLS connections to the web server. When taking key reuse into account, an additional 16% of HTTPS servers are vulnerable, putting 33% of HTTPS servers at risk.
If you want to check whether a particular site is vulnerable, the researchers have helpfully provided an online tool.