Crime Group Behind ‘Petya’ Ransomware Resurfaces to Distance Itself From This Week’s Global Cyberattacks – Gizmodo
Janus Cybercrime Solutions, the author of Petya—the ransomware initially blamed for Tuesday’s global cyberattacks—resurfaced on Twitter late Wednesday, seemingly offering to help those whose files can no longer be recovered.
The altruistic gesture, even if it does prove fruitless, is uncharacteristic of the criminal syndicate that launched an underworld enterprise by placing powerful exploits in the hands of others to deploy as they see fit. It may also simply indicate that Janus would prefer not to be tagged with the spread of “NotPetya”—so named by Kaspersky Lab, which has itself sought to differentiate between Janus’ ransomware and the malware that wreaked havoc across Europe this week.
There’s consensus now among malware experts that NotPetya is actually a wiper—malware designed to inflict permanent damage—not ransomware like Petya, which gave its victims the option of recovering their data for a price.
The earliest analysis of this was offered on Tuesday by security researcher the grugq, who wrote: “The superficial resemblance to Petya is only skin deep. Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This is definitely not designed to make money. This is designed to spread fast and cause damage, with a plausibly deniable cover of ‘ransomware.’”
In a tweet late Wednesday, the public face of Janus came to life after seven months of silence, suggesting that files locked by NotPetya might be recovered using a Janus private key. At time of writing, they’ve yet to elaborate any further.
In early 2016, Janus launched a darknet website based on a black-market business model called Ransomware-as-a-Service (RaaS). Simply put, they offered other criminals access to a sophisticated ransomware-distribution platform. Its customers, after paying a nominal registration fee, could use the platform, and in exchange Janus received a cut of all ransom paid. The customers tracked infection rates via a simple web interface, which also allowed them to adjust the ransom amounts. Janus, which has presented itself as a “professional cybercriminal” organization, even offered technical support, handling bug reports and fielding requests for new features to its beta platform.
The revenue model was designed specifically to benefit customers who pulled in the most ransom payments. Those who collected fewer than 5 bitcoin in ransom per week, for example, received only a 25 percent cut, while those collecting more than 125 bitcoin received an 85 percent share.
In the past, RaaS dealers mostly limited commercial access to ransomware that exploited well-known and widely patched vulnerabilities. Janus, however, wasn’t fucking around. The group is fairly unique in that its product was sophisticated and, at the time, still very much effective.
Petya, the malware which was not behind Tuesday’s outbreak—despite widespread reports of this in the media—only made up half of Janus’ payload.
Unlike most ransomware, which leaves the operating system intact while encrypting individual files, Petya encrypts entire portions of its victim’s hard drive. Petya replaces the computer’s Master Boot Record, locking the user out of the operating system. The Master File Table is then encrypted, leaving the computer unable to locate any of the victim’s files. The user is offered a unique code which can be entered into a decryption website in order to submit a payment. The instructions are always offered in clear and concise terms—the more complex the process, the fewer payments will be received.
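Because Petya’s damage begins with overwriting the Master Boot Record, one basic defensive check is to keep a trusted copy of a machine’s first sector and compare it against the current one: the boot code should hash to the same value, the partition table should be unchanged, and the 0x55AA signature should still be in place. The snippet below is an added example written for this article, not code from Gizmodo, Janus or any analysis of Petya; the two 512-byte sectors it checks are constructed inline and contain no real boot code. It parses the standard MBR layout (440 bytes of boot code, four 16-byte partition entries at offset 446, two-byte signature at offset 510) and reports what differs from the baseline.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440           # bytes 0..439 hold the boot loader code
PARTITION_TABLE_OFFSET = 446  # four 16-byte partition entries follow
MBR_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR
# partition entry: status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sectors(4)
PARTITION_ENTRY = "<B3xB3xII"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PARTITION_ENTRY, sector, off)
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == MBR_SIGNATURE,
    }


def check_mbr(baseline: bytes, current: bytes) -> list:
    """Return human-readable findings describing how `current` differs from the trusted `baseline`."""
    base = parse_mbr(baseline)
    cur = parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("invalid boot signature")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code replaced")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def make_sector(boot_code: bytes, partitions: list) -> bytes:
    """Build a constructed MBR for testing; `partitions` is a list of (bootable, type, lba_start, sectors)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PARTITION_ENTRY, sector, PARTITION_TABLE_OFFSET + 16 * i,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


# Constructed sample sectors: placeholder boot code, one NTFS-type (0x07) partition.
# Neither is real boot code from any system or from Petya.
BASELINE_MBR = make_sector(b"\xEB\x3C\x90" + b"constructed-baseline-bootcode",
                           [(True, 0x07, 2048, 1_000_000)])
TAMPERED_MBR = make_sector(b"\xEB\x3C\x90" + b"constructed-replacement-bootcode",
                           [(True, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("baseline vs itself:", check_mbr(BASELINE_MBR, BASELINE_MBR))
    print("baseline vs tampered:", check_mbr(BASELINE_MBR, TAMPERED_MBR))
```

On a real system the baseline would be captured once (for example by reading the first 512 bytes of the boot disk as an administrator) and stored off-host, and the check run periodically or at boot; a "boot code replaced" finding with an intact partition table is the pattern a bootkit-style MBR overwrite leaves behind.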
Once Petya is downloaded—in the past, it was distributed by emails with the help of a spambot—the user is shown a User Account Control prompt asking to let the malware run with elevated privileges. If the user clicks “Yes,” Petya initiates and the aforementioned process begins. If they click “No” instead, backup malware, known as Mischa, executes. This malware is of the more typical variety and encrypts individual files before prompting the victim with payment instructions from inside the operating system.