UPDATED 23:12 EDT / JUNE 27 2017

Petya is being sold as a ransomware-as-a-service offering on the darknet

Petya, the malware that is creating headlines as it infects computers worldwide, is being offered as a ransomware-as-a-service product.

The software, also known as Petrwrap and Diskcoder.C, even comes complete with an affiliate program on the darknet, the hidden part of the web only reachable through special software, according to two security experts who contacted SiliconANGLE. (Update: By Wednesday, security researchers had concluded that the malware was neither traditional ransomware nor the variety called Petya.)

“One of the perfidious characteristics of Petya ransomware is that its creators offer it on the darknet with an affiliate model which gives distributors a share of up to 85 percent of the paid ransom amount, while 15 percent is kept by the malware authors,” Jakub Kroustek, Threat Lab Team lead at Avast Software s.r.o. told SiliconANGLE. “The malware authors provide the whole infrastructure, command and control servers and money transfer method.”

A spokesman for Israeli security firm IntSights Cyber Intelligence Inc. confirmed that Petya was being offered on a RaaS basis. He told SiliconANGLE that Janus, the organization behind the ransomware, “created an affiliate program by which amateur hackers can help to distribute ransomware and get paid for that service, in return for 85 percent of the ransom payments (Janus keeps the rest).”

Petya, along with a variant called Mischa, is not new despite suddenly making headlines. A report on the darknet site Deep.Dot.Web (the link requires Tor software to view) described in detail the marketing strategies used by Janus in October last year. “Malware has changed from a ‘hobby’ to a business opportunity in the past few years,” the report notes. “Gangs of cybercriminals are selling updated and sophisticated malicious software on the darknet.”

“Janus has its own affiliate program. They created a simple web interface where affiliates can view the latest infections, set ransom prices, recrypt their binaries, generate bitcoin addresses and keys for the payment system,” the report added. “Compared to other ransomware creators, Janus’ payment system seems to be quite professional. They keep their business up by taking a percentage of the affiliates’ profits. For example, if you earn 125 BTC with Petya, Janus will give you 85 percent of the profit, which is over $60,000.”

The spokesman from IntSights added that, while it is still early and the Petya ransomware is still spreading, the bitcoin wallet address provided by the attackers has so far collected 1.378 BTC ($3,155) in 11 transactions.

All Windows users are advised to make sure they have installed the latest update, given that Microsoft patched the vulnerability exploited by Petya months ago. “It is amazing to me that after the huge media coverage and rapid spread of WannaCry that we are seeing another successful attack that uses the same vulnerability again,” Richard Henderson, global security strategist at Absolute Software Corp., told SiliconANGLE. “I’m not sure what else we can do to get the message out there to companies: You need to get your machines patched, and today. This can’t wait any longer.”

The fact that people aren’t updating their Windows installs has others more skeptical. “I believe the broad message is that the current approaches to security with respect to patching and updates is severely broken,” said Mike Kail, chief technology officer at Cybric Inc. “Unfortunately, critical infrastructure technology has been ignored for too long, and now we’re seeing the repercussions of that complacency. Companies need to rapidly adopt a much more continuous strategy around patching and security testing, along with a robust disaster recovery plan that gets tested frequently.”

Images: Deep.Dot.Web
