
New form of ransomware uses disk-level encryption to lock users out of their computers

By midian182 · 18 replies
Mar 30, 2016
  1. Ransomware is bad enough in its current form, but a newly discovered variant may be worse than anything seen so far. The malware, called Petya, doesn't encrypt individual files; it locks up the entire hard drive.

    While most ransomware spreads as an email attachment or is hosted on compromised sites and delivered by exploit kits, Petya has been found in emails containing hyperlinks to a Dropbox storage location (since removed by the company), which lends the message an air of legitimacy.

    According to a Trend Micro blog post, the email masquerades as an application letter from someone seeking employment with the company. One of the links supposedly points to the applicant's CV, but it is actually a self-extracting executable. Running it installs a Trojan that blinds any antivirus programs before downloading and executing Petya.
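    The "CV" that is really an executable is the point at which this chain can still be stopped. The following is an added example, not code from the article or from Trend Micro: it inspects a downloaded file's bytes rather than trusting its name or icon, flags a Windows PE image (self-extracting archives are ordinary PE files) that carries a document extension, and catches the "name.pdf.exe" double-extension trick. The file names, the minimal PE header and the PDF stub used as input are constructed for the demo.

```python
import os
import struct

# Extensions a CV would plausibly carry; used to spot a PE file wearing a document name.
DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".txt"}
# Leading bytes of a few document formats (OLE2 covers .doc, ZIP covers .docx/.odt).
DOCUMENT_MAGIC = (b"%PDF", b"\xD0\xCF\x11\xE0", b"PK\x03\x04", b"{\\rtf")


def is_pe_executable(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field (offset 0x3C)
    points at a 'PE\\0\\0' signature. Icons and extensions are ignored entirely."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 4 > len(data):          # truncated or nonsensical header
        return False
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def has_double_extension(filename: str) -> bool:
    """'Lebenslauf.pdf.exe' style names: a document extension hidden before the real one."""
    stem, last = os.path.splitext(filename.lower())
    inner = os.path.splitext(stem)[1]
    return inner in DOCUMENT_EXTENSIONS and last != "" and last not in DOCUMENT_EXTENSIONS


def classify_attachment(filename: str, data: bytes) -> str:
    """Return 'executable-disguised-as-document', 'executable', 'document' or 'unknown'."""
    ext = os.path.splitext(filename.lower())[1]
    if is_pe_executable(data):
        if ext in DOCUMENT_EXTENSIONS or has_double_extension(filename):
            return "executable-disguised-as-document"
        return "executable"
    if data.startswith(DOCUMENT_MAGIC):
        return "document"
    return "unknown"


def make_sample_pe() -> bytes:
    """Constructed stand-in for a downloaded 'CV': a minimal, non-runnable PE header (not malware)."""
    dos_header = bytearray(0x40)
    dos_header[:2] = b"MZ"
    struct.pack_into("<I", dos_header, 0x3C, 0x80)          # e_lfanew -> offset 0x80
    stub_padding = bytes(0x80 - len(dos_header))
    pe_signature = b"PE\x00\x00" + struct.pack("<HH", 0x014C, 0)  # i386 machine, 0 sections
    return bytes(dos_header) + stub_padding + pe_signature + bytes(32)


SAMPLE_PDF = b"%PDF-1.4\n% constructed placeholder, not a real document\n"


if __name__ == "__main__":
    # Constructed file names: the first three imitate a German job application.
    samples = [("Lebenslauf.pdf", make_sample_pe()),
               ("Lebenslauf.pdf.exe", make_sample_pe()),
               ("Lebenslauf.pdf", SAMPLE_PDF),
               ("setup.exe", make_sample_pe())]
    for name, blob in samples:
        print(f"{name:22s} -> {classify_attachment(name, blob)}")
```

    The check deliberately ignores the extension when deciding whether something is executable; the extension is only consulted afterwards to decide whether the executable is pretending to be a document. Anything classified as disguised should be quarantined before a user gets the chance to double-click it.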

    Once executed, Petya overwrites the master boot record of the system disk with its own boot code, triggering a critical Windows error – the dreaded Blue Screen of Death. When the machine is rebooted, the PC appears to perform a check disk operation but, during this fake CHKDSK, Petya is actually encrypting the master file table (MFT), the index NTFS uses to locate every file on the volume, rendering the PC useless. The MFT is only touched during this boot-time stage, so a machine that is not rebooted after the crash still has its file table intact.
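    Because the first visible action is a rewritten master boot record, a baseline-and-compare check on sector 0 is a cheap way to spot this class of malware before the reboot does its damage. The following is an added example, not code from the article or from Trend Micro: it parses a 512-byte MBR, records a SHA-256 of the 440 boot-code bytes, and reports whether the boot code differs from a baseline taken earlier. The two sectors it runs on are constructed for the demo (a "known good" MBR and one whose boot code has been replaced); they are not captures from a real or infected disk, and the device path mentioned in `read_first_sector` is only an illustration of where a real baseline would come from.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xAA"
# One 16-byte partition entry: status, CHS start, type, CHS end, LBA start, sector count
PARTITION_ENTRY = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR for the demo (not from a real disk): boot code padded to
    440 bytes, a 6-byte disk signature block, one active NTFS partition, then 0x55AA."""
    code = boot_code[:440].ljust(440, b"\x00")
    disk_signature = struct.pack("<IH", 0x1E6B2C3A, 0)
    ntfs_entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x20\x21\x00", 0x07,
                             b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = ntfs_entry + bytes(48)                # remaining three entries empty
    return code + disk_signature + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into boot-code hash, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        status, _, ptype, _, lba, count = struct.unpack_from(PARTITION_ENTRY, sector, 446 + 16 * i)
        if ptype:                                 # type 0 means an unused slot
            partitions.append({"active": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:] == BOOT_SIGNATURE,
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "partitions": partitions,
    }


def boot_code_changed(baseline_sha256: str, sector: bytes) -> bool:
    """Compare only the 440 boot-code bytes: a replaced bootloader is flagged even when the
    partition table is left intact and the disk still looks normal to partitioning tools."""
    return parse_mbr(sector)["boot_code_sha256"] != baseline_sha256


def read_first_sector(path: str) -> bytes:
    r"""Read sector 0 from a raw image file, or from a device path such as \\.\PhysicalDrive0
    on Windows (administrator rights required). Not used by the offline demo below."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


# Constructed sectors: the boot code of CLEAN_MBR is a typical x86 bootloader prologue
# (xor ax,ax / mov ss,ax / mov sp,7C00h / mov es,ax / mov ds,ax); TAMPERED_MBR stands in for
# a disk whose MBR has been overwritten by a foreign bootloader.
CLEAN_MBR = build_sample_mbr(b"\x33\xC0\x8E\xD0\xBC\x00\x7C\x8E\xC0\x8E\xD8")
TAMPERED_MBR = build_sample_mbr(b"constructed stand-in for a foreign bootloader")
BASELINE_HASH = parse_mbr(CLEAN_MBR)["boot_code_sha256"]

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        info = parse_mbr(sector)
        print(f"{label:9s} signature_ok={info['signature_ok']} "
              f"partitions={len(info['partitions'])} "
              f"boot_code_changed={boot_code_changed(BASELINE_HASH, sector)}")
```

    In practice the baseline hash is recorded when the machine is known to be clean and stored off the host; the comparison is then run on a schedule or from a boot-time agent. If it fires, the right response is to power the machine off and image the disk rather than let it reboot into whatever the new boot code does.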

    At this point, victims are presented with a lock screen and instructions to connect to Tor, visit a specific website and pay the fee of 0.99 bitcoins, around $430 at the time. If the ransom is not paid within seven days, the price doubles.

    The attackers, who call themselves 'Janus Cybercrime Solutions,' warn that attempting to repair the master boot record won't decrypt the disk and may result in a purchased decryption key no longer working.

    So far, emails containing the Petya links have been aimed primarily at companies in Germany, but they could start reaching beyond the country's borders. Researchers are still investigating this new form of ransomware, and no fix is available yet.


  2. seefizzle

    seefizzle TS Evangelist Posts: 415   +288

    These viruses are terrifying.
    crocography and Reehahs like this.
  3. Reehahs

    Reehahs TS Guru Posts: 729   +472

    The hackers behind this should be publicly punished.
    stewi0001 and SirChocula like this.
  4. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,401   +5,021

    Good thing my backups are on a disconnected external. The encryption will not stop a format and system recovery.
    In my opinion that is putting it mildly.
  5. Evernessince

    Evernessince TS Evangelist Posts: 4,008   +3,499

    Backup your data folks!

    One set of backups not connected to the computer and one in a remote location if possible.
  6. trparky

    trparky TS Evangelist Posts: 534   +428

    To quote cliffordcooley...

    These hackers should be given "5 to death"; 5 years to reflect as they journey to the gas chamber. And then give a public statement just before the end, as to whether they think their decision was worth it.
    agb81 and SirChocula like this.
  7. N4RPS

    N4RPS TS Rookie

    This is a REALLY nasty one! A whole new type of punishment needs to be invented for them - something far worse than death.

    If you catch THIS baby, it's either pay the bastards, hire a service to unlock the drive (which costs almost as much as a new drive would), or replace the drive - which is still cheaper than paying the bastards off...
    SirChocula likes this.
  8. Colin in tassie

    Colin in tassie TS Rookie

    You should create an image on an external drive on a regular basis. That way, if the worst should happen, you may have to buy a new drive but your system will be intact once recovered. I hope the authorities can catch these evil lowlifes and treat them accordingly.
  9. SirChocula

    SirChocula TS Maniac Posts: 174   +183

    I find it funny in the instructions portion of the scam, it uses the word "please".
    wastedkill and cliffordcooley like this.
  10. G0DofPaiN

    G0DofPaiN TS Addict Posts: 78   +58

    Easiest punishment would be to cut their fingers. Let's see them hack then.
  11. MikeAcker

    MikeAcker TS Enthusiast Posts: 37   +6

    Download then execute is a recipe for disaster, as has been demonstrated by a mountain of anecdotal evidence.

    The proper process is: download, AUTHENTICATE, then execute.

    You should not grant anything execute permission until you have authenticated it.
  12. stewi0001

    stewi0001 TS Evangelist Posts: 2,200   +1,625

    These ransomware people need to target Hollywood. Then the governments would start caring about stopping and punishing them.
    SirChocula and wastedkill like this.
  13. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,963   +577

    If the MFT is encrypted, can't you still just do a surface scan to recover data? Like using GetDataBack for NTFS?
  14. agb81

    agb81 TS Booster Posts: 79   +38

    The problem is that even if IT dept is well aware of the situation, the average Joe would get a BSOD and then reset the pc after that, allowing the virus to encrypt the hard drive.
  15. Darth Shiv

    Darth Shiv TS Evangelist Posts: 1,963   +577

    The article says
    "When the machine is rebooted, the PC appears to perform a check disk operation but, during this time, Petya is actually encrypting the master file table (MFT), rendering the PC useless."
    Emphasis mine. If it is only the MFT being encrypted, the data is recoverable using a surface scan util isn't it?
  16. agb81

    agb81 TS Booster Posts: 79   +38

    Riiiiiight! My bad.
  17. AnonymousSurfer

    AnonymousSurfer TS Guru Posts: 456   +40

    They've targeted hospitals before, and IMO that's far worse than Hollywood.
  18. cliffordcooley

    cliffordcooley TS Guardian Fighter Posts: 11,401   +5,021

    The sarcasm from stew was that there never seems to be anything done unless someone wrongs a movie studio.
    stewi0001 likes this.
  19. thelatestmodel

    thelatestmodel TS Addict Posts: 157   +73

    This is a nasty one. Straight up '80s style destruction.
