New form of ransomware uses disk-level encryption to lock users out of their computers

midian182

Staff member

Ransomware is bad enough in its current form, but a newly discovered variant is arguably worse than anything seen so far. The malware, called Petya, doesn't encrypt individual files one at a time: it attacks the disk itself, encrypting the NTFS master file table so that the entire drive becomes unusable.

While most ransomware arrives as an email attachment or is hosted on compromised sites and delivered by exploit kits, Petya has been distributed through emails containing hyperlinks to a Dropbox storage location (since removed by the company), which makes the message look more legitimate.

According to a Trend Micro blog post, the email masquerades as an application letter from someone seeking employment at the targeted company. One of the links supposedly points at the applicant's CV but actually leads to a self-extracting executable. Running it installs a Trojan that disables any installed antivirus programs before downloading and executing Petya.

Once executed, Petya overwrites the master boot record (MBR) with its own boot code and triggers a critical Windows error, the dreaded Blue Screen of Death. When the machine reboots, the malicious bootloader runs instead of Windows and displays what looks like a CHKDSK disk check; during this fake check, Petya is actually encrypting the master file table (MFT). With the MFT encrypted the filesystem no longer knows where any file lives, so the data is unreachable even though the file contents themselves are not touched, and the PC is rendered useless.
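Because Petya replaces the MBR with its own boot code, the most direct host-level check is to read sector 0 of the disk and compare the 446-byte boot-code region against a known-good baseline. The following script is an added example, not code from the article or from Trend Micro: it parses the standard MBR layout (boot code, four 16-byte partition entries, 0x55AA signature), hashes the boot code, and flags deviations from a baseline hash. The sample sector and the baseline are constructed inline so it runs offline; on a real host you would read the first 512 bytes of the physical disk with administrator rights and keep the baseline hash from a clean install.

```python
"""Parse a 512-byte MBR and compare its boot code against a known-good hash.

Added example: the MBR layout is the standard one (446 bytes boot code,
64-byte partition table, 2-byte 0x55AA signature). The sample sector and the
baseline hash below are constructed for illustration only.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446
PARTITION_TABLE_OFF = 446
SIGNATURE = b"\x55\xaa"
# status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4) = 16 bytes
PART_ENTRY = "<B3sB3sII"


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a syntactically valid MBR with one bootable NTFS (0x07) partition."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2_000_000)
    table = entry + b"\x00" * 48          # remaining three entries empty
    return code + table + SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into boot-code hash, partition entries and signature status."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype != 0:                     # type 0x00 means unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline (bootloader replaced?)")
    if not any(p["type"] == 0x07 for p in info["partitions"]):
        findings.append("no NTFS/exFAT partition entry (type 0x07) in the table")
    return findings


if __name__ == "__main__":
    # Constructed "known good" stub and a constructed replacement loader.
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
    baseline = parse_mbr(good)["boot_code_sha256"]
    tampered = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 100)
    print("good:", check_mbr(good, baseline))
    print("tampered:", check_mbr(tampered, baseline))
```

A check like this is only meaningful when run from a trusted context (a clean boot medium, or before the infected host has rebooted); once the malicious loader has run and the MFT is encrypted, the changed boot code is still visible from another OS, but it tells you nothing about recovering the filesystem.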

At this point the victim is shown a lock screen with instructions on how to install Tor, visit a specific website and pay the fee, which is 0.99 bitcoins, or around $430 at the time of writing. If the ransom is not paid within seven days the price doubles.

The attackers, who call themselves 'Janus Cybercrime Solutions,' warn that attempting to repair the master boot record won't decrypt the drive and may leave a purchased decryption key unusable.

So far, emails carrying the Petya links have been aimed primarily at companies in Germany, but they could start reaching beyond the country's borders. Researchers are still investigating this new strain, and no fix is available yet.


 
Backup your data folks!

One set of backups not connected to the computer and one in a remote location if possible.
 
This is a REALLY nasty one! A whole new type of punishment needs to be invented for them - something far worse than death.

If you catch THIS baby, it's either pay the bastards, hire a service to unlock the drive (which costs almost as much as a new drive would), or replace the drive - which is still cheaper than paying the bastards off...
 
You should create an image on an external drive on a regular basis. That way, if the worst should happen you may have to buy a new drive, but your system will be intact once recovered. I hope the authorities can catch these evil lowlifes and treat them accordingly.
 
This is a REALLY nasty one! A whole new type of punishment needs to be invented for them - something far worse than death.

If you catch THIS baby, it's either pay the bastards, hire a service to unlock the drive (which costs almost as much as a new drive would), or replace the drive - which is still cheaper than paying the bastards off...

Easiest punishment would be to cut their fingers. Let's see them hack then.
 
Download then execute is a recipe for disaster -- as has been demonstrated by a mountain of anecdotal evidence.

The proper process is: download, AUTHENTICATE, then execute.

You should not grant anything execute permission until you have authenticated it.
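The "download, authenticate, then execute" rule above in working form, as an added example that is not the poster's code: the file's SHA-256 is compared against a pinned digest, and the execute bit is granted only when the two match (and stripped when they don't). The pinned digest would normally come from the publisher over a separate channel, such as signed release notes; here the "download" is a constructed temporary file so the script runs offline, and the digest is computed from that file before it is tampered with.

```python
"""Added example: verify a downloaded file against a pinned SHA-256 before
granting it execute permission. The sample file and pinned digest are
constructed inline; nothing is fetched from the network.
"""
import hashlib
import hmac
import os
import stat
import tempfile


def sha256_of(path: str) -> str:
    """Stream the file through SHA-256 so large downloads don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def authenticate_then_enable(path: str, pinned_sha256: str) -> bool:
    """Set the owner execute bit only if the digest matches; otherwise strip all execute bits."""
    actual = sha256_of(path)
    mode = os.stat(path).st_mode
    # constant-time compare so the check itself leaks nothing about the digest
    if hmac.compare_digest(actual, pinned_sha256.lower()):
        os.chmod(path, mode | stat.S_IXUSR)
        return True
    os.chmod(path, mode & ~(stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH))
    return False


def demo() -> tuple:
    """Constructed scenario: a good download, then the same file tampered after pinning."""
    with tempfile.NamedTemporaryFile("wb", delete=False, suffix=".exe") as f:
        f.write(b"MZ constructed sample payload\n")   # stands in for the downloaded CV.exe
        path = f.name
    pinned = sha256_of(path)              # stands in for the publisher's advertised hash
    ok_first = authenticate_then_enable(path, pinned)
    with open(path, "ab") as f:           # tamper with the file after the hash was pinned
        f.write(b"\x90\x90")
    ok_second = authenticate_then_enable(path, pinned)
    executable = bool(os.stat(path).st_mode & stat.S_IXUSR)
    os.unlink(path)
    return ok_first, ok_second, executable


if __name__ == "__main__":
    print("first check passed, second check passed, still executable:", demo())
```

A hash pinned from the same page that served the download proves nothing; the value has to come from somewhere the attacker who controls the download link cannot also edit, which is why a signature over the file (and a trusted signing key) is the stronger form of the same check.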
 
If the MFT is encrypted, can't you still just do a surface scan to recover data? Like using GetDataBack for NTFS?
 
If the MFT is encrypted, can't you still just do a surface scan to recover data? Like using GetDataBack for NTFS?

The problem is that even if IT dept is well aware of the situation, the average Joe would get a BSOD and then reset the pc after that, allowing the virus to encrypt the hard drive.
 
The problem is that even if IT dept is well aware of the situation, the average Joe would get a BSOD and then reset the pc after that, allowing the virus to encrypt the hard drive.
The article says
"When the machine is rebooted, the PC appears to perform a check disk operation but, during this time, Petya is actually encrypting the master file table (MFT), rendering the PC useless."
Emphasis mine. If it is only the MFT being encrypted, the data is recoverable using a surface scan util isn't it?
 
The article says
"When the machine is rebooted, the PC appears to perform a check disk operation but, during this time, Petya is actually encrypting the master file table (MFT), rendering the PC useless."
Emphasis mine. If it is only the MFT being encrypted, the data is recoverable using a surface scan util isn't it?

riiiiiight!, my bad.
 