Jump to content

Recommended Posts

Posted

http://img.photobucket.com/albums/v708/starbuck50/petya-decryption-site_zpsclgqrpz7.jpg

 

Typically, when a user becomes infected by a crypto-ransomware, the infection targets and encrypts the files on the victim's hard drives.

This leaves the operating system working properly, but with the user unable to open the encrypted documents.

The Petya Ransomware takes it to the next level by encrypting portions of the hard drive itself that make it so you are unable to access anything on the drive, including Windows.

At the time of this writing, the ransom payments are at ~.9 bitcoins and there is no way to decrypt your drive for free.

 

This ransomware is currently being distributed via emails that are targeting the human resources departments of German companies.

These emails contain dropbox links to supposed applications that download a file that when executed will install the Petya Ransomware on the computer.

An example filename for the installer is Bewerbungsmappe-gepackt.exe.

 

It is important to note that there is a lot of bad information on the web about how how to fix your computer when it has been encrypted by Petya.

Many of these sites state that you can use the FixMBR command or repair your MBR to remove the infection.

Though this will indeed remove the lock screen, it will not decrypt your MFT and thus your files and Windows will still be inaccessible.

Only repair the MBR if you do not care about any lost data and want to reinstall Windows.

 

Back in January, there was another short-lived ransomware that was performing the same behavior, but was not as advanced.

 

The Petya Ransomware Encryption Process

 

When first installed, the Petya Ransomware will replace the boot drive's existing Master Boot Record, or MBR, with a malicious loader.

The MBR is information placed at the very beginning on a hard drive that tells the computer how it should boot the operating system.

It will then cause Windows to reboot in order to execute the new malicious ransomware loader, which will display a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya will encrypt the Master File Table on the drive.

Once the MFT is corrupted, or encrypted in this case, the computer does not where files are located, or if they even exist, and thus they are not accessible.

 

http://img.photobucket.com/albums/v708/starbuck50/fake-chkdsk_zpsoanex1ri.jpg

Fake CHKDSK

 

Once the fake CHKDSK is completed, you will be presented with a lock screen that displays instructions on connecting to a TOR site and a unique ID you must use on the site to make the ransom payment.

Once a ransom payment has been made, you will receive a password that you can enter into this screen to decrypt your computer.

 

http://img.photobucket.com/albums/v708/starbuck50/lock-screen-2_zpsrt0m80y5.jpg

Lock Screen

 

Once a password is entered, the ransomware will decrypt the MFT and restore the original MBR.

This will then allow you to boot back into Windows and access your files again.

 

As already stated, there is currently no way to decrypt your drive for free at this time.

Researchers are analyzing this ransomware, though, so it may be possible in the future.

 

 

Source & Credit:

Lawrence Abrams

http://www.bleepingcomputer.com/news/security/petya-ransomware-skips-the-files-and-encrypts-your-hard-drive-instead/

Member of:

UNITE

  • Replies 3
  • Created
  • Last Reply

Top Posters In This Topic

Top Posters In This Topic

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


×
×
  • Create New...