PETYA ransomware: encrypts the entire hard disk and locks the user's computer

PETYA ransomware: encrypts the entire hard disk and locks the user's computer

Recently, security experts have discovered a new type of ransomware, Petya, which can cause a computer blue screen crash (BSoD) and before the operating system is loaded, replace the regular Windows icon with a blinking, red, and white image, for example:

 

 

Petya not only can overwrite the primary Boot Record (MBR) of the affected system, but also lock the user, and it is infected by a legitimate cloud storage service (for example, through Dropbox ).

During the analysis, the researchers found that although this was not the first time that malware abused legal services to achieve its goal, it was the first time that crypto-ransomware was infected. This method deviates from the typical infection chain by attaching malicious files to emails or hosting them on a website and spreading them through sdks.

Infection procedure

Most Petya files are sent via email. The victim will receive a business-related email that appears to be from an external work applicant, containing a hyperlink to the Dropbox storage location. Once the victim clicks the link, the "Applicant's resume" will be downloaded ".

By analyzing a large number of samples, we found that the link to the Dropbox folder contains two files: a self-decompressed Executable File disguised as a resume, and a photo of the applicant. Deep Mining finds that this photo is an unauthorized inventory image.

 

 

Content in the Dropbox folder

Of course, the downloaded file is not a resume, but a self-extracted executable file that will release the Trojan horse to the system. This trojan will prevent the virus killing tool from detecting Petya.

Infection "Symptom"

Once the Petya system is infected, it will overwrite the whole hard disk MBR, causing Windows to crash and display a blue screen. When the user restarts the computer, the modified MBR will prevent Windows from loading normally, instead, an ASCII skeleton image and prompt are displayed: pay a certain amount of bitcoin; otherwise, access to files and computers will be lost.

In addition, the modified MBR will also disable restart in Safe Mode.

Next, the user operation instructions will be displayed: A required list, links to the Tor Project, how to enter the payment page and private decryption key.

 

 

Decryption and payment of PETYA

Looking at its professional Tor website, we found that the current ransom price is 0.99 bitcoin (BTC) or US $431. If you miss the screen display deadline, the ransom price will double.

 

 

PETYA website

Security suggestions

Enterprise organizations and individual users can use some terminal solutions (such as Smart Protection Suites) to detect malicious files or email messages and block all related malicious URLs.

In addition, due to PETYA's short detection time, many security detection software have not responded in a timely manner. This requires users to carefully check the email content, especially anonymous emails, when viewing emails, avoid clicking links in emails.

SHA1 of Related Files

39B6D40906C7F7F080E6BEFA93324DDDADCBD9FA

B0C5FAB5D69AFCC7FD013FD7AEF20660BF0077C2

755f2652638f87ab517c608a363c4aefb9dd6a5a