Petya Ransomware Encrypts Entire Hard Drives

A new piece of malware dubbed Petya is making the rounds, and taking the threat of ransomware beyond simple file encryption activities.

The new ransomware family appears to be the first of its kind to encrypt entire hard drives, an unusual behavior compared to that of other malware families such as Locky, CryptoWall or TeslaCrypt, which encrypt individual files. However, similar to other ransomware, the new malicious application still prompts users to pay a ransom to regain access to their files.

G DATA SecurityLabs researchers, who discovered the new threat, explain that the Petya ransomware appears to be aimed mainly at companies. They observed it being distributed via a Dropbox download link to an alleged job application portfolio, included in an email sent to human resources departments.

However, the job application portfolio downloaded via the link is instead an executable file which causes the computer to crash with a bluescreen and reboot. Upon reboot, the malware manipulates the Master Boot Record (MBR) in order to take over the reboot process.

The malware then displays a message during the boot process, claiming to run a system check and to be repairing corrupted files on the system. Instead, the ransomware is locking the user out of the system and encrypting the hard drive, after which it displays a flashy warning message on the screen (you can see the malware in action in the following video).

[Embedded video: the malware in action during boot]

However, G DATA security researchers suggest that the user files are not encrypted at all, but that the malware only blocks file access. On the other hand, the ransom note displayed on the infected system claims that the computer has been encrypted using a “military grade encryption algorithm.”
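The MBR takeover described above is something a defender can baseline and check for. The following is an added example, not code from the article or from G DATA: it parses a 512-byte MBR, verifies the 0x55AA boot signature, decodes the four partition-table entries, and compares a SHA-256 of the 446-byte boot-code region against a previously recorded baseline, which is the region a bootkit-style ransomware has to replace. The sample MBR bytes are constructed inline (one NTFS partition at LBA 2048); a real check would read the first sector of the raw disk device, which this example deliberately does not do.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446            # offsets 0..445: boot code the BIOS jumps to
PARTITION_TABLE_OFFSET = 446   # four 16-byte partition entries follow
BOOT_SIGNATURE = b"\x55\xaa"   # offsets 510..511
ENTRY_FORMAT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code_fill: bytes) -> bytes:
    """Constructed sample MBR (not a real disk image): filler boot code,
    one bootable NTFS partition starting at LBA 2048, valid signature."""
    boot_code = (boot_code_fill * BOOT_CODE_LEN)[:BOOT_CODE_LEN]
    # status 0x80 = bootable, type 0x07 = NTFS; CHS fields are placeholders
    entry = struct.pack(ENTRY_FORMAT, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)
    return boot_code + table + BOOT_SIGNATURE


def boot_code_hash(mbr: bytes) -> str:
    """Hash of only the boot-code region; partition edits should not trigger it."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def parse_partitions(mbr: bytes) -> list:
    """Decode the non-empty entries of the classic MBR partition table."""
    parts = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba_start, sectors = struct.unpack(
            ENTRY_FORMAT, mbr[off:off + 16])
        if ptype == 0:
            continue  # empty slot
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba_start, "sectors": sectors})
    return parts


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Compare a captured MBR against a known-good boot-code hash."""
    if len(mbr) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    return {
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
        "boot_code_changed": boot_code_hash(mbr) != baseline_hash,
        "partitions": parse_partitions(mbr),
    }


if __name__ == "__main__":
    # Record the baseline from a clean sample, then check a sample whose
    # boot code was replaced while the partition table stayed intact.
    clean = build_sample_mbr(b"\x90")
    baseline = boot_code_hash(clean)
    print(check_mbr(clean, baseline))
    print(check_mbr(build_sample_mbr(b"\xcc"), baseline))
```

The point of hashing only the first 446 bytes is that legitimate partition changes (resizing, adding a volume) leave the boot code untouched, so a change there is far more likely to be a boot-sector overwrite than administration. On a real system the baseline would be taken right after imaging and stored off the host, since malware that can rewrite the MBR can also rewrite a locally stored hash.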

In addition to informing users they have been compromised, the ransom note provides them with details on how they can obtain a decryption key and how they can pay for it. The malware operators are also instructing users to download and install the Tor browser and to pay the ransom using it, allowing the perpetrators to maintain their anonymity.

Petya's creators give victims a 7-day window to pay the ransom, after which they have to pay double the original amount to regain access to their files. Since this type of ransomware is new, researchers are still looking into the nefarious activity it performs on compromised systems.

According to G DATA, HR department employees are advised to pay additional attention to the file types offered via Dropbox links, especially if they are not the documents one would expect. The researchers also advise users to disconnect an infected PC from the network, so that other computers remain safe, and say that victims should not pay the ransom.
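The advice to look at what a link actually delivers, rather than what its name claims, can be automated at the download gateway or mail filter. The following is an added example, not code from the article or from G DATA: it inspects the leading bytes (magic numbers) of a download, distinguishes a Windows executable from a PDF or an Office Open XML document, and flags the cases the article describes, an executable where a document is expected, a document-looking double extension such as `.pdf.exe`, and a claimed extension that does not match the content. All sample files are constructed inline; the filenames are made up.

```python
import io
import zipfile

# Leading-byte signatures for the container formats this check understands.
SIGNATURES = [
    ("pe", b"MZ"),           # Windows executable (DOS stub header)
    ("pdf", b"%PDF-"),
    ("zip", b"PK\x03\x04"),  # ZIP container; .docx/.xlsx/.pptx are ZIPs
]

# Content type each document extension should actually carry.
EXPECTED_CONTENT = {
    "pdf": {"pdf"},
    "docx": {"ooxml"}, "xlsx": {"ooxml"}, "pptx": {"ooxml"},
    "zip": {"zip"},
}


def is_ooxml(data: bytes) -> bool:
    """An Office Open XML document is a ZIP that carries [Content_Types].xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "[Content_Types].xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False


def detect_type(data: bytes) -> str:
    """Classify by magic bytes, refining a ZIP into 'ooxml' when it is one."""
    for name, magic in SIGNATURES:
        if data.startswith(magic):
            if name == "zip" and is_ooxml(data):
                return "ooxml"
            return name
    return "unknown"


def assess_download(filename: str, data: bytes) -> dict:
    """Return the content type plus the reasons, if any, the file looks wrong
    for an HR inbox that expects application documents."""
    parts = filename.lower().split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    actual = detect_type(data)
    reasons = []
    if actual == "pe":
        reasons.append("content is a Windows executable, not a document")
    if len(parts) > 2 and parts[-2] in EXPECTED_CONTENT:
        reasons.append(f"double extension .{parts[-2]}.{ext} mimics a document")
    if ext in EXPECTED_CONTENT and actual not in EXPECTED_CONTENT[ext]:
        reasons.append(f"extension .{ext} does not match content type '{actual}'")
    return {"filename": filename, "extension": ext, "content_type": actual,
            "suspicious": bool(reasons), "reasons": reasons}


def build_sample_docx() -> bytes:
    """Constructed minimal .docx-shaped ZIP; not a real Word document."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<document/>")
    return buf.getvalue()


# Constructed samples: a PE masquerading as a PDF, a real-looking PDF header,
# and the minimal docx above.
SAMPLE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 64
SAMPLE_PDF = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"

if __name__ == "__main__":
    for name, blob in [("portfolio.pdf.exe", SAMPLE_PE),
                       ("portfolio.pdf", SAMPLE_PDF),
                       ("portfolio.docx", build_sample_docx()),
                       ("portfolio.docx", SAMPLE_PE)]:
        print(assess_download(name, blob))
```

Checking the bytes rather than the name matters because Windows hides known extensions by default, so `portfolio.pdf.exe` is shown to the user as `portfolio.pdf`; the gateway sees the real name and the real header and can block or quarantine before the user ever clicks.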

Tim O’Brien, Director of Threat Research at cloud security automation company Palerra, told SecurityWeek that the new threat proves again that user awareness and training are critical to ensuring the security of a company’s network. He also noted that, while Box and Dropbox have been used in malware campaigns before, the targeting vector and having the malware encrypt the entire drive are new.

“Knowing what activity goes in and out of a company’s networks is critical; knowing what cloud services your company uses – and the amount of, and types of, activity [associated] with them is important for deciphering such suspicious events. The capability of analyzing file downloads and attachments, as well as monitoring (or blocking) execution of such files from abnormal places in the file system, is essential in discovering malicious files. Leveraging DNS blackholes, while monitoring for abnormal DNS requests and replies, is critical for discovering the associated command and control (C&C) traffic,” he said.

“Above all else, end-user awareness and training regarding the screening of emails and downloading of files is the first line of defense. Leveraging technology to automate the business process while minimizing the associated risks helps facilitate operations and negate the issues described in this blog post,” O’Brien added.
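Two of the controls O’Brien lists, monitoring execution from abnormal places in the file system and watching for DNS traffic that sidesteps the corporate resolver and its blackhole, can be written as simple detection rules. The following is an added example, not code from the article or from Palerra: it runs over constructed process-start and DNS events in a made-up pipe-separated layout (not any real product’s log format), flags executables launched from a user’s Downloads or Temp directories, and flags DNS queries sent to a resolver outside an assumed corporate set. The paths, hostnames and resolver addresses are all invented.

```python
import re

# Constructed sample events: "timestamp|PROC|image|parent|user" or
# "timestamp|DNS|query_name|resolver_ip|user". Not a real log format.
SAMPLE_LOG = r"""
2016-03-24T09:12:01|PROC|C:\Users\hr1\Downloads\portfolio.pdf.exe|C:\Program Files\Mozilla Firefox\firefox.exe|CORP\hr1
2016-03-24T09:12:05|PROC|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|CORP\hr1
2016-03-24T09:13:40|PROC|C:\Users\hr1\AppData\Local\Temp\setup_x.exe|C:\Windows\explorer.exe|CORP\hr1
2016-03-24T09:14:02|DNS|update.microsoft.com|10.0.0.53|CORP\hr1
2016-03-24T09:14:10|DNS|xk3jd92lsa0.example|8.8.8.8|CORP\hr1
"""

# Directories from which user-launched executables rarely run legitimately
# on a managed desktop (assumed policy, not a vendor list).
ABNORMAL_EXEC_PATTERNS = [
    re.compile(r"^c:\\users\\[^\\]+\\downloads\\", re.IGNORECASE),
    re.compile(r"^c:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE),
    re.compile(r"^c:\\windows\\temp\\", re.IGNORECASE),
]

# Resolvers clients are expected to use; a query to any other resolver
# bypasses the blackhole O'Brien describes. Assumed value.
CORPORATE_RESOLVERS = {"10.0.0.53"}


def parse_event(line: str):
    """Turn one pipe-separated line into a dict, or None if it is malformed."""
    fields = line.split("|")
    if len(fields) != 5:
        return None
    ts, kind, first, second, user = fields
    if kind == "PROC":
        return {"ts": ts, "kind": kind, "image": first, "parent": second, "user": user}
    if kind == "DNS":
        return {"ts": ts, "kind": kind, "qname": first, "resolver": second, "user": user}
    return None


def evaluate(event: dict) -> list:
    """Apply the two rules to one event; returns (rule_name, detail) tuples."""
    hits = []
    if event["kind"] == "PROC":
        if any(p.match(event["image"]) for p in ABNORMAL_EXEC_PATTERNS):
            hits.append(("exec_from_abnormal_location", event["image"]))
    elif event["kind"] == "DNS":
        if event["resolver"] not in CORPORATE_RESOLVERS:
            hits.append(("dns_bypassing_corporate_resolver",
                         f"{event['qname']} via {event['resolver']}"))
    return hits


def detect(log_text: str) -> list:
    """Run every rule over every well-formed line and collect alerts."""
    alerts = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        event = parse_event(line)
        if event is None:
            continue
        for rule, detail in evaluate(event):
            alerts.append({"ts": event["ts"], "user": event["user"],
                           "rule": rule, "detail": detail})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The execution-location rule is the one that would have fired on the campaign described in the article, since the "portfolio" arrives through the browser and is run from the Downloads folder; the resolver rule catches endpoints that have been pointed at a public resolver and would otherwise never hit the DNS blackhole. Both rules are deliberately coarse and would be tuned with an allow-list of known installers and update agents before alerting on them in production.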

Related: It’s Official, Ransomware Has Gone Corporate

Related: Why Ransomware Is Not Going Away Any Time Soon
