A new piece of malware dubbed Petya is making the rounds, and taking the threat of ransomware beyond simple file encryption activities.
The new ransomware family appears to be the first of its kind to encrypt entire hard drives, an unusual behavior compared to that of other malware families such as Locky, CryptoWall or TeslaCrypt, which encrypt individual files. However, similar to other ransomware, the new malicious application still prompts users to pay a ransom to regain access to their files.
G DATA SecurityLabs researchers, who discovered the new threat, explain that the Petya ransomware appears to be aimed mainly at companies. They observed it being distributed via a Dropbox download link to an alleged job application portfolio, included in an email sent to human resources departments.
However, the job application portfolio downloaded via the link is instead an executable file which causes the computer to crash with a bluescreen and reboot. Upon reboot, the malware manipulates the Master Boot Record (MBR) in order to take over the reboot process.
The malware then displays a message during the boot process, claiming to run a system check and to be repairing corrupted files on the system. Instead, the ransomware is locking the user out of the system and encrypting the hard drive, after which it displays a flashy warning message on the screen (you can see the malware in action in the following video).
However, G DATA security researchers suggest that the user files are not encrypted at all, but that the malware only blocks file access. On the other hand, the ransom note displayed on the infected system claims that the computer has been encrypted using a “military grade encryption algorithm.”
In addition to informing users they have been compromised, the ransom note provides them with details on how they can obtain a decryption key and how they can pay for it. The malware operators are also instructing users to download and install the Tor browser and to pay the ransom using it, allowing the perpetrators to maintain their anonymity.
Petya creators provide users with a 7 days window to pay the ransom, after which they have to pay double the original amount to regain access to their files. Since this type of ransomware is new, researchers are still looking into the nefarious activity it performs on the compromised systems.
According to G DATA, HR department employees are advised to pay additional attention to the files types offered via Dropbox links, especially if they are not documents, as one would expect. The researchers also advise users to disconnect the PC from the network if they get infected, thus ensuring that other computers remain safe, and say that victims should not pay the ransom.
Tim O'Brien, Director of Threat Research at cloud security automation company Palerra, told SecurityWeek that the new threat proves again that user awareness and training are critical to ensuring the security of a company’s network. He also noted that, while Box and Dropbox have been used in malware campaigns before, the targeting vector and having the malware encrypt the entire drive are new.
“Knowing what activity goes in and out of a company’s networks is critical; knowing what cloud services your company uses - and the amount of, and types of, activity [associated] with them is important for deciphering such suspicious events. The capability of analysis file downloads and attachments, as well as motoring (or blocking) execution of such files from abnormal places in the file system, is essential in discovering malicious files. Leveraging DNS blackholes, while monitoring for abnormal DNS requests and replies, is critical for discovering the associated command and control (C&C) traffic,” he said.
“Above all else, end-user awareness and training regarding the screening of emails and downloading of files is the first line of defense. Leveraging technology to automate the business process while minimizing the associated risks helps facilitate operations and negatethe issues described in this blog post,” O'Brien added.