Security researchers at Trend Micro have found a new type of ransomware that doesn’t encrypt specific files but makes the entire hard drive inaccessible. The malware has been named Petya and targets mainly companies.
As if encrypting files and holding them hostage were not enough, the cybercriminals who create and spread ransomware are now resorting to causing a blue screen of death (BSoD) and putting their ransom note at system startup, before the operating system even loads. Imagine turning on your computer and, instead of the usual Windows logo, getting a flashing red and white screen with a skull-and-crossbones.
A short YouTube video shows it live.
Petya is distributed by sending spear phishing emails to the Human Resources (HR) departments of companies with a link to Dropbox. The email claims the link is a resume (CV), but it actually points to an executable file. As soon as the file is opened, the computer crashes and reboots. After the reboot, the user sees a message stating that the computer is performing a disk analysis. In reality this is when the ransomware does its work on the hard disk.
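The lure described above works because the recipient trusts the label ("a CV") rather than the file itself. The following is an added example, not code from the original post or from Trend Micro, showing the kind of check a mail gateway or download scanner can apply: look at the file's leading bytes and its extension chain instead of the claimed type. It goes slightly beyond the post's single case by also flagging double extensions and document files whose signature does not match. All filenames and byte strings are constructed.

```python
"""Flag a file that is presented as a resume (CV) but is actually a Windows executable.

Added example, not code from the original post. It inspects the file's leading
bytes and its name rather than trusting the label in the e-mail; the filenames
and byte strings below are constructed.
"""

DOCUMENT_EXTENSIONS = {".pdf", ".doc", ".docx", ".rtf", ".txt"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
PE_MAGIC = b"MZ"  # DOS/PE header every Windows .exe starts with
KNOWN_MAGIC = {".pdf": b"%PDF-", ".docx": b"PK\x03\x04"}  # signatures for two document types


def split_name(filename: str):
    """Return (final extension, set of inner extensions), lower-cased."""
    parts = filename.lower().split(".")
    if len(parts) < 2:
        return "", set()
    return "." + parts[-1], {"." + p for p in parts[1:-1]}


def disguise_reasons(filename: str, head: bytes) -> list:
    """Return reasons the file looks like a disguised executable; empty means none found."""
    reasons = []
    final_ext, inner_exts = split_name(filename)
    if head.startswith(PE_MAGIC):
        reasons.append("content starts with an MZ header, so it is a Windows executable")
        if final_ext in DOCUMENT_EXTENSIONS:
            reasons.append(f"name ends in {final_ext} but the bytes are not a document")
    if final_ext in EXECUTABLE_EXTENSIONS and inner_exts & DOCUMENT_EXTENSIONS:
        reasons.append("double extension: a document name followed by an executable extension")
    expected = KNOWN_MAGIC.get(final_ext)
    if expected and not head.startswith(expected) and not head.startswith(PE_MAGIC):
        reasons.append(f"{final_ext} file does not start with its expected signature")
    return reasons


# Constructed samples: filename -> first bytes of the file
SAMPLES = {
    "resume_jane.pdf": b"%PDF-1.5\n%\xe2\xe3\xcf\xd3",
    "resume_jane.pdf.exe": b"MZ\x90\x00\x03\x00\x00\x00",
    "cv_john.docx": b"MZ\x90\x00\x03\x00\x00\x00",
    "cv_john.exe": b"MZ\x90\x00\x03\x00\x00\x00",
}


def triage(samples: dict) -> dict:
    """Run the check over every sample and return the reasons keyed by filename."""
    return {name: disguise_reasons(name, head) for name, head in samples.items()}


if __name__ == "__main__":
    for name, reasons in triage(SAMPLES).items():
        print(name, "->", reasons or "looks consistent")
```

Only the first few bytes of each file are needed, so the same function can run on a download before it is written to disk or on an attachment pulled from a mail queue. The extension lists are deliberately short; a production filter would extend them and would also block executable attachments outright for HR mailboxes.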
The ransomware doesn’t encrypt the HDD but overwrites the Master Boot Record (MBR). After the fake disk analysis, a skull is shown together with a message stating that the disk is encrypted. Through a Tor website it’s possible to purchase a decryption key for 0.99 Bitcoin ($412.50), a price that doubles after a week.
With the MBR overwritten, the PC cannot be started in Safe Mode, although the actual files don’t seem to be encrypted. It’s unclear whether it’s possible to restore the MBR and regain access to the HDD. We will update this post when more data becomes available.
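Because the damage here is to the first sector of the disk rather than to individual files, the defensive control is an MBR baseline: save a copy of the 512-byte sector while the machine is known good, and periodically verify it. The following is an added example, not code from the original post or from Trend Micro, and it does not reproduce Petya's boot code. It parses an MBR image, validates the 0x55AA boot signature and the partition table, and compares the 446-byte bootstrap area with a known-good hash. Every MBR image in it is constructed.

```python
"""Check a 512-byte Master Boot Record (MBR) image for tampering.

Added example, not code from the original post or from Trend Micro, and it does
not reproduce Petya's boot code. The checks are generic: validate the 0x55AA boot
signature, sanity-check the four partition entries, and compare the 446-byte
bootstrap area with a hash recorded while the disk was known good. Every MBR
image below is constructed for this example.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_SIZE = 446          # bytes 0..445: boot code
PARTITION_TABLE_OFFSET = 446  # bytes 446..509: four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
ENTRY_FORMAT = "<B3xB3xII"    # status, CHS start (skipped), type, CHS end (skipped), LBA start, sectors


def parse_partitions(mbr: bytes) -> list:
    """Return the four partition table entries as dicts."""
    entries = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(
            ENTRY_FORMAT, mbr, PARTITION_TABLE_OFFSET + 16 * i)
        entries.append({"status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries


def bootstrap_hash(mbr: bytes) -> str:
    """SHA-256 of the boot code area only, so legitimate partition edits do not trip the check."""
    return hashlib.sha256(mbr[:BOOTSTRAP_SIZE]).hexdigest()


def check_mbr(mbr: bytes, baseline_bootstrap_sha256: str) -> list:
    """Return a list of findings; an empty list means nothing suspicious was seen."""
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    if bootstrap_hash(mbr) != baseline_bootstrap_sha256:
        findings.append("bootstrap code differs from known-good baseline")
    partitions = parse_partitions(mbr)
    for p in partitions:
        if p["status"] not in (0x00, 0x80):
            findings.append(f"invalid partition status byte 0x{p['status']:02x}")
    if sum(1 for p in partitions if p["status"] == 0x80) > 1:
        findings.append("more than one active partition")
    return findings


def build_mbr(bootstrap: bytes, partitions: list) -> bytes:
    """Assemble a test MBR from boot code and (status, type, lba_start, sectors) tuples."""
    code = bootstrap[:BOOTSTRAP_SIZE].ljust(BOOTSTRAP_SIZE, b"\x00")
    table = b"".join(struct.pack(ENTRY_FORMAT, *p) for p in partitions).ljust(64, b"\x00")
    return code + table + BOOT_SIGNATURE


# Constructed stand-in for a stock boot loader; a real one differs byte for byte.
CLEAN_BOOTSTRAP = b"\xfa\x33\xc0\x8e\xd0" + b"Invalid partition table\x00"
PARTITIONS = [(0x80, 0x07, 2048, 204800)]                # one active NTFS-type partition
CLEAN_MBR = build_mbr(CLEAN_BOOTSTRAP, PARTITIONS)
BASELINE = bootstrap_hash(CLEAN_MBR)                      # record this while the disk is known good
TAMPERED_MBR = build_mbr(b"\xeb\x00" * 100, PARTITIONS)  # boot code replaced, table untouched

if __name__ == "__main__":
    import sys
    # Usage: python mbr_check.py <512-byte dump> <baseline sha256>; with no arguments, run the samples.
    if len(sys.argv) == 3:
        with open(sys.argv[1], "rb") as f:
            print(check_mbr(f.read(MBR_SIZE), sys.argv[2]))
    else:
        print("clean:   ", check_mbr(CLEAN_MBR, BASELINE))
        print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

On a Linux host the sector can be captured with `dd if=/dev/sda of=mbr.bin bs=512 count=1` (as root) and the baseline hash taken from that file; keeping the full 512-byte copy, not just the hash, is what makes restoring the MBR straightforward if it is ever overwritten. The hash covers only the bootstrap area so that normal partition changes do not raise false alarms; the partition table gets its own structural checks.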
Hat Tip to Myce.
Get the most informative ransomware hostage rescue manual. This 20-page manual (PDF) is packed with actionable info that you need to prevent infections, and what to do when you are hit with malware like this. You also get a Ransomware Attack Response Checklist and Prevention Checklist.