A new kind of ransomware has been noticed recently. It’s called Petya (according to Wikipedia this is a Bulgarian female given name or a Russian diminutive for the male given name Piotr). The Petya ransomware takes a whole new approach to messing up your computer.
Unfortunately this newcomer takes matters very seriously: it aims not just to prevent you from accessing your files (like the usual crypto-ransomware) but simply ruins your whole disk by tampering with the MBR and encrypting the MFT.
The Petya ransomware is delivered by e-mails containing links to malicious files on Dropbox. An e-mail arrives from an unknown applicant who is interested in a position at the victim’s company, with a link to a Dropbox file. Abuse of a legitimate cloud storage service such as Dropbox for this kind of delivery is very rare. Upon being informed about the shenanigans Dropbox fortunately took the reported files down, but the damage was already done and the malware will probably turn up elsewhere very soon.
The Dropbox folder contains two files: a self-extracting executable (the “resume”) and the applicant’s picture (which turns out to be a stock photo). Once downloaded, the “resume” extracts itself and starts the Trojan activities. This Trojan manages to blind any antivirus program before downloading and executing the Petya ransomware.
Once the Petya ransomware is executed, it replaces the existing Master Boot Record on the boot drive with a malicious loader. The Master Boot Record is the very first sector of the boot drive and contains the information about how the partitions and the file systems are organized on the disk, as well as executable code which loads the operating system. It is this executable code that is overwritten by the ransomware to make it point to the Petya code instead of the operating system.
The malware causes a system crash (Blue Screen of Death) and a system reboot.
If the system boots with this malicious loader, the inserted Petya code will be loaded and executed. This code shows a screen which resembles CHKDSK (the Windows utility used to repair errors on a disk). During this fake CHKDSK stage Petya encrypts the MFT on the drive. The MFT is a vital part of the filesystem since it maps which files are located where on the disk. Without the MFT the system is unable to locate any file. It will essentially seem like the whole disk has been wiped.
[Figure: fake CHKDSK screen]
So with a simple MBR rewrite and MFT encryption the ransomware manages to make the whole disk inaccessible and prevents you from booting up the normal operating system.
Like all ransomware, Petya provides an “easy way” to unlock your data: simply visit a designated web page and pay the ransom (currently about 0.99 BTC or 360 EUR).
There are currently no known ways to decrypt the information without the decryption key you receive from the Petya crew. Since the MFT of the boot disk is encrypted, your files can no longer be found by the system and are now seen as unallocated space.
The first step is to get your system to boot the operating system again. This means repairing the MBR. If you’re using Windows you can try startup repair by using a Windows DVD (or repair CD). There is a very interesting guide available here and here.
With this restore your operating system should be able to boot again.
If you can’t seem to get your Windows installation repaired you can opt to do a complete reinstall.
The files are however still lost in unallocated space either way (since the MFT is unreadable). There are tools available to recover lost files and partitions on HDDs. You can find a bunch of recovery applications with a lovely interface, but unfortunately most of them are either quite weak or not free. An interesting option is TestDisk, a text-based application for partition recovery which is quite powerful and above all free of charge. Another option is PhotoRec for file carving and recovery. There is also professional software available which can recover a lot more, but the pricing is often pretty steep.
Please note that Petya currently only attacks the boot disk. Other disks should remain untouched. More recent versions could however extend the attack to other disks.
If your Windows was installed on an SSD drive (as is the case more and more these days) you will not be able to recover any information from this SSD. SSD technology works with a trim function which removes any unused (deleted) information from the disk. In this case the Petya ransomware encrypts the MFT, and since it’s impossible to decrypt this information without the key, it is essentially lost if you decide not to pay. Because your computer now thinks the disk contains no information, the disk will be wiped clean by the trim function.
The Petya malware first causes a system crash and then reboots the computer to load its malicious code. It shows a screen that resembles CHKDSK, and while it is showing this screen it is encrypting the MFT. This means that your data can still be saved if you stop the encryption process (or prevent it from happening). There is an option in Windows, automatic restart after system crash, which is enabled by default. By turning this off you can prevent the computer from automatically rebooting (and starting the encryption process) after the crash. You can then remove the disk and mount it in another computer as a second disk. Make sure however not to boot from your disk when you start that other computer! Simply mount the disk, access it and retrieve your files. You can also use for example a bootable USB drive (just make sure to boot from the correct device, or else the malicious code on the disk will be executed and will encrypt the MFT!).
Another option is to avoid the consequences of the infection entirely by not using MBR. Petya only attacks a very specific target: the MBR of the boot disk. This means that you will not be affected if your computer is not using MBR.
MBR (Master Boot Record) is the partitioning scheme which is coupled with the use of BIOS (Basic Input Output System). There is however a newer standard available instead of BIOS which is called UEFI (Unified Extensible Firmware Interface). UEFI has a lot of advantages over BIOS and provides for example more security. The UEFI is coupled with the GPT (GUID Partition Table) partitioning scheme.
Recent Windows versions (8, 8.1 and 10) use UEFI by default and therefore have GPT instead of MBR. This makes them immune to the current Petya malware.
Older Windows versions use BIOS+MBR by default but can be “persuaded” to use UEFI+GPT if the hardware supports it. You can’t however simply change a setting on your computer to switch from BIOS+MBR to UEFI+GPT: you need a complete reinstall.
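As an added example (not code from the original post), here is a Python check that parses sector 0 the way the MBR description above lays it out: bootstrap code, four partition entries and the 0x55AA signature. It hashes the bootstrap code against a baseline recorded from a known-good disk, so an overwrite like Petya’s shows up as a hash mismatch, and it recognises a GPT protective entry (type 0xEE) so you can tell which partitioning scheme the disk uses. The baseline hash, the sample sectors and the function names are my own constructions.

```python
"""Boot-sector check for the MBR traits discussed above. Hypothetical example
code, not part of the original post or of any Petya analysis tool."""
import hashlib
import struct

BOOT_CODE_LEN = 446          # bootstrap code occupies bytes 0..445 of sector 0
PART_TABLE_OFF = 446         # four 16-byte partition entries follow it
GPT_PROTECTIVE_TYPE = 0xEE   # partition type of a GPT "protective" MBR entry

def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte boot sector into code, partition entries and signature."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    entries = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba, count = struct.unpack_from("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i)
        entries.append({"bootable": status == 0x80, "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == b"\x55\xaa",
        "is_gpt_protective": any(e["type"] == GPT_PROTECTIVE_TYPE for e in entries),
    }

def assess(sector: bytes, baseline_sha256: str) -> list:
    """Return findings for a sector; an empty list means nothing to report."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector damaged or overwritten")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline: possible MBR rewrite")
    if info["is_gpt_protective"]:
        findings.append("disk uses GPT; sector 0 holds only a protective MBR entry")
    return findings

def build_sector(boot_code: bytes, ptype: int, signature: bytes = b"\x55\xaa") -> bytes:
    """Construct a sample sector with one partition entry (test data, not a real disk)."""
    entry = struct.pack("<B3xB3xII", 0x80, ptype, 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + signature

# Constructed samples: a "clean" sector whose code hash we record as baseline,
# the same disk after its bootstrap code has been replaced, and a GPT disk.
CLEAN = build_sector(b"\xfa\x33\xc0\x8e\xd0", 0x07)
BASELINE = hashlib.sha256(CLEAN[:BOOT_CODE_LEN]).hexdigest()
REWRITTEN = build_sector(b"\x90" * 64, 0x07)
GPT_DISK = build_sector(b"\xfa\x33\xc0\x8e\xd0", GPT_PROTECTIVE_TYPE)
```

On a real machine you would record the baseline hash while the system is known to be healthy and compare a fresh 512-byte image of sector 0 against it; the comparison only tells you that the code changed, not what changed it.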
The following guide shows you how you can force Windows 7 to install with UEFI + GPT. It is however extremely important to make sure your hardware (motherboard) supports UEFI. If it does not support UEFI it will not work.
Since malware keeps evolving it is not impossible that Petya will eventually target GPT as well. Fortunately UEFI provides some extra features which can increase security. By using Secure Boot or Trusted Boot, for example, the system can prevent malicious code from being injected into the Windows boot process.