Tuesday, March 29, 2016

Petya Ransomware

Petya Ransomware is a ransomware that infects a victim's machine, mostly via an email attachment, and tampers with the Master Boot Record (MBR) and Master File Table (MFT) of the system. It also encrypts the files in the system and demands a ransom of 0.99 Bitcoins from the victim to recover the encrypted files.

How does Petya Ransomware infect a computer?

Petya Ransomware mostly infects a system via an email attachment. In most of the reported cases, the victim first receives an email that appears to come from an applicant seeking a job position. The email contains a link to a Dropbox storage location, which purports to hold the CV and photo of the applicant.

But the downloadable file actually contains an executable, and the photo seems to be a stock image, most likely used without the photographer's permission.

On downloading the archive, a malicious trojan starts executing. The trojan first rewrites the MBR of the system.

An MBR, or Master Boot Record, is an important data structure on the disk which contains a small amount of executable code called the boot loader. When the system starts, the boot loader eventually loads the installed operating system.

After rewriting the MBR, the malware triggers a critical Windows error and forces the system to reboot.

When the system reboots, the malware shows a fake Windows check disk operation. It purports to be repairing hard disk errors, but what it is actually doing is encrypting the MFT of the system.

The MFT, or Master File Table, is a file which contains information on every file in the file system: size, time and date stamps, permissions, data contents and so on. Without the MFT, the file system cannot access any file.

There is a trick here. If the attackers had chosen to encrypt the whole file system, it would have taken a lot of time, which the attackers might not have. So they encrypted the MFT instead, which is far less time consuming, and it still served their purpose of making the file system inaccessible to the victim.

After the encryption is done, the malware displays a ransom message of 0.99 Bitcoins which is worth about $430. It also displays a skull drawn with ASCII characters.

The screen also shows specific instructions on how to pay the ransom. The decryption site looks professionally designed, and it says the ransom amount will be doubled if the stated deadline is missed.

Note that because the malware overwrites the MBR, the system can no longer be restarted in safe mode.
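To make the MBR tampering described above concrete, here is an added example (not code from the original post) that parses a raw 512-byte MBR sector, checks its boot signature and partition table, and compares a hash of the boot code against a baseline recorded while the system was clean. The sample sectors are constructed, and the device paths in the comments are assumptions.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446                      # bytes 0..445 hold the boot loader code
PART_ENTRY_FMT = "<B3sB3sII"             # status, CHS start, type, CHS end, LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into boot-code hash, signature check and partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = BOOT_CODE_LEN + i * 16
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                   # type 0 marks an unused slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "valid_signature": sector[510:512] == b"\x55\xaa",
        "partitions": partitions,
    }

def check_mbr(sector: bytes, baseline_boot_hash: str) -> list:
    """Return findings for an MBR compared with a known-good boot-code hash; [] means clean."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_hash:
        findings.append("boot code differs from baseline (possible MBR overwrite)")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector (not a real disk image): boot code, one NTFS entry, signature."""
    entry = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + b"\x55\xaa"

if __name__ == "__main__":
    # In practice the sector is read from the raw device, e.g. open(r"\\.\PhysicalDrive0", "rb").read(512)
    # on Windows (as administrator) or /dev/sda on Linux; here both sectors are constructed.
    good = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")        # constructed "known-good" boot code
    baseline = parse_mbr(good)["boot_code_sha256"]           # record this hash while the host is clean
    tampered = build_sample_mbr(b"\xeb\x00\x90")             # same partition table, rewritten boot code
    print("known-good:", check_mbr(good, baseline))
    print("tampered:  ", check_mbr(tampered, baseline))
```

Recording the boot-code hash as part of a clean-build baseline lets a scheduled job raise an alert as soon as the first sector changes, which is the point at which Petya has written its own loader but not yet rebooted.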

How to prevent Petya Ransomware?

If your system is affected by Petya Ransomware, never pay the ransom to the attackers. Paying the ransom in no way guarantees the recovery of the encrypted data, and extorting ransom from victims is the attackers' main motivation behind these attacks. Giving in to their demands will only worsen the situation.

A number of anti-malware programs provide protection against it. Please make use of them.

And please be careful about opening email attachments from unknown senders or downloading any software from untrusted sources.

So stay aware of the various malware programs and how to fight them, so that you can protect your systems better. And stay safe, stay secured.
