The new ransomware, which has been dubbed Petya (after the notification it shows to the user), is the first of its kind to encrypt entire hard drives.
The researchers at G DATA SecurityLabs discovered a set of files associated with this new type of ransomware. Ransomware families such as Locky, CryptoWall or TeslaCrypt usually encrypt individual files. Petya targets the entire hard drive instead of individual files or file types.
This malware campaign is obviously aimed at companies. The email, disguised as a job application and sent to the HR department, references a Dropbox download link from which a 'job application portfolio' can allegedly be downloaded.
When the link is followed, an EXE file is downloaded. The German file name translates to 'application_portfolio-packed.exe'.
When the EXE file is run, the PC crashes with a bluescreen and reboots. Prior to the reboot, the Master Boot Record (MBR) of the system is manipulated in a way that allows Petya to control the boot process. When the system restarts it displays the following:
This dialog claims to run a system check, but in fact this is the point at which the files on the PC are made inaccessible to the user. As of this writing we assume that the files themselves are not encrypted and that only access to them is blocked.
Only once the supposed system check is completed does Petya show its true colors, and the victim realizes the mistake.
After pressing a key, further instructions are displayed.
To cover their tracks, the attackers behind Petya make use of Tor.
On the website it is further claimed that the hard drive was encrypted using a "military grade encryption algorithm". Further information explains how to obtain a decryption key and how to pay for it. After seven days the price for the decryption key doubles.
As of this writing we assume that only the file access is blocked but the files themselves are not encrypted. Experts at the G DATA SecurityLabs are still analyzing this new type of ransomware.
G DATA Customers are protected.
Petya is detected as 'Win32.Trojan-Ransom.Petya.A'; the associated URLs have already been blocked. More information will be made available pending the completion of the analysis.
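Because Petya takes over the boot process by rewriting the MBR, one defensive check is to record a hash of the boot sector's bootstrap code on a clean system and compare the live sector against it later. The following is an added example (not G DATA's code or the malware's): it parses the 512-byte MBR layout, flags a changed bootstrap code, a missing 0x55AA signature or no bootable partition, and runs against two constructed sample sectors rather than a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446           # bytes 0..445 hold the bootstrap code the BIOS executes
PART_TABLE_OFFSET = 446        # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xAA"   # the last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, partition entries and signature check."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    partitions = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        # entry layout: boot flag, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
        flag, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, offset)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"bootable": flag == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a freshly read MBR with the recorded baseline; an empty list means no change."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition flagged bootable")
    return findings

def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR: given boot code, one bootable NTFS (type 0x07) partition, signature."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed data: a "known good" sector recorded before infection, and one whose boot code was replaced.
CLEAN_MBR = build_sample_mbr(b"\xEB\x3C\x90CLEAN-BOOT-CODE")
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]
TAMPERED_MBR = build_sample_mbr(b"\xEB\x3C\x90REPLACED-BOOT-CODE")

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE))        # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))  # ['bootstrap code differs from baseline']
```

On a live Linux host the real sector would be read as root with open("/dev/sda", "rb").read(512) and compared against a baseline hash stored off the machine, since a baseline kept on the same disk can be altered along with the MBR.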
How to stay safe:
A new Petya wave has been rolling for the past four hours. The malicious file is again hosted on Dropbox. An analysis is already underway.