Petya ransomware goes for broke and encrypts hard drive Master File Tables

Chances are you’ll notice you’ve got a problem when the red skull appears during boot-up…

[Image: Petya skull boot screen]

A new strain of ransomware replaces the Master Boot Record (MBR) and encrypts the Master File Table on an infected Windows computer's hard drive, thereby essentially locking a victim out of all of their files.

Jasen Sumalapao, a malware analyst at Trend Micro, explains in a blog post that attackers were distributing the ransomware, which has been dubbed Petya, via a malicious email campaign targeting the human resource departments of German companies:

"Victims would receive an email tailored to look and read like a business-related missive from an applicant seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant’s CV."

Abusing a legitimate file-sharing service like Dropbox to serve up malware is fairly unusual. Most other crypto-ransomware samples, including Locky, either arrive embedded in malicious Microsoft Word email attachments or as the payloads of various exploit kits.

In the campaign observed by Sumalapao, the Dropbox folder came with two files: a stock photograph .JPG and a self-extracting executable.

[Image: Petya self-extracting archive]

The latter file loaded a trojan onto the machine, which then surreptitiously downloaded Petya.

Once fully installed, Petya begins by replacing the Master Boot Record, the code stored in the first sector of a hard drive that tells the computer how to boot an operating system. Overwriting it prevents the computer from loading the OS correctly and also disables booting into Safe Mode.

The Petya ransomware then sets its sights on encrypting not individual files but the Master File Table (MFT), a file on NTFS partitions that contains critical information about every other file, including their name and size.

Lawrence Abrams of Bleeping Computer provides more details:

"Petya causes Windows to reboot in order to execute the new malicious ransomware loader, which will display a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya will encrypt the Master File Table on the drive. Once the MFT is corrupted, or encrypted in this case, the computer does not know where files are located, or if they even exist, and thus they are not accessible."
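The MBR replacement described above is the one step in this chain a defender can cheaply baseline and check. The script below is an added example, not code from this article, Trend Micro or Bleeping Computer: it parses a 512-byte MBR, records a hash of the boot code together with the disk signature and partition table, and reports what changed when a later read of the first sector is compared against that baseline. Both sample MBRs are constructed inside the script so it runs offline; on a real host you would read the first 512 bytes of the physical disk (for example `\\.\PhysicalDrive0` on Windows, with administrator rights, which is an assumption about your environment) and keep the baseline somewhere the machine cannot overwrite it. A change found this way tells you the bootloader was replaced; it does not recover an encrypted MFT, which is consistent with the FixMBR caveat later in the article.

```python
import hashlib
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"  # boot signature at offset 510


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, disk signature, partition table and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:440]                                  # bootloader code area
    disk_signature = struct.unpack("<I", sector[440:444])[0]  # Windows disk signature
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        entry = sector[off:off + 16]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack("<II", entry[8:16])
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_signature,
        "partitions": partitions,
        "signature_valid": sector[510:512] == MBR_SIGNATURE,
    }


def compare_to_baseline(current: bytes, baseline: bytes) -> list:
    """Return human-readable findings; an empty list means the MBR matches the baseline."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_valid"]:
        findings.append("boot signature 0x55AA missing")
    if cur["boot_code_sha256"] != base["boot_code_sha256"]:
        findings.append("boot code changed")
    if cur["disk_signature"] != base["disk_signature"]:
        findings.append("disk signature changed")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table changed")
    return findings


def build_mbr(boot_code: bytes, disk_signature: int, partitions: list) -> bytes:
    """Assemble a synthetic MBR from boot code, disk signature and (status, type, lba, sectors) tuples."""
    if len(boot_code) != 440:
        raise ValueError("boot code area is 440 bytes")
    table = b""
    for status, ptype, lba, sectors in partitions:
        # CHS fields are left zeroed; modern systems use the LBA fields
        table += struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, sectors)
    table += b"\x00" * 16 * (4 - len(partitions))
    return boot_code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + MBR_SIGNATURE


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a disk device or raw image (needs elevated rights on a real device)."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


# Constructed sample data: a known-good MBR with one bootable NTFS (type 0x07) partition,
# and the same disk after its bootloader code has been overwritten.
BASELINE_MBR = build_mbr(bytes(i % 256 for i in range(440)), 0x1A2B3C4D, [(0x80, 0x07, 2048, 1_000_000)])
TAMPERED_MBR = build_mbr(b"\xCC" * 440, 0x1A2B3C4D, [(0x80, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("clean:   ", compare_to_baseline(BASELINE_MBR, BASELINE_MBR))
    print("tampered:", compare_to_baseline(TAMPERED_MBR, BASELINE_MBR))
```

Run the check on a schedule or at boot from trusted media; a changed boot-code hash with an unchanged partition table is exactly the pattern a bootloader replacement produces, whereas a changed partition table points at a different class of problem (repartitioning, disk swap).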

[Video: a YouTube recording of the fake CHKDSK stage was embedded here in the original post]

With the MFT encrypted, the ransomware presents a ransom message to the user, instructing them to visit a site via the Tor browser where they are instructed to pay 0.99 BTC (approximately US $418) in ransom.

If the victim fails to pay in a week's time, the attackers' demand doubles in value.

[Image: Petya ransom payment website]

Tim O'Brien, Director of Threat Research at cloud security automation company Palerra, told SecurityWeek there are a number of measures sysadmins and security personnel can take to check this threat.

When it comes to protecting an organization against ransomware, however, O'Brien stresses that emphasis should be firmly placed on user awareness:

"Above all else, end user awareness and training regarding the screening of emails and downloading files is the first line of defense. Leveraging technology to automate the business process while minimizing the associated risks helps facilitate operations and negate issues described in this blog post."

After being informed of the ransomware, Dropbox removed the folder and all other linkable locations to the malware. The company issued the following statement:

"We take any indication of abuse of the Dropbox platform very seriously and have a dedicated team that works around the clock to monitor and prevent misuse of Dropbox. Although this attack didn’t involve any compromise of Dropbox security, we have investigated and have put procedures in place to proactively shut down rogue activity like this as soon as it happens."

For those who have been exposed to Petya, there is no way to recover one's information without paying the ransom if a secure backup isn't available. Abrams notes that affected organizations can repair the MBR (for instance with the FixMBR command) to remove the lock screen, but that will not restore access to one's files. Those steps should therefore be taken only in situations where the encrypted data is inconsequential.

All organizations should implement some form of security awareness training with their employees, which should include anti-phishing exercises. They should also maintain regular back-ups of their business-critical data.

Have you ever been hit by ransomware?



6 Responses

  1. coyote

    March 29, 2016 at 7:19 pm #

    Quite an ingenious way to install ransomware. But wouldn't hardware prevention of writing to the MBR prevent this? (Not to say everyone has this set up). And are there not ways to prevent software from writing to the MBR even under Windows? I actually back up the lower level parts of my disks but many wouldn't know how. But I don't use Windows so: I presume in order to back up the MFT you would have to use a low level disk utility? Or is it possible to do this in Windows in general? (I don't know anything about the MFT so maybe this is moot)

    Regardless of that it's still a brilliant (albeit scary) idea. I liken this to a multipartite virus but instead of infecting files it encrypts them (or the FS rather). Let's hope it doesn't trap a certain interrupt (and maybe I've said too much there already .. but those who understand my meaning would think of this anyway .. if Graham or anyone else feels it shouldn't be said then by all means edit it out! I'm on the fence about it; it seems to me that you generally need not give criminals ideas for they will think it themselves – although I wouldn't go out of my way to tell these kinds of people how they could 'improve' their implementation there are many occasions where I could if I had no ethics).

  2. The Gray Adder

    March 30, 2016 at 3:17 pm #

    The $64,000 question is, why would anyone submit a resume as a .exe? It sure would behoove sysadmins to educate Pam in HR that normal people don't do this.

  3. Mark Jacobs

    March 30, 2016 at 3:40 pm #

    What fool would run an unknown .exe file on their computer system because of some email? As far as I am concerned, you'd have to be mad to run any .exe from an unknown source, without downloading it first and running it through virustotal.com, at the very least. I despair of these idiots!

    • Graham Cluley in reply to Mark Jacobs.

      March 30, 2016 at 10:56 pm #

      I'm not sure it's fair to call people idiots for running an unknown EXE on their computers.

      Yes, if you've been taught about computer security and dangerous files then you'll know that that's not a good idea – but just because *we* know that, it doesn't mean that the great unwashed public are as clued up about the threat…

      And I suspect a much smaller percentage of computer users are aware of sites like VirusTotal.

      The problem, I believe, is that computers are sold and portrayed as a consumer-friendly, easy-to-use product – but they're not always like that. Sometimes they are more like the classic car that Uncle Mervyn keeps in the shed, and has been tinkering with for years to get to work properly. They need specialist knowledge – knowledge that most people simply do not have.

      I drive a car, but I know next to nothing about them. I just expect it to work, and with my minimum knowledge weave my way from place to place.

      Why should computer users have to be experts? Isn't it understandable if they are under the apprehension that security software will just 'handle' any potential complicated nasty stuff that might happen and protect them from coming to harm?

      • Mark Jacobs in reply to Graham Cluley.

        March 31, 2016 at 1:49 pm #

        Much of what you say is true. I tip my hat. However, running applications willy-nilly on your PC is like chucking all sorts of objects into the running engine on your car – you shouldn't be expecting nothing at all to go wrong!

        • coyote in reply to Mark Jacobs.

          April 1, 2016 at 3:29 am #

          Question: What is sorely lacking in this world? Awareness.

          And let's not forget that Windows (stupidly I might add) hides (by default) last I knew the extension so that:

          file.txt.exe

          would be displayed as file.txt … ask yourself what happens if they double click on that (I don't know about in email but the point is still valid)?

          And Graham touches on an important point: computer users don't care how it works as long as it works! That's all they care about! You can argue against this all you want and you can say that people are right in saying schools are right to teach programming (or as they call it 'coding' which isn't the same thing) because just like maths and reading are important so too is knowing how computer software is created. Except it isn't and to those people I say the following: they've never been a developer of software with many users – if any users at all (and writing it for their friend or next door neighbour doesn't count). They probably haven't been asked by friends and family to help them with their computers very often. So perhaps those who have should educate these people who think they know best? I would offer except I have little patience for people like them (and I am admittedly not the best teacher). The only thing users care about is it works – they don't care how or why; all they care about is it works. Nothing else. This is incontrovertible.
