Petya Ransomware encrypts the MBR (Mar 30, 2016)

By

The Dell Sonicwall Threat Research team has received reports of yet another ransomware called Petya. Over the past year, Ransomware has proven to be an inceasingly lucrative business for cybercriminals and has become very widespread that victims have resorted to paying to get their data back. Petya is no different, but instead of just encrypting files it overwrites the system’s master boot record (MBR) effectively locking the victim out and rendering the machine unusable unless payment is made.

Infection Cycle:

Upon execution, Petya replaces the boot drive’s MBR with a malicious loader which will cause Windows to crash. On reboot, it will display a fake CHKDSK screen.

The victim is then greeted with a flashing skull.

After pressing any key, the instructions on how to pay to get their data back is then displayed.

At this point, the victim is locked out of their machine and renders it useless. Rebooting into safe mode is also not possible. Victims can reformat their computers but will obviously lose all of their data.

Below are the screenshots from the cybercriminal’s well crafted website on the onion network where further instructions are given on how to submit payment in bitcoins. It appears that the group behind Petya Ransomware is calling themselves “Janus Cybercrime Solutions” and are demanding victims to send them 0.95865300 Bitcoins or an equivalent to $395 with the current exchange rate.

Petya Ransomware Step 1</a></td>
<td width = FPetya Ransomware Step 2
Petya Ransomware Step 3</a></td>
<td width = FPetya Ransomware Step 4

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

Dell SonicWALL Gateway AntiVirus provides protection against this threat with the following signatures:

  • GAV: Petya.AB (Trojan)
  • GAV: Petya.AC (Trojan)
  • GAV: Petya.AD (Trojan)
Security News
The SonicWall Capture Labs Threat Research Team gathers, analyzes and vets cross-vector threat information from the SonicWall Capture Threat network, consisting of global devices and resources, including more than 1 million security sensors in nearly 200 countries and territories. The research team identifies, analyzes, and mitigates critical vulnerabilities and malware daily through in-depth research, which drives protection for all SonicWall customers. In addition to safeguarding networks globally, the research team supports the larger threat intelligence community by releasing weekly deep technical analyses of the most critical threats to small businesses, providing critical knowledge that defenders need to protect their networks.