New ransomware skips files, encrypts your whole hard drive

If Petya infects your computer, you will not be able to access your operating system whatsoever -- and there's no cure.
Written by Charlie Osborne, Contributing Writer

A strain of ransomware which encrypts your systems from the ground up and renders operating systems useless has been discovered in the wild.

Ransomware infections can be amongst the most devastating. This particular breed of malware encrypts system files, locks systems and restricts access to user files, before demanding a ransom payment in virtual currency.

If a user refuses or is unable to pay and no unlocking software is available, they may lose access to their files for good.

While most ransomware focuses on infecting systems in order to lock files, a new breed called Petya goes further -- by completely removing access to hard drives and operating systems.

Security researcher Lawrence Abrams from Bleeping Computer explored the malware's path in a blog post last week.

Abrams says that the ransomware has been detected targeting the HR departments of German companies. Phishing emails are being sent to targeted firms containing Dropbox links to applications which install Petya on systems when executed.

When the ransomware is installed, the master boot record (MBR) is replaced with a malicious loader and the system is then forcefully rebooted. This then causes Windows machines to load the malicious code rather than the operating system.

A screen then appears which pretends to be the system tool check disk (CHKDSK) and runs a 'scan.' As this fake scan proceeds, Petya is encrypting the Master File Table on the drive.

"Once the MFT is corrupted, or encrypted in this case, the computer does not know where files are located, or if they even exist, and thus they are not accessible," the researcher notes.

The infection is then complete and user disks are inaccessible. Users are presented with a lock screen demanding a payment in Bitcoin and containing instructions on how to connect to the Tor network, visit a specific .onion page and pay the fee.
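Because the first thing Petya does is overwrite the MBR, a defender can baseline the boot sector and alert when the bootstrap code changes while the partition table stays intact; the following added example (not code from the article or from Bleeping Computer) parses a constructed 512-byte MBR image and diffs it against a recorded baseline. The article's caveat still applies: spotting or restoring a replaced MBR does nothing for an MFT that has already been encrypted, so this is an early-warning check, not a recovery tool.

```python
"""Offline MBR integrity check (added example; not code from the article or Bleeping Computer).
Parses a 512-byte MBR (446 bytes bootstrap code, four 16-byte partition entries, 0x55AA
signature) and diffs it against a known-good baseline. All sector images are constructed."""
import hashlib
import struct

BOOT_CODE_LEN = 446            # bytes 0..445 hold the bootstrap code the BIOS jumps into
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511
PARTITION_ENTRY = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Return bootstrap-code hash, the non-empty partition entries and signature state."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(PARTITION_ENTRY, sector, 446 + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions, "signature_ok": sector[510:] == BOOT_SIGNATURE}


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a freshly read MBR with the recorded baseline; return the deviations found."""
    current, findings = parse_mbr(sector), []
    if not current["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code changed (possible bootloader replacement)")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table changed")
    return findings


def make_sector(boot_code: bytes) -> bytes:
    """Build a constructed MBR with one bootable NTFS partition (sample data, not a real disk)."""
    entry = struct.pack(PARTITION_ENTRY, 0x80, 0x07, 2048, 1_000_000)
    return boot_code.ljust(BOOT_CODE_LEN, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE


CLEAN_MBR = make_sector(b"\xfa\x33\xc0\x8e\xd0")       # constructed stand-in for stock boot code
TAMPERED_MBR = make_sector(b"\xeb\x3c\x90FAKE-LOADER")  # constructed: bootstrap region rewritten

if __name__ == "__main__":
    baseline = parse_mbr(CLEAN_MBR)  # record this while the machine is known good
    print(check_mbr(CLEAN_MBR, baseline))     # []
    print(check_mbr(TAMPERED_MBR, baseline))  # ['bootstrap code changed (possible bootloader replacement)']
```

On a live system the sector would be read from the raw disk device with administrative rights and the baseline stored off-host, since anything on the encrypted drive is unreachable once the MFT is gone.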

Victims must then enter their unique user ID so that their systems can be unlocked after payment.

A video demonstrating how Petya encrypts drives is below:

There are no current solutions to this infection, and with a steep ransom price of 0.9 BTC ($370), users have few options. The researcher says that even using the FixMBR command or attempting to fix the master boot record through other means is useless, as "it will not decrypt your MFT and thus your files and Windows will still be inaccessible."

In other words, repairing the MBR is only an option if users do not mind losing data and going back through the installation process for Windows.

Dropbox has removed the malicious link and a spokesman told ZDNet:

"We take any indication of abuse of the Dropbox platform very seriously and have a dedicated team that works around the clock to monitor and prevent misuse of Dropbox. Although this attack didn't involve any compromise of Dropbox security, we have investigated and have put procedures in place to proactively shut down rogue activity like this as soon as it happens."

There is some good news, however. A number of researchers, including a security professional from Malwarebytes who operates under the handle Hasherezade and Fabian Wosar from Emsisoft, are on the case.
