First reported on the Heise Security board, this new threat calls itself “Petya Ransomware”. What makes it different from other ransomware viruses is that it uses a brand new method to infect computers and lock the user out of the machine entirely. Since 2010, the most popular way for ransomware to extort money has been to remain hidden on the victim’s computer long enough to encrypt all of their files, usually with very strong encryption algorithms. The user’s options for recovering the files without paying the ransom boiled down to having a backup copy or using a program that restores deleted files.
The Petya ransomware differs from traditional ransomware viruses in two major ways:
1. The virus is distributed via the Dropbox network.
2. The virus actually overwrites the boot files required to load Windows, completely locking the user out of his computer.
The victim usually first receives a business-related email from someone supposedly applying for a job. Victims are lured into opening a Dropbox storage location that contains the applicant’s CV and other details. When the user tries to open those files, a self-extracting executable runs on the PC; it contains a Trojan horse. The Trojan then blinds any installed anti-virus programs and downloads the Petya ransomware from a remote server.
Once inside the machine, Petya overwrites the master boot record (MBR) of the drive and then crashes Windows with a blue screen of death (BSoD). When the user tries to reboot the PC, the modified MBR prevents Windows from loading normally. Instead, a message containing the ransom demand is displayed: it opens with a red “pirate” skull rendered in ASCII art and then delivers the instructions. Petya claims to have encrypted the user’s files with a military-grade encryption algorithm and demands payment in Bitcoin to a remote TOR site, behaviour typical of ransomware viruses.
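Because the damage described above lives in the first 512 bytes of the disk, a defender can baseline that sector and re-check it. The following is an added example (not code from the original post, and not Petya’s own code) that parses a standard x86 MBR sector, hashes the bootstrap code, and reports deviations from a recorded baseline: a replaced boot code area, a cleared active-partition flag, or a missing `0x55AA` boot signature. The sectors it checks are constructed in memory; reading the real sector 0 (`\\.\PhysicalDrive0` on Windows, `/dev/sda` on Linux) needs administrator rights and is left to the caller.

```python
"""Added example: baseline-and-compare check of a 512-byte MBR sector.

Not code from the original post. The layout offsets are the classic x86
MBR layout; the sample sectors below are constructed, not read from a disk.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439: bootstrap code
DISK_SIG_OFF = 440             # 4-byte Windows disk signature
PART_TABLE_OFF = 446           # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot-code hash, disk signature and partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly %d bytes" % SECTOR_SIZE)
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sector_count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:  # partition type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sector_count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from recorded baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no active (bootable) partition entry")
    return findings


def build_sample_mbr(boot_code: bytes, partitions, disk_sig=0x12345678,
                     signature=BOOT_SIGNATURE) -> bytes:
    """Constructed sample sector (not a real disk image) for the demonstration below."""
    sector = bytearray(SECTOR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba_start, count) in enumerate(partitions):
        off = PART_TABLE_OFF + 16 * i
        sector[off] = 0x80 if bootable else 0x00
        sector[off + 4] = ptype
        struct.pack_into("<II", sector, off + 8, lba_start, count)
    sector[510:512] = signature
    return bytes(sector)


# Constructed "known good" sector: stand-in boot code, one active NTFS (0x07) partition.
CLEAN_MBR = build_sample_mbr(b"KNOWN-GOOD-BOOTCODE", [(True, 0x07, 2048, 1_000_000)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # record this while the disk is healthy
# Constructed "tampered" sector: same partition, replaced boot code, active flag cleared.
TAMPERED_MBR = build_sample_mbr(b"REPLACED-BOOTCODE", [(False, 0x07, 2048, 1_000_000)])

if __name__ == "__main__":
    print("clean:", check_mbr(CLEAN_MBR, BASELINE) or "no findings")
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE))
```

The baseline hash has to be recorded while the machine is known to be healthy and stored off the disk it describes; the check is only as trustworthy as the copy of the baseline it is compared against.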
Some users have also reported that Petya does actually start encrypting files. Unlike traditional ransomware viruses, it doesn’t wait hidden until the user’s files are encrypted; it first enforces the lockdown and then begins the encryption process unperturbed. Don’t allow this to happen: immediately power down your computer!