Encryption can be used to secure your personal communication from prying eyes, keep your banking details secure, and plenty of other great things. However, it's also the key to an increasingly common form of malware called ransomware. When a computer is hit by a piece of ransomware, the user's files are encrypted, and only paying a ransom in Bitcoin will get you the key to unlock them. There's a new variant of ransomware floating around, and it takes things to the extreme. Rather than just encrypting files, the Petya malware encrypts your entire hard drive.
Petya is actually very clever with the way it goes about locking up a computer. After it is installed, the system will spontaneously reboot. Instead of booting normally, the computer loads what appears to be a system CHKDSK. As one would expect, this screen makes it very clear that shutting off the PC in the middle of this operation would be a very bad idea. That’s all just a smokescreen, though. In reality, Petya is using disk-level encryption to lock the system down. The PC’s master boot record has already been compromised at this point, so shutting down won’t do any good.
When the process is complete, the user gets the classic ransomware sales pitch: your files are encrypted — pay up if you ever want to see that data again. In this case, the hard drive itself (including the OS) is inaccessible until the proper decryption key is entered. A number of German businesses have been targeted by Petya already, but the amount requested is surprisingly low at just 0.9 Bitcoins (about $380). The payment must be submitted to a Tor hidden service, which then provides the necessary key.
This approach to ransomware is especially devious in a few ways. With the system disabled, there’s little to no chance for the user to retrieve additional data from the drive. The PC’s original master boot record is also encrypted, so there’s no way to restore it to normal working order without the decryption key. Many pieces of ransomware have to pick and choose what to encrypt, usually going for files in the user’s personal directory. However, it’s possible the important things are elsewhere on the hard drive. That’s not a problem for Petya as it just locks down the whole disk.
The good news is that Petya can’t install itself silently. Because it’s making changes to the boot environment, Windows will pop up a security warning. Users have to click through that in order for Petya to gain control of the system. People will still do that, but at least you have a chance to stop Petya before it’s too late.
Annexure;
Petya Ransomware skips the Files and Encrypts your Hard Drive Instead
- March 25, 2016
Typically, when a user becomes infected by crypto-ransomware, the infection targets and encrypts the files on the victim's hard drives. This leaves the operating system working properly, but with the user unable to open the encrypted documents. The Petya Ransomware takes it to the next level by encrypting portions of the hard drive itself, so that nothing on the drive, including Windows, can be accessed. At the time of this writing, the ransom payments are at ~.9 bitcoins and there is no way to decrypt your drive for free.
This ransomware is currently being distributed via emails that are targeting the human resources departments of German companies. These emails contain dropbox links to supposed applications that download a file that when executed will install the Petya Ransomware on the computer. An example filename for the installer is Bewerbungsmappe-gepackt.exe.
It is important to note that there is a lot of bad information on the web about how to fix your computer once it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command or repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT, so your files and Windows will still be inaccessible. Only repair the MBR if you do not care about the lost data and want to reinstall Windows.
Back in January, there was another short-lived ransomware that performed the same behavior, but was not as advanced. At that time, though, no sample could be retrieved. It is unclear whether Petya is a redesigned version of the previous one shown below.
The Petya Ransomware Encryption Process
When first installed, the Petya Ransomware will replace the boot drive's existing Master Boot Record, or MBR, with a malicious loader. The MBR is information placed at the very beginning of a hard drive that tells the computer how it should boot the operating system. Petya will then cause Windows to reboot in order to execute the new malicious loader, which displays a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya encrypts the Master File Table (MFT) on the drive. Once the MFT is corrupted, or encrypted in this case, the computer does not know where files are located, or whether they even exist, and thus they are not accessible.
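Since the first visible change Petya makes is to the MBR, a defender can baseline the bootstrap area of the first sector and alert when it changes. The following is an added example, not code from the article: it parses a 512-byte MBR (boot code, four partition entries, 0x55AA signature), hashes the boot code and compares it with a recorded baseline. The sector bytes are constructed here; on a real system they would be read from the first sector of the boot disk or a forensic image. Note that a changed MBR only tells you the loader was replaced; as the article says, restoring it does not recover the encrypted MFT.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bootstrap code area before the disk signature
PART_TABLE_OFFSET = 446      # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_LEN
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
            "partitions": partitions,
            "valid_signature": sector[510:512] == BOOT_SIGNATURE}


def check_mbr(current: bytes, baseline_hash: str) -> dict:
    """Compare the live MBR against a previously recorded boot-code hash."""
    info = parse_mbr(current)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_hash:
        findings.append("boot code differs from recorded baseline")
    return {"clean": not findings, "findings": findings, "partitions": info["partitions"]}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample MBR (not real disk data): one bootable NTFS partition at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 1_000_000)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


BASELINE_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\x90" * 100)   # constructed "known good" loader
BASELINE_HASH = parse_mbr(BASELINE_MBR)["boot_code_sha256"]       # what a baseline job would store
TAMPERED_MBR = build_sample_mbr(b"\xfa\x31\xc0" + b"\xcc" * 100)   # constructed: loader bytes replaced

if __name__ == "__main__":
    for name, mbr in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE_HASH))
```

The partition table is left untouched in the tampered sample on purpose: a loader swap that keeps the partition layout intact is exactly the case a hash of only the bootstrap bytes still catches.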
Once the fake CHKDSK is completed, you will be presented with a lock screen that displays instructions on connecting to a Tor site and a unique ID you must use on the site to make the ransom payment. Once a ransom payment has been made, you will receive a password that you can enter into this screen to decrypt your computer.
How the Petya Ransomware encrypts your drive is illustrated in the video below.
Getting your password in 5 steps on the Petya Decryption Site
When a victim visits the site they will be presented with a CAPTCHA page. Once a captcha is entered they will be shown the first page of the decryption site, which provides information on what has happened to the computer.
If a user clicks on "Start the decryption process", they will be walked through a 5 step process where they learn how to make a payment and eventually retrieve a password. These steps are displayed below.
The fifth and final step becomes available when a ransom payment is sent to the associated address. It is assumed that the fifth step will display a page that contains the password you must enter into the lock screen on the victim's computer. Once a password is entered, the ransomware will decrypt the MFT and restore the original MBR. This will then allow you to boot back into Windows and access your files again.
As already stated, there is currently no way to decrypt your drive for free. Researchers are analyzing this ransomware, though, so it may be possible in the future.