Petya ransomware targets entire drives, not just files

JC Torres - Mar 28, 2016
1
Petya ransomware targets entire drives, not just files

Ransomware is quickly becoming the new darling among hackers looking to make a quick buck. Although it doesn’t exactly jump from one infected computer to another, given how it works, it is actually more destructive and possibly more profitable than a common trojan or virus. We’ve seen recently what is probably the worst ransomware out in the wild. Now we’re being told there’s a potentially more destructive one as well. Called Petya, the ransomware tries to encrypt your entire hard drive for maximum damage and maximum profit.

Most ransomware work the same way. Via social engineering methods, users are deceived into download a file, usually a program, that they then run. While the visuals and screens may vary, they all work the same way, encrypting a user’s files. And then they display a message demanding a ransom in exchange for the key to decrypt the files and restore access. Whether or not the culprits actually hand over the key after payment has been made depends on the source and degree of malicious intent.

Petya sets itself apart by the volume of data it tries to encrypt. While most ransomware are content encrypting single files, usually documents that seem important, Petya goes for the entire hard drive instead. After the user unwittingly runs the ransomware carrying program, Petya takes over the bootloaded and restarts the computer. Then it will display a screen informing the user that Windows is performing a check disk operation when, in fact, it is already tying to encrypt the entire disk in the process. Once done, it reveals its true colors, literally, directing the victim to browse to a specific website using TOR for anonymity. The website, in turn, contains instructions on how to pay the ransom. The ransom doubles in price after 7 days.

There is still some hope. G DATA is still investigating the rather young ransomware but they believe that, at least at this stage, no files are actually encrypted yet. The malware simply blocks access to the hard drive right from booting the computer. If their investigation proves fruitful, victims might not have to pay a single sent. That is, until Petya ransomware writers wise up and do actual damage.

SOURCE: G DATA


Must Read Bits & Bytes