{"id":5388,"date":"2016-03-30T07:54:02","date_gmt":"2016-03-30T11:54:02","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=5388"},"modified":"2020-02-26T18:59:57","modified_gmt":"2020-02-26T14:59:57","slug":"petya-ransomware","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/petya-ransomware\/5388\/","title":{"rendered":"Petya ransomware eats your hard drives"},"content":{"rendered":"<p>It looks like 2016 should be declared the year of ransomware: new families and new versions keep popping up like mushrooms after rain.<\/p>\n<p>Ransomware is evolving fast. Current families use strong asymmetric encryption with long keys, so files cannot be decrypted without the key held by the attackers. The criminals have also moved to Tor and bitcoin payments to stay anonymous. And now there is Petya, which in effect locks the whole hard drive at once instead of encrypting files one by one.<\/p>\n<h3>How Petya gets its hands on your PC<\/h3>\n<p>Petya is a piece of ransomware\u00a0<a href=\"https:\/\/blog.gdatasoftware.com\/2016\/03\/28213-ransomware-petya-encrypts-hard-drives\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">discovered by G Data SecurityLabs<\/a>. It targets mostly business users, since it is distributed in spam emails that pretend to contain job applications. The standard infection scenario looks like this:<\/p>\n<p>An HR employee receives an email from someone seeking a position in the company. 
The email contains a Dropbox link to a file that claims to be the applicant's CV but is actually an executable (EXE).<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Petya <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> encrypts master file table via <a href=\"https:\/\/twitter.com\/threatpost?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">@threatpost<\/a> <a href=\"https:\/\/t.co\/kCpbUcT1kV\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/kCpbUcT1kV<\/a> <a href=\"https:\/\/t.co\/9e6YjTkEVV\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/9e6YjTkEVV<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/714547644492824576?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 28, 2016<\/a><\/p><\/blockquote>\n<p>The employee opens the file but never sees a CV. Instead the computer crashes to a\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Blue_Screen_of_Death\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Blue Screen of Death<\/a>. That means Petya has made its way onto the PC and started its dirty work.<\/p>\n<h3>Your hard drive belongs to us<\/h3>\n<p>Common ransomware usually encrypts files of certain types (pictures, Office documents and so on) and leaves the operating system unharmed so that the victim can still use the PC to pay the ransom. 
But Petya is far more brutal: it aims to block access to the whole hard drive.<\/p>\n<p>In a nutshell, no matter how your hard drive is organized, whether it holds one partition or several, there is a small area at the very beginning of the disk that you never see in Explorer: the\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/Master_boot_record\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Master Boot Record (MBR)<\/a>. On a classically partitioned disk this first sector holds the partition table (how many partitions there are and where each one starts) and a small piece of code that begins booting the operating system: the boot loader.<\/p>\n<p>The boot loader always runs BEFORE the operating system, and that is exactly what Petya attacks: it overwrites the boot loader so that, on the next reboot, the PC runs Petya's own code instead of the installed operating system.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Researchers Learning More About <a href=\"https:\/\/twitter.com\/hashtag\/Petya?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Petya<\/a> Ransomware: <a href=\"https:\/\/t.co\/WwOQ1mEsRb\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/WwOQ1mEsRb<\/a> <a href=\"https:\/\/t.co\/O4TaS593ta\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/O4TaS593ta<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/714911391795322880?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 29, 2016<\/a><\/p><\/blockquote>\n<p>To the user it looks as if Check Disk (CHKDSK) is running, which is what you would expect after a crash. What Petya is actually doing at this moment is encrypting the\u00a0<a href=\"https:\/\/en.wikipedia.org\/wiki\/NTFS#Internals\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Master File Table<\/a>. 
The MFT is another part of the disk you never see directly: on an NTFS volume it is the index of every file and folder, recording their names, attributes and where on the disk their contents are stored.<\/p>\n<p>Think of your hard drive as a vast library holding millions or even billions of items, with the Master File Table as the library's index. That picture is greatly simplified, so let us make it more realistic: on a hard drive 'books' are rarely stored as whole volumes, but rather as single pages or even scraps of paper, in heaps, and in no particular order.<\/p>\n<p>You can now imagine how hard it would be to find a single 'book' if someone stole the index. That is exactly what Petya does: the file contents stay on the disk, but without the MFT nothing can say which scraps belong to which file.<\/p>\n<p><span class=\"embed-youtube\" style=\"text-align:center; display: block;\"><iframe class=\"youtube-player\" type=\"text\/html\" width=\"640\" height=\"390\" src=\"https:\/\/www.youtube.com\/embed\/yfCt35RTR-U?version=3&amp;rel=1&amp;fs=1&amp;showsearch=0&amp;showinfo=1&amp;iv_load_policy=1&amp;wmode=transparent\" frameborder=\"0\" allowfullscreen=\"true\"><\/iframe><\/span><\/p>\n<p>Once the encryption is done, Petya reveals its true face: a skull drawn in ASCII characters. Then the usual routine begins: the malware demands a ransom of 0.9 bitcoin (about $380 at the time) in exchange for decrypting the drive and returning your files.<\/p>\n<p>One practical difference from other ransomware is that the Petya ransom screen is completely offline, which is no surprise since the operating system no longer boots. The victim therefore has to find another computer to reach the payment site.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">Let's talk <a href=\"https:\/\/twitter.com\/hashtag\/Ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#Ransomware<\/a>. 
Would you pay the <a href=\"https:\/\/twitter.com\/hashtag\/hackers?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#hackers<\/a> ransom?<\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/714874484910632960?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">March 29, 2016<\/a><\/p><\/blockquote>\n<h3>Fighting Petya<\/h3>\n<p>Unfortunately, as with other recent ransomware families, at the time of writing researchers have not found a way to decrypt data encrypted by Petya. There are still a few things you can do to protect yourself and your data, and there is some good news regarding Petya's distribution.<\/p>\n<p>The good news is that Dropbox has removed the malicious archives containing Petya from its cloud storage, so the criminals will have to find another distribution channel. The bad news is that it probably won't take them long.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\">10 tips to protect your files from ransomware <a href=\"https:\/\/t.co\/o0IpUU9CHb\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/o0IpUU9CHb<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/iteducation?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#iteducation<\/a> <a href=\"https:\/\/t.co\/I47sPIiWFF\" target=\"_blank\" rel=\"noopener nofollow\">pic.twitter.com\/I47sPIiWFF<\/a><\/p>\n<p>\u2014 Kaspersky (@kaspersky) <a href=\"https:\/\/twitter.com\/kaspersky\/status\/671348678607642624?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">November 30, 2015<\/a><\/p><\/blockquote>\n<p>So, back to protection. What can you do?<\/p>\n<p>1. 
At the moment the Blue Screen of Death appears, your data is still intact: Petya has replaced the boot code but has not yet encrypted the Master File Table. That happens only after the reboot, behind the fake Check Disk screen. So if your computer shows a BSOD, reboots and starts what looks like Check Disk, cut the power immediately, before the 'check' finishes. You can then remove the hard drive, attach it to a clean computer as a secondary disk (never boot from it!) and copy your files off.<\/p>\n<p>2. Petya encrypts only the MFT and leaves the file contents themselves untouched, so a data-recovery specialist can still salvage files from the raw disk. Be warned that this is intricate, time-consuming and expensive, and because the index is gone, recovery means carving file contents out of the disk: original file names and folder structure are often lost, and heavily fragmented files may come back incomplete. Don't try it at home: one mistake can lose your files for good.<\/p>\n<p>3. The best approach is to protect yourself proactively with a good security solution.\u00a0<a href=\"https:\/\/me.kaspersky.com\/en\/free-trials\/multi-device-security?redef=1&amp;reseller=me-en_kismdtribuild_trd_ona_smm__onl_b2c__lnk_______\" target=\"_blank\" rel=\"noopener noreferrer\">Kaspersky Internet Security<\/a>\u00a0will keep the spam emails out, so you will probably never see the message with the link to Petya. Even if Petya somehow sneaks in, it is detected as Trojan-Ransom.Win32.Petr and Kaspersky Internet Security blocks all its activity, as do all our other anti-virus products.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>It looks like 2016 should be declared a year of ransomware, as new families and new versions are popping up every now and then like mushrooms after the rain. 
Ransomware<\/p>\n","protected":false},"author":696,"featured_media":5389,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[1153,1154,433,1155,1156],"class_list":{"0":"post-5388","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-hospital-ransomware","10":"tag-petya","11":"tag-ransomware","12":"tag-what-is-ransomware","13":"tag-year-of-ransomware"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/petya-ransomware\/5388\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/petya-ransomware\/3772\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/petya-ransomware\/6941\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/petya-ransomware\/6956\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/petya-ransomware\/6915\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/petya-ransomware\/8044\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/petya-ransomware\/7827\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/petya-ransomware\/11447\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/petya-ransomware\/11715\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/petya-ransomware\/5481\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/petya-ransomware\/7375\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/petya-ransomware\/10875\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/petya-ransomware\/11447\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/petya-ransomware\/11715\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/petya-ransomware\/11715\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/hospital-ransomware\
/","name":"hospital ransomware"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5388","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/696"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=5388"}],"version-history":[{"count":3,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5388\/revisions"}],"predecessor-version":[{"id":16022,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/5388\/revisions\/16022"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/5389"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=5388"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=5388"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=5388"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
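The following script is an added example and is not code from the original post or from Kaspersky. It turns the 'Your hard drive belongs to us' section and protection tips 1 and 2 into a concrete offline triage check: read the suspect disk (or an image of it) from a clean machine, verify the MBR and its partition table, locate the NTFS $MFT from the volume boot record, and test whether the $MFT records still carry their FILE signature. The constructed test disk, the placeholder boot code, the baseline hash and the XOR scrambling used to simulate an encrypted MFT are all assumptions made for illustration; they are not Petya's actual loader or cipher.

```python
"""Offline triage of a disk image for Petya-style boot-record and MFT damage.

Added example, not code from the original post. It assumes a classic MBR
partitioned disk carrying one NTFS volume and a SHA-256 of the boot code
recorded while the machine was healthy. Everything below is constructed so the
script runs stand-alone; on a real case read the suspect drive read-only from
a clean analysis machine and pass those bytes to triage().
"""
import hashlib
import struct

SECTOR = 512
NTFS_OEM_ID = b"NTFS    "
MFT_RECORD_SIGNATURE = b"FILE"
PART_TYPE_NTFS = 0x07


def parse_mbr(img: bytes) -> dict:
    """Read sector 0: boot-code hash, 0x55AA signature and the primary partition table."""
    mbr = img[:SECTOR]
    partitions = []
    for i in range(4):
        entry = mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        status, ptype, start_lba, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype:  # type 0 means an unused slot
            partitions.append({"type": ptype, "start_lba": start_lba,
                               "sectors": sectors, "bootable": status == 0x80})
    return {"signature_ok": mbr[0x1FE:0x200] == b"\x55\xAA",
            "bootcode_sha256": hashlib.sha256(mbr[:0x1BE]).hexdigest(),
            "partitions": partitions}


def parse_ntfs_vbr(img: bytes, start_lba: int) -> dict:
    """Read the NTFS volume boot record and locate $MFT from its BIOS parameter block."""
    vbr = img[start_lba * SECTOR:(start_lba + 1) * SECTOR]
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    (mft_lcn,) = struct.unpack_from("<Q", vbr, 0x30)
    (rec,) = struct.unpack_from("<b", vbr, 0x40)  # negative => record size is 2 ** -rec
    cluster = sectors_per_cluster * bytes_per_sector
    return {"oem_ok": vbr[3:11] == NTFS_OEM_ID,
            "mft_offset": start_lba * SECTOR + mft_lcn * cluster,
            "mft_record_size": (1 << -rec) if rec < 0 else rec * cluster}


def count_intact_mft_records(img: bytes, mft_offset: int, record_size: int, count: int) -> int:
    """Healthy $MFT records begin with 'FILE'; an encrypted MFT loses that marker."""
    return sum(1 for i in range(count)
               if img[mft_offset + i * record_size:][:4] == MFT_RECORD_SIGNATURE)


def triage(img: bytes, known_good_bootcode_sha256: str = "", records_to_check: int = 2) -> dict:
    """Verdict: 'clean', 'bootcode-modified' (MFT intact, files recoverable) or 'mft-damaged'."""
    mbr = parse_mbr(img)
    findings = []
    if not mbr["signature_ok"]:
        findings.append("MBR boot signature 0x55AA missing")
    if known_good_bootcode_sha256 and mbr["bootcode_sha256"] != known_good_bootcode_sha256:
        findings.append("MBR boot code differs from the known-good baseline")
    ntfs = [p for p in mbr["partitions"] if p["type"] == PART_TYPE_NTFS]
    if not ntfs:
        return {"verdict": "unknown", "findings": findings + ["no NTFS partition in MBR"], "mft_intact": 0}
    vbr = parse_ntfs_vbr(img, ntfs[0]["start_lba"])
    if not vbr["oem_ok"]:
        findings.append("NTFS volume boot record OEM ID is not 'NTFS'")
    intact = count_intact_mft_records(img, vbr["mft_offset"], vbr["mft_record_size"], records_to_check)
    if intact < records_to_check:
        findings.append(f"only {intact}/{records_to_check} $MFT records carry the FILE signature")
        verdict = "mft-damaged"
    else:
        verdict = "bootcode-modified" if findings else "clean"
    return {"verdict": verdict, "findings": findings, "mft_intact": intact}


def build_image(stage: str) -> bytes:
    """Constructed 7-sector disk: MBR, NTFS VBR at LBA 1, $MFT (two 1 KiB records) at LBA 3.

    stage: 'clean'; 'mbr-only' (boot code replaced, fake CHKDSK not yet run);
    'mbr-and-mft' (the MFT has been scrambled too). The placeholder boot code and
    the XOR scrambling are illustration only, not Petya's loader or cipher.
    """
    bootcode = b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * (0x1BE - 7)
    entry = struct.pack("<B3xB3xII", 0x80, PART_TYPE_NTFS, 1, 6)  # bootable NTFS, LBA 1..6
    mbr = bootcode + entry + b"\x00" * 48 + b"\x55\xAA"
    vbr = bytearray(SECTOR)
    vbr[0:3], vbr[3:11] = b"\xEB\x52\x90", NTFS_OEM_ID
    struct.pack_into("<HB", vbr, 0x0B, SECTOR, 1)  # 512 bytes/sector, 1 sector/cluster
    struct.pack_into("<Q", vbr, 0x30, 2)           # $MFT at LCN 2, i.e. LBA 3
    struct.pack_into("<b", vbr, 0x40, -10)         # record size 2 ** 10 = 1024 bytes
    vbr[0x1FE:0x200] = b"\x55\xAA"
    record = MFT_RECORD_SIGNATURE + b"\x30\x00\x03\x00" + b"\x00" * 1016
    mft = record * 2
    if stage != "clean":
        mbr = b"\xFA\x90" * (0x1BE // 2) + mbr[0x1BE:]  # foreign loader, partition table kept
    if stage == "mbr-and-mft":
        mft = bytes(b ^ 0x5A for b in mft)             # simulated MFT encryption
    return mbr + bytes(vbr) + b"\x00" * SECTOR + mft


if __name__ == "__main__":
    baseline = parse_mbr(build_image("clean"))["bootcode_sha256"]  # recorded while healthy
    for stage in ("clean", "mbr-only", "mbr-and-mft"):
        print(f"{stage:12} -> {triage(build_image(stage), baseline)}")
```

Run it as-is to see the three verdicts. For a real drive, replace build_image(...) with the bytes read from the block device opened read-only on the analysis machine and supply a boot-code hash recorded while the machine was healthy. A verdict of bootcode-modified with every checked $MFT record intact is the window described in tip 1: the boot loader is gone, but the files can still be copied off.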