PETYA ransomware targets enterprise users via the cloud and overwrites MBRs
Crypto-ransomware is the malware du jour, and the likes of TelsaCrypt 4 and KeRanger are just some of the names to hit the headlines recently. One of the latest examples of ransomware, PETYA, is taking a slightly different and more worrying approach -- it not only targets enterprise users, but also encrypts entire hard drives rather than just a selection of files.
PETYA -- also known as RANSOM_PETYA.A -- goes to some lengths to make sure that victims know that their computers are infected, overwriting the MBR (Master Boot Record) to display a ransom note during the boot process. The malware uses a "military grade encryption algorithm" to lock users out of their files, and victims are directed to venture onto the dark web using the Tor browser to make a Bitcoin ransom payment.
Security experts at Trend Micro have shard details of PETYA, highlighting the eye-catching skull and crossbones warnings that victims are faced with. The ransomware is spread using a combination of email and the cloud, targeting enterprise users by emailing fake job applications to targets. The victim is encouraged to click a link to download a file from Dropbox -- this is an executable which installs PETYA and causes a BSoD.
Once infection has taken place, the victim is completely locked out of their computer thanks to the fact that the MBR has been overwritten. As Trend Micro points out, the attack vector means that booting into safe mode is not possible meaning users are left with a choice between paying the ransom or losing access to their files -- although, presumably, enterprise users will have backups in place.
The ransom price starts at 0.99 Bitcoins (around $431), but a countdown timer on the Onion site used to accept payment warns that unless money is handed over quickly, the price will go up. This scare tactic is used to encourage victims to cough up the cash.
With no removal tool available, the advice is -- once again -- to take care when opening attachments or following links.