Petya Ransomware Encrypts Master File Table


The Petya ransomware encrypts a compromised computer’s master file table.

First ransomware locked your desktop. Then it encrypted your files. Not long after, webservers, shared drives and backups were targeted. Now?

Introducing Petya, ransomware that targets the Master Boot Record.

Spotted in email campaigns sent to human resources offices in German companies, the malware encrypts the compromised computer’s master file table and demands .9 Bitcoin in return for the decryption key; that total amounts to about $380 USD.

Researchers at BleepingComputer said on Friday that the malware is spreading in emails that contain a Dropbox link that will lead to a file that installs the ransomware. The malware replaces the boot drive’s Master Boot Record with a malicious loader. The malware forces Windows to reboot and displays a phony check disk (CHKDSK) operation to the victim while the malware executes in the background and encrypts the master file table.

“During this fake CHKDSK stage, Petya will encrypt the Master File Table on the drive,” BleepingComputer wrote in its analysis. “Once the MFT is corrupted, or encrypted in this case, the computer does not know where files are located, or if they even exist, and thus they are not accessible.”

The victim will then see a ransom note displayed before Windows boots explaining that the hard drive is encrypted and provides the victim with directions on how to download Tor in order to access the attacker’s payment website and how to pay the ransom in Bitcoin.

The appearance of Petya is just the latest ransomware strain to arrive with new functionality to frustrate analysts and security countermeasures.

Just last week, a new sample called PowerWare was found on a healthcare network. The malware spreads in spam campaigns and uses social engineering to entice the victim to enable macros in order to view a supposed invoice in an attached Word document. The macro opens a command line and executes the native Windows PowerShell to download a malicious script. The malware is fileless, meaning that it does not load its binaries onto the hard drive. By leveraging PowerShell, it not only writes malware files to the hard drive, but the activity looks like legitimate activity on the machine.

The discovery of PowerShell came on the heels of another Locky attack that took a Kentucky hospital network offline. Locky also relies on the user to enable macros in order to download the malware and encrypt hard drives.

Suggested articles