Petya ransomware encrypts files, disks, locks users out of computers

A new type of ransomware does not only encrypt the victims’ files, but also their disk’s Master File Table (MFT), and it replaces the boot drive’s existing Master Boot Record (MBR) with a malicious loader.

It makes the entire computer unusable until the ransom is paid or until the victims decide to cut their losses, repair the MBR themselves, and reinstall Windows.

The ransomware is called Petya, and is currently being delivered via spear-phishing campaigns aimed at German companies’ HR departments. The fake emails are made to look like they are coming from a legitimate job seeker, and instruct the recipient to download the sender’s CV from a Dropbox account.

If the recipient falls for the trick, downloads the file, fails to notice that it’s an executable and runs it, the computer will crash because Petya overwrites the MBR of the entire hard drive. The computer will then show the infamous “Blue Screen of Death,” and reboot.

The next thing the victim sees is a fake CHKDSK notice:

Petya ransomware
The notice is shown to prevent the victim from meddling with the file and MFT encryption process, which goes on in the background. Once it’s done, the victim is faced with a flashing red skull-and-bones image, and then with Petya’s lock screen, which instructs him to pay 0.99 BTC (approximately $430) in order to get the decryption key.

GData researchers have examples of the spear-phishing emails, and a video of Petya in action. Trend Micro researchers confirmed that the ransomware encrypts both part of the disk and victims’ files. They have also notified Dropbox of the fact that their service is being used to propagate the malware, and the company has removed the malicious file along with other links that stored the same file.

The malware doesn’t allow the user to restart the computer in Safe Mode. According to Bleeping Computer’s Lawrence Abrams, there is currently no way to restore the files without paying the ransom, nor to decrypt the MFT.

Users can repair the MBR and reinstall Windows, but all their files will be lost.

“Back in January, there was another short-lived ransomware that was performing the same behavior, but was not as advanced. At that time, though, a sample was not able to be retrieved. It is unsure if Petya is a redesigned version of the previous one shown below,” says Abrams.

As always, the best way to make sure your files will always be safe against ransomware is to back them up regularly – preferably every day.