What is the Petya ransomware?
The Petya ransomware is ransomware that infects a victim’s machine mostly via an email attachment and affects the Master Boot Record or MBR and Master File Table or MFT of the system. It also encrypts the files on the system and asks for a ransom of 0.99 Bitcoins from the victim.
How does the Petya ransomware infect a computer?
The Petya ransomware mostly infects a system via an email attachment. As per most of the reported cases, the victim first receives an attachment of an email that seems to be from some applicant seeking a job position. The attachment contains a link to the Dropbox storage location. The link purports to be to the CV and photo of the applicant.
However, the downloadable file contains an executable script. The photo seems to be a stock image that is used without the proper permission of the photographer. On downloading the archive, a malicious trojan starts execution. The trojan first rewrites the MBR of the system.
An MBR or Master Boot Record is an important data structure in the disk that contains a small amount of executable code called the boot loader. When the system starts, the bootloader eventually loads the installed operating system on the system.
The trojan rewrites the MBR. After rewriting the MBR, the malware triggers a critical Windows error and reboots the system. After the system reboots, the malware shows a fake Windows check disk operation. It purports to be correcting hard disk errors, but it actually encrypts the MFT of the system.
The MFT or Master File Table of a system is a file that contains information on every file in the file system. The information includes size, time, date stamps, permission, data contents, etc. Without this MFT, the file system cannot access any file on the system.
There is a trick here. If the attackers had chosen to encrypt the whole file system, it would have taken lots of time. So, they encrypted the MFT instead. Encrypting the MFT is less time-consuming. And it makes the file system inaccessible to the victim.
After the encryption is done, the malware displays a ransom message of 0.99 Bitcoins. It also displays a skull drawn with ASCII characters. The attackers also display on the screen the specific instructions on how to pay the ransom. The ransom message also says the ransom amount will be doubled on …
0 Comments