Typically, when a user becomes infected by crypto-ransomware, the infection targets and encrypts the files on the victim's hard drives. This leaves the operating system working properly, but the user is unable to open the encrypted documents. The Petya Ransomware takes it to the next level by encrypting portions of the hard drive itself, so that you are unable to access anything on the drive, including Windows. At the time of this writing, the ransom payments are at ~0.9 bitcoins and there is no way to decrypt your drive for free.
This ransomware is currently being distributed via emails that target the human resources departments of German companies. These emails contain Dropbox links to supposed applications; the link downloads a file that, when executed, installs the Petya Ransomware on the computer. An example filename for the installer is Bewerbungsmappe-gepackt.exe.
It is important to note that there is a lot of bad information on the web about how to fix your computer when it has been encrypted by Petya. Many of these sites state that you can use the FixMBR command or repair your MBR to remove the infection. Though this will indeed remove the lock screen, it will not decrypt your MFT, and thus your files and Windows will still be inaccessible. Only repair the MBR if you do not care about the lost data and want to reinstall Windows.
Back in January, there was another short-lived ransomware that performed the same behavior, but was not as advanced. At that time, though, a sample could not be retrieved. It is unclear whether Petya is a redesigned version of the previous one shown below.
The Petya Ransomware Encryption Process
When first installed, the Petya Ransomware will replace the boot drive's existing Master Boot Record, or MBR, with a malicious loader. The MBR is information placed at the very beginning of a hard drive that tells the computer how it should boot the operating system. Petya then causes Windows to reboot in order to execute the new malicious ransomware loader, which displays a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya encrypts the Master File Table (MFT) on the drive. Once the MFT is corrupted, or encrypted in this case, the computer does not know where files are located, or even whether they exist, and thus they are not accessible.
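Because the first visible action described above is the replacement of sector 0, the defender-side check is to parse the MBR and compare its boot code against a recorded baseline. The following is an added example (not code from the article or from any recovery tool it mentions); the sample MBRs, the placeholder boot code bytes and the SHA-256 baseline approach are all constructed for the demonstration.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446           # bytes 0..445: bootstrap code, the part a malicious loader replaces
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR

def parse_mbr(sector: bytes) -> dict:
    """Split sector 0 into a boot-code hash, the partition entries and the 0x55AA signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly one 512-byte sector")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, 3-byte CHS start (skipped), type, 3-byte CHS end (skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:
            entries.append({"bootable": status == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": entries,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }

def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline (possible bootloader replacement)")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no partition marked active")
    return findings

def build_mbr(boot_code: bytes, partitions) -> bytes:
    """Constructed sample MBR for this demo; not read from a real disk."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code[:BOOT_CODE_LEN]
    for i, (status, ptype, lba_start, sectors) in enumerate(partitions):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF + 16 * i,
                         status, ptype, lba_start, sectors)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed "clean" MBR: placeholder boot code, one active NTFS (type 0x07) partition at LBA 2048.
CLEAN_MBR = build_mbr(b"\xeb\x63\x90" + b"\x00" * 443, [(0x80, 0x07, 2048, 204800)])
BASELINE = parse_mbr(CLEAN_MBR)["boot_code_sha256"]   # recorded while the system was known-good
# Constructed "tampered" MBR: same partition table, but the first-stage code has been swapped out.
TAMPERED_MBR = build_mbr(b"\xfa\x31\xc0" + b"\x41" * 443, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    for name, mbr in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, check_mbr(mbr, BASELINE) or "OK")
```

On a live system the 512 bytes would be read from the first sector of the boot disk (on Windows, `\\.\PhysicalDrive0`, which requires administrator rights); the baseline hash has to be captured before infection, since the tampered sector gives no reference to compare against.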
Once the fake CHKDSK is completed, you will be presented with a lock screen that displays instructions on connecting to a Tor site and a unique ID you must use on the site to make the ransom payment. Once a ransom payment has been made, you will receive a password that you can enter into this screen to decrypt your computer.
How the Petya Ransomware encrypts your drive is illustrated in the video below.
Getting your password in 5 steps on the Petya Decryption Site
When a victim visits the site, they will be presented with a CAPTCHA page. Once the CAPTCHA is entered, they will be shown the first page of the decryption site, which provides information on what has happened to the computer.
If a user clicks on "Start the decryption process", they will be walked through a 5-step process in which they learn how to make a payment and eventually retrieve a password. These steps are displayed below.
The fifth and final step becomes available when a ransom payment is sent to the associated address. It is assumed that the fifth step displays a page containing the password you must enter into the lock screen on the victim's computer. Once the password is entered, the ransomware decrypts the MFT and restores the original MBR. This then allows you to boot back into Windows and access your files again.
As already stated, there is currently no way to decrypt your drive for free. Researchers are analyzing this ransomware, though, so it may be possible in the future.
Comments
Wolfnet - 8 years ago
If you were to use data recovery software that ignores the MFT and looks through the disk would that still work to retrieve the files? I've had success in the past with drives with a corrupt MFT getting files off using this type of software. IIRC I used "Spinright" or something like that.
Lawrence Abrams - 8 years ago
Unfortunately, that is outside my level of knowledge when it comes to repairing an MFT. If it's possible to recreate an MFT based on other data on the drive, then I see no reason why this would be a problem. Not sure if this is possible though.
Wolfnet - 8 years ago
Cool, thanks for the reply. The amount of ransomware out there is getting a bit crazy.
Demonslay335 - 8 years ago
Really is getting hectic. I'd say it's becoming a "byte" crazy. :D
fearnothing - 8 years ago
I used to be a forensic analyst (now a security analyst).
If the ransomware encrypts only the MFT, then the majority of the files would be recoverable even by simple file recovery tools - if a file is contiguous on the disk then all you have to do is read the disk block by block and check for matches against known magic bytes (and then figure out where the end of the file is - usually not too difficult). Fragmented files would be a lot trickier, I'd have to go back and do some reading about NTFS to find out if it was at all possible. I think it highly unlikely that you could return the OS to a working state, but you should be able to get most user data back without paying.
ScathEnfys - 8 years ago
In my experience, such programs are fairly good. Never tried to recover an entire drive of data from them though. In any case, filenames will be lost and guesswork may be required to determine the file type.
natepiano - 8 years ago
What about if you had bitlocker or some sort of protection that doesn't allow access to the MBR?
Lawrence Abrams - 8 years ago
If a software can prevent another program from overwriting the MBR, then this malware would not affect the computer.
CKing123 - 8 years ago
Some BIOS/EFI/UEFI do have an option to prevent the MBR or GPT from being changed. This can pose a problem when installing or upgrading an OS, so you go into the BIOS to disable it, and then install it, but for the most part, it doesn't cause any other problems.
DownGrader - 8 years ago
I've actually seen this feature in BIOS of various computers since the late 90s. It was even called "Anti-Virus Protection", for what it's worth.
CKing123 - 8 years ago
Back during the DOS days, boot viruses were pretty common
Ron_ - 8 years ago
I found this article hxxp:// nabzsoftware.com/types-of-threats/petya-ransomware and the solution they offer is simple as hell. If you don't want to go there, I copied the first thing you should do in order to boot into Windows. "The infected person needs to power down their machine, turn it back on and repeatedly hit the F2, ESC or DEL key to enter BIOS configuration. Then, the victim should proceed to the Boot tab, select the correct boot device, save the changes and exit the interface. The OS should now launch like it usually does." Is that possible?
Lawrence Abrams - 8 years ago
What they propose makes absolutely no sense to me.
The MBR has been overwritten with a malicious loader. How does changing the boot device help ?
Then they are having people download programs that you need to get into Windows for that cost money to actually fix anything?
In my opinion, that whole guide screams "I never actually tested this ransomware, have no idea what I am talking about, and am just going to try to sell people software when they are vulnerable."
Demonslay335 - 8 years ago
Those were my exact thoughts. Plus it's software I consider junkware anyway. Another guide that pretends it has the solution to decrypt your data, only to say "restore from backups"... Amazing how quickly these cookie-cutter articles appear before I even see the legit info posted on the ransomwares this week.
Lawrence Abrams - 8 years ago
"Amazing how quick these cookie-cutter articles appear before I even see the legit info posted on the ransomwares this week."
Sketchy isn't it?
I forgot to mention that even if you replace the MBR, the drive would still be encrypted, so no luck there.
ScathEnfys - 8 years ago
Hang on a second... if it ONLY encrypts the file table, then the files themselves are NOT encrypted and can be easily recovered with an "undelete" tool, no? This ransomware's strength may also be its weakness...
Do we have a VM malware sample to test this method on? Filenames may be lost but that's a small price to pay.
EDIT: Just realized I restated what @Wolfnet said. I really need to get to sleep...
Lawrence Abrams - 8 years ago
Correct, but it's still a nightmare, as I believe the files will not be named correctly. You would then need to go through each file to determine what it was.
tuankiet65 - 8 years ago
Since this only encrypts the MFT, not the files, one could use PhotoRec to recover the files, as PhotoRec bypasses the file system layer and finds files by comparing bytes to a database of file signatures instead (although the original file structure can't be recovered because it's in the encrypted MFT).
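fearnothing's block-by-block scan for known magic bytes and the PhotoRec approach described in the comment above are the same recovery idea: ignore the unreadable MFT and carve contiguous files straight out of the raw disk. This is an added example, not code from the article, either commenter or PhotoRec; the disk image, the 512-byte scan granularity and the 64 MiB length cap are constructed assumptions, and the signatures are the standard ones for those formats.

```python
BLOCK = 512  # NTFS file data starts on cluster boundaries, which are multiples of the sector size

# (header, footer) signatures; each is the standard marker for its format
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),   # embedded thumbnails can end a JPEG early
    "pdf": (b"%PDF-", b"%%EOF"),            # incrementally updated PDFs have several %%EOF markers
    "gif": (b"GIF8", b"\x00;"),
}
MAX_LEN = 64 * 1024 * 1024  # give up on a header whose footer is not found within this distance

def carve(image: bytes, signatures=SIGNATURES, block=BLOCK, max_len=MAX_LEN):
    """Scan the raw image block by block; return (offset, kind, data) for each contiguous file found."""
    found = []
    off = 0
    while off < len(image):
        hit = None
        for kind, (header, footer) in signatures.items():
            if image.startswith(header, off):
                end = image.find(footer, off + len(header), off + max_len)
                if end != -1:
                    hit = (off, kind, image[off:end + len(footer)])
                # footer missing: truncated or fragmented file, nothing trustworthy to carve
                break
        if hit:
            found.append(hit)
            end = off + len(hit[2])
            off = (end + block - 1) // block * block   # resume at the next block boundary
        else:
            off += block
    return found

def name_carved(found):
    """Name output the way carvers do (file000001.png); the real names lived in the unreadable MFT."""
    return {f"file{i:06d}.{kind}": data for i, (_, kind, data) in enumerate(found, 1)}

def make_sample_image() -> bytes:
    """Constructed disk image: first four blocks stand in for the encrypted MFT, then three files."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 100 + b"IEND\xaeB`\x82"
    pdf = b"%PDF-1.4\n%constructed\n" + b"x" * 700 + b"\n%%EOF\n"   # spans two blocks
    jpg = b"\xff\xd8\xff\xe0" + b"\x11" * 40 + b"\xff\xd9"
    image = bytearray(10 * BLOCK)
    for data, blk in ((png, 4), (pdf, 6), (jpg, 8)):
        image[blk * BLOCK: blk * BLOCK + len(data)] = data
    return bytes(image)

if __name__ == "__main__":
    for name, data in name_carved(carve(make_sample_image())).items():
        print(name, len(data), "bytes")
```

Fragmented files are the gap both commenters point out: a footer found past a cluster that belongs to another file yields garbage, which is why the carver treats a missing footer as "skip" rather than guessing.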
ScathEnfys - 8 years ago
The problem is that, like previously mentioned recovery software, one would have to look through each file to determine what it was. You can compare hashes for programs and system files, but personal info would take forever to sift through.
jbasile - 8 years ago
But what if you just take your hd out and put it in an enclosure and access it from another computer? Are the files themselves encrypted? Or just the MBR? Could you just copy your files off the HD as an external and just re-image the drive?
----Nevermind I see. It messes with the MFT---- that sucks....
robby501 - 8 years ago
I currently have MWB Anti-Exploit and MWB AntiRansomware (beta) installed and running on my notebook courtesy of the free downloads available on B.C. (which I am very thankful to B.C. for, of course!). My question is, how effective are these suites likely to be against this 'new' (and other) types of Ransom/Cryptoware?
Also, one more question....I am purely a recreational PC user who only has music files stored on my PC, which are all backed up to disc. If this 'new' harddisc-attacking Rware gets on my PC, will I simply be able to reset my PC back to factory settings at the expense of having to re-install everything including Windows 10, or would my entire device be rendered completely useless?
Lawrence Abrams - 8 years ago
No, it only affects your data. If you don't care about the data, you can wipe the drive, and reinstall windows on it.
robby501 - 8 years ago
Thanks for your prompt reply. All I need to know.
QQQQ - 8 years ago
Sounds kinda stupid to me, how can you pay them (if you wanted to) if your computer won't boot? Some people only have 1 computer.
Lawrence Abrams - 8 years ago
At the time of this writing the ransomware was currently targeting German companies.
robby501 - 8 years ago
"Sounds kinda stupid to me, how can you pay them (if you wanted to) if your computer won't boot? Some people only have 1 computer."
I'm no expert, but it seems like this is targeted more towards big corporations where the criminals know there will be multiple computer terminals on site and where the data is likely to be more precious and important. If private users like myself get infected, I don't really think they care if we pay or not - and whether or not we are able to is of no concern to them! Having read lately about Rware showing up at hospitals, it really makes me shudder that lives are being put at risk if data regarding things like patients' blood types, medication records, allergies, medical history etc etc etc is being encrypted in this manner. These cyber criminals are quite literally using sick patients as pawns to get their ransom money! When and if they ever get caught, it should be treated as attempted murder - or worse!
ajac63 - 8 years ago
"Sounds kinda stupid to me, how can you pay them (if you wanted to) if your computer won't boot? Some people only have 1 computer."
"I'm no expert, but it seems like this is targeted more towards big corporations where the criminals know there will be multiple computer terminals on site and where the data is likely to be more precious and important. If private users like myself get infected, I don't really think they care if we pay or not - and whether or not we are able to is of no concern to them! Having read lately about Rware showing up at hospitals, it really makes me shudder that lives are being put at risk if data regarding things like patients' blood types, medication records, allergies, medical history etc etc etc is being encrypted in this manner. These cyber criminals are quite literally using sick patients as pawns to get their ransom money! When and if they ever get caught, it should be treated as attempted murder - or worse!"
I thought the same. Some part of Windows must boot; if not all of it, to be able to access the Internet. Also as soon as I saw 'don't turn your computer off....', I would do just that and then the same for the router.
David Lemler - 8 years ago
Would a good antivirus like Bitdefender or Emsisoft or an anti ransomware program like WinAntiRansom be able to block something like this without signatures? I know Bitdefender Antiransomware would catch any ransomware that encrypts your files after Windows has loaded, but because it does the encrypting before Windows loads, would a good antivirus or anti ransomware program be able to block it? Also, would something like Comodo sandbox or Sandboxie or a system change control like DeepFreeze or TimeFreeze be able to stop or revert the encryption?
xXToffeeXx - 8 years ago
Emsisoft blocks the malware.
lac8383 - 8 years ago
This technique has been used in the past when a drive was inaccessible from a viral infection or other means. I have not tested it with a PETYA attack but may be worth a try for someone who doesn't want to pay the ransom but wants to attempt saving their files.
1. Go to http://www.knoppix.org/
2 Select English and download Knoppix ISO
3. Burn Knoppix ISO to CD
4. Boot computer from the Knoppix (Linux) CD
5. Enter "boot knoppix" at prompt
6. Now you will be presented with a Linux desktop and should be able to browse the hard drive (disk icon shown on desktop)
From here, you can attach a USB external drive and try to copy any files from the affected system. Hope this may be a workaround to salvage files from a PETYA attack. Let me know.
CKing123 - 8 years ago
Unfortunately, it encrypts the MFT, which stores which file it is and where it is located. If the MFT wasn't encrypted, repairing the MBR would be all that is needed.
That said, does Petya encrypt the MFTMirror too?
If it doesn't, we can rebuild the MFT from its mirror
http://www.cgsecurity.org/wiki/Advanced_NTFS_Boot_and_MFT_Repair
Lawrence Abrams - 8 years ago
Yes, it appears to encrypt the mirror as well in some manner.
LConstantin - 8 years ago
Does this affect computers using UEFI with GPT and/or SecureBoot?
xXToffeeXx - 8 years ago
No, only if you are using BIOS and MBR.
turtletwi - 8 years ago
By some random chance your end user happens to ID this as a virus that is about to encrypt itself on their HDD I would HOPE that they shut that PC off before it has a chance to reboot.
At least then you can always slave the drive and pull the data. All ransomware software needs time to encrypt.
I'm curious to know if someone were to pay the ransom if it actually restores the data. My guess would be a HUGE NOOOO!!! Why would they? There's no such thing as an honest thief.
Lawrence Abrams - 8 years ago
Actually, these people typically do restore your files if you pay, but I would still advise against if at all possible.
DarthBhane - 8 years ago
Since the information is saved in the MBR, I wonder if doing a hard reset by removing the BIOS battery and the RAM could help, or if removing the hard drive and opening it on a different computer could fix the problem. Have you tried this before?
Lawrence Abrams - 8 years ago
As long as you do not start your computer with the malicious MBR installed, the encryption will not occur. So if you can power off your computer before it turns on that first time after the MBR is installed, you can take the hard drive, boot off a recovery CD or any other bootable device, and repair the MBR on the disk.
DavisMcCarn - 8 years ago
If Petya actually encrypts the MFTs, a simple unerase or basic data recovery program is not going to work. I think you would have to tell even GetDataBack to ignore the MFTs and to perform a raw, low-level recovery.
Does anyone know firsthand if it also destroys the partition structures? I'm concerned that if the recovery and system partitions are missing afterwards, it could be a real mess!
vanahjem - 8 years ago
There is a program called 'testdisk' that finds files on a disk without a partition table and extracts them as file000000001, file000000002 ...
You then have to find out what kind of file it is and what name it had - not practical for many files, but fine if you have a few very important ones.
DavisMcCarn - 8 years ago
In general, and for over 30 years now, if you find the parent folder on a DOS/Windows hard disk drive, all of the subfolders and files are recovered with their names intact. This, however, can be seriously affected if the partition structure has been damaged, especially with manufacturers dividing the drive into three or more partitions.
TheWizardOfOz - 8 years ago
I watched the video but it's not clear whether it immediately reboots the computer? Or does it perform the encryption on the next reboot?
Lawrence Abrams - 8 years ago
Triggers a reboot automatically.
TheWizardOfOz - 8 years ago
Yeah, I was just looking it up and saw that it apparently crashes the system in order to trigger a reboot.
Lawrence Abrams - 8 years ago
Yup..uses an undocumented API call from what I understand.
ImranTahir - 8 years ago
Hi Grinler, I think I have a solution :)
can you send me Petya?
can anyone help?
leostone - 8 years ago
Petya encryption has been broken!!!
You can retrieve your keys here: https://petya-pay-no-ransom.herokuapp.com/
Read more here: https://twitter.com/leo_and_stone
And here: https://github.com/leo-stone/hack-petya
Lawrence Abrams - 8 years ago
Leo, how long should it typically take for the genetic solver to produce the key? I also assume we are waiting to get to a score of 0, which would indicate the correct key?
Lawrence Abrams - 8 years ago
Got it working..took 7 seconds.
thomas1568 - 8 years ago
My PC is infected with Petya. When I input the data that I have read from the HDD at https://petya-pay-no-ransom-mirror1.herokuapp.com/
the process starts, but after hours without success an error occurs. Please help, it reports it is unable to continue.
Lawrence Abrams - 8 years ago
Unfortunately the new version is not crackable at this time.
DavisMcCarn - 8 years ago
Did you try to open a PDF attachment purporting to be a resume?
https://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/
Can you check some folders for the YOUR_FILES_ARE_ENCRYPTED files?
thomas1568 - 8 years ago
No, I think it was Microsoft Word but I'm not sure,
the system is locked, I have no chance to do anything.....
there is absolutely no possibility ...
thomas1568 - 8 years ago
Yes it was a PDF.exe attachment ...
DavisMcCarn - 8 years ago
This really should have been in the forums; but, you need to take the hard disk drive out of the PC and connect it to a working PC so you can see what is really going on. If Petya was successful, you'll need a data recovery tool to get the files back. If it was not, there will be two YOUR_FILES_ARE_ENCRYPTED files in a whole bunch of folders.
thomas1568 - 8 years ago
DavisMcCarn
"If it was not, there will be two YOUR_FILES_ARE_ENCRYPTED files in a number of folders."
How do I get to the data on the HDD? It can NOT be accessed, and the system restore points were deleted by PETYA.
DavisMcCarn - 8 years ago
As I already said, you need to take that hard disk drive physically out of the original PC and connect it as a second drive to a working one. Then, if the PC reports the drive is raw or unformatted, PETYA was successful and none of the files themselves were encrypted. You'll need a program like GetDataBack for NTFS which will scan the drive and find your stuff. It isn't free; but, you can run the scan, check a picture or document, then activate it to copy your files to someplace else.
If PETYA failed to install, all of your folders will be visible; but all of the files will be encrypted and you're sunk.
thomas1568 - 8 years ago
GetDataBack for NTFS can not read the encrypted HDD!
DavisMcCarn - 8 years ago
Yes it can; but you need to change the options in step 2 to include an exhaustive search and to not use only valid MFTs. You should also choose extensive damage in the beginning.
thomas1568 - 8 years ago
It doesn`t work:
error : convert Error
no argument for format
% / Dt Appexc
DavisMcCarn - 8 years ago
GetDataBack gives numeric errors generally. Did you get one?
thomas1568 - 8 years ago
No !
Only Appecex and 00409598
thomas1568 - 8 years ago
Is there any other software....
NBN-Alex - 7 years ago
By chance, is there any group that's looking at the Pre-Petya infection? We just got hit with that infection and trying to see if TestDisk will recover the MFT. We have working backups as well, but we also have a possible sample to send in if there's any groups looking for it.
DavisMcCarn - 7 years ago
Recently, I had a LaCie 4TB NAS which LaCie, by default, configured as a 4GB boot partition and then creates a spanned drive for the public access. In the process of the first drive failing, it corrupted the database used for spanning and GetDataBack could not find anything to recover on the second drive (it reported no MFTs found, which was true; they were on the first drive). Because of that, I might suggest trying a different program, namely PhotoRec, because it ignores the filesystem and, instead, finds files by their signature bytes.
http://www.cgsecurity.org/wiki/PhotoRec