Petya Ransomware:
Description:
WannaCry was not the end of it. Security researchers have discovered a new variant of the Petya ransomware that is spreading rapidly with the help of the same Windows SMBv1 vulnerability, causing confusion worldwide by shutting down computers at corporations, power suppliers, and banks across Russia, Ukraine, Spain, France, the UK, India, and Europe, and demanding $300 in bitcoins.
What is Petya?
Petya has been in existence since 2016. It differs from typical ransomware in that it doesn’t just encrypt files: it also overwrites and encrypts the master boot record (MBR).
In this latest attack, the following ransom note is displayed on infected machines, demanding that $300 in bitcoins be paid to recover the files:
How it works:
Taking inspiration from the WannaCry ransomware, Petya appears to use the same SMB spreading mechanism, based on the NSA's ETERNALBLUE exploit. Unlike traditional ransomware, Petya does not encrypt files on a targeted system one by one.
Instead, Petya reboots the victim’s computer, encrypts the hard drive's master file table (MFT), and renders the master boot record (MBR) inoperable. This locks the user out of the whole system, because the MFT holds the information about file names, sizes, and locations on the physical disk.
Petya replaces the computer's MBR with its own malicious code, which displays the ransom note and leaves the computer unable to boot. Once this is done, the following text is displayed:
"If you see this text, then your files are no longer accessible, because they are encrypted. Perhaps you are busy looking for a way to recover your files, but don't waste your time. Nobody can recover your files without our decryption service."
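Because Petya's damage starts with overwriting sector 0, a defender can catch the tampering by comparing the MBR's boot-code region against a baseline captured while the machine was healthy and by checking that the sector is still structurally sane (0x55AA boot signature present, partition table not empty). The script below is an added example written for this post, not code from the original article or from any Petya sample: it parses a 512-byte MBR, hashes the 440-byte bootstrap region, and reports deviations from a baseline hash. The two sample sectors (a "clean" one and an "overwritten" one) are constructed inline so the script runs offline; reading the real sector 0 (for example from \\.\PhysicalDrive0 on Windows, which needs administrator rights) is left to the reader, and the `check_mbr`, `parse_mbr` and `build_sample_mbr` names are this example's own.

```python
"""Compare an MBR sector against a known-good baseline (added example, not from the original post).

The sample sectors below are constructed for this example; they are not captured
from a real Petya infection.
"""
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440            # bytes 0..439 hold the bootstrap code
PART_TABLE_OFFSET = 446        # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xaa"   # bytes 510..511 of every valid MBR
# Partition entry: status, CHS start (3 bytes, skipped), type, CHS end (skipped),
# LBA start (uint32 LE), sector count (uint32 LE)
PART_ENTRY_FMT = "<B3xB3xII"


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw MBR sector into a boot-code hash, partition entries and signature check."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR sector must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        offset = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY_FMT, sector, offset)
        if ptype != 0:  # type 0x00 means the slot is unused
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> List[str]:
    """Return a list of findings; an empty list means the sector matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Build a constructed MBR with the given boot code, one NTFS partition and a valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    # One bootable (0x80) NTFS (type 0x07) partition at LBA 2048, 1 GiB of 512-byte sectors
    struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFFSET, 0x80, 0x07, 2048, 2097152)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed stand-ins: a few typical x86 boot-code opcodes padded with NOPs,
# and an unrelated byte pattern playing the role of an overwritten sector.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100
TAMPERED_BOOT_CODE = b"\xeb\x1e\x90" + b"\x00" * 50

CLEAN_MBR = build_sample_mbr(CLEAN_BOOT_CODE)
TAMPERED_MBR = build_sample_mbr(TAMPERED_BOOT_CODE)
# The baseline would normally be recorded once on a healthy machine and stored off-host.
BASELINE_SHA256 = parse_mbr(CLEAN_MBR)["boot_code_sha256"]


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(sector, BASELINE_SHA256)
        print(f"{label}: {'OK' if not findings else '; '.join(findings)}")
```

The baseline hash must be stored somewhere the malware cannot reach (a management server, not the same disk), and the check has to run from a trusted context, since once Petya has rebooted the machine its own boot code is what runs. Hashing only the first 440 bytes keeps the check stable across legitimate partition-table edits, which live in bytes 446 to 509.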
Targeted file extensions: