German company discovers a new type of ransomware
The German company heise Security has discovered a new type of crypto-ransomware, and the main bad news is that in this case the victim loses access not to individual files but to the disk partition (volume) as a whole. The Petya malware targets not individual files but the NTFS Master File Table (MFT). Its encryption is performed through low-level, sector-based disk operations, so access to every file on the volume is lost at once.
More bad news is that the Petya dropper uses a special disguise to hide its malicious activity. Because the ransomware needs elevated privileges to interact with the disk at a low level, the dropper carries a phishing-style icon painted with a UAC shield, so that the UAC prompt shown when it asks the user for elevated privileges looks expected and legitimate. ESET anti-virus products detect Petya as Win32/Diskcoder.Petya.
Fig. Petya dropper icon with a painted-on UAC shield. (Malwarebytes data)
After the dropper is launched on the system, Windows crashes with a BSOD, and after the reboot the ransomware shows the user a fake window imitating the standard Windows disk-checking tool, chkdsk. During this time Petya is encrypting the partition data.
Fig. Fake chkdsk window after the system reboot. (Malwarebytes data)
Once its malicious routine has completed, the user is shown the following screen.
Fig. Screen the ransomware displays to the user. (Malwarebytes data)
Fig. The ransom demand screen that appears after the previous one. (Malwarebytes data)
Fig. The look of the website where the ransom can be paid (hosted on the anonymous Tor network). (Malwarebytes data)
To do its work without any involvement of Windows, at the earliest stage of boot, the ransomware replaces the standard bootstrap code with its own and also uses its own loader, which it places in the first sectors of the disk. The original contents of those sectors are encrypted with a simple XOR operation and stored on the disk.
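As an added example (not code from the article or from any vendor tool), the following Python forensic helper applies that last point from the defender's side: given a raw disk image whose MBR boot code has been replaced, it scans the first sectors for a copy of the original MBR that was encrypted with a single-byte XOR, recovers it, and reports whether the live boot code differs from it. The sample image, the sector index and the XOR key in it are constructed assumptions, not values taken from the article.

```python
SECTOR = 512

def is_plausible_mbr(sec: bytes) -> bool:
    """55 AA signature present, each partition entry's boot flag is 0x00 or 0x80,
    and at least one entry has a non-zero partition type byte."""
    if len(sec) != SECTOR or sec[510:512] != b"\x55\xaa":
        return False
    entries = [sec[446 + 16 * i: 462 + 16 * i] for i in range(4)]
    return all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries)

def xor_sector(sec: bytes, key: int) -> bytes:
    return bytes(b ^ key for b in sec)

def find_xored_mbr(image: bytes, max_sectors: int = 64):
    """Scan sectors 1..max_sectors-1. The plaintext must end in 55 AA, so byte 510
    fixes the key and byte 511 is a cheap check before the partition-table test.
    Returns (sector_index, key, decrypted_sector) or None."""
    for idx in range(1, min(max_sectors, len(image) // SECTOR)):
        sec = image[idx * SECTOR:(idx + 1) * SECTOR]
        key = sec[510] ^ 0x55
        if sec[511] ^ key != 0xAA:
            continue
        plain = xor_sector(sec, key)
        if is_plausible_mbr(plain):
            return idx, key, plain
    return None

def boot_code_replaced(image: bytes, original_mbr: bytes) -> bool:
    """True if sector 0's bootstrap code (bytes 0..445) differs from the recovered original."""
    return image[:446] != original_mbr[:446]

def build_sample_image() -> bytes:
    """Constructed image, not a real sample: sector 0 is a replacement loader that keeps
    the partition table; sector 7 holds the original MBR XORed with 0x37 (assumed values)."""
    table = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xFE, 0xFF, 0xFF,
                   0x00, 0x08, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00]) + bytes(48)
    original = b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + bytes(439) + table + b"\x55\xaa"
    loader = b"\xfa\xea\x00\x7c\x00\x00" + b"\x90" * 440 + table + b"\x55\xaa"
    filler = bytes(SECTOR)  # all-zero sectors never pass the 55 AA check
    return loader + filler * 6 + xor_sector(original, 0x37) + filler * 8

if __name__ == "__main__":
    img = build_sample_image()
    hit = find_xored_mbr(img)
    if hit:
        print(f"original MBR found in sector {hit[0]}, key 0x{hit[1]:02x}, "
              f"boot code replaced: {boot_code_replaced(img, hit[2])}")
```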
Demonstration of Petya.
To protect against this ransomware, we recommend using antivirus software and not following links received from untrusted sources. ESET anti-virus products detect Petya as Win32/Diskcoder.Petya.