A new strain of ransomware replaces the Master Boot Record (MBR) and encrypts the Master File Table on an infected Windows computer’s hard drive, thereby essentially locking a victim out of all of their files.
Jasen Sumalapao, a malware analyst at Trend Micro, explains in a blog post that attackers were distributing the ransomware, which has been dubbed Petya, via a malicious email campaign targeting the human resource departments of German companies:
“Victims would receive an email tailored to look and read like a business-related missive from an applicant seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant’s CV.”
Abusing a legitimate file-sharing service like Dropbox to serve up malware is fairly unusual. Most other crypto-ransomware samples, including Locky, either come embedded in malicious Microsoft Word email attachments or arrive as the payloads of various exploit kits.
In the campaign observed by Sumalapao, the Dropbox folder came with two files: a stock photograph .JPG and a self-extracting executable.
The latter file loaded a trojan that surreptitiously downloaded Petya onto the user’s machine.
Once installed, Petya begins by replacing the Master Boot Record – the code stored on a hard drive that provides a computer with instructions on how to boot up an operating system. Replacing this code prevents the computer from loading the OS correctly and disables booting into Safe Mode.
The Petya ransomware then sets its sights on encrypting not individual files but the Master File Table (MFT), a file on NTFS partitions that contains critical information about every other file, including their name and size.
Lawrence Abrams of Bleeping Computer provides more details:
“Petya causes Windows to reboot in order to execute the new malicious ransomware loader, which will display a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya will encrypt the Master File Table on the drive. Once the MFT is corrupted, or encrypted in this case, the computer does not know where files are located, or if they even exist, and thus they are not accessible.”
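As an added defensive example (not from the article or from the researchers it quotes), the following Python script parses a 512-byte MBR, hashes its bootstrap-code region and compares it against a trusted baseline hash: the kind of integrity check that would flag a replaced MBR of the sort described above before the forced reboot. The sample MBR bytes are constructed for the example, not taken from a real disk or from Petya.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap-code hash, partition table and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(mbr)}")
    partitions = []
    for i in range(4):
        entry = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack("<B3xB3xII", entry)
        if ptype != 0:  # type 0x00 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {
        "code_sha256": hashlib.sha256(mbr[:446]).hexdigest(),  # bootstrap code only
        "partitions": partitions,
        "signature_ok": mbr[510:512] == BOOT_SIGNATURE,
    }

def check_mbr(current: bytes, baseline_code_sha256: str) -> list:
    """Return findings for an MBR compared against a trusted baseline hash (empty list = clean)."""
    info = parse_mbr(current)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["code_sha256"] != baseline_code_sha256:
        findings.append("bootstrap code differs from baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    return findings

def build_sample_mbr(code: bytes) -> bytes:
    """Construct a sample MBR (not a real disk image) with one bootable NTFS partition."""
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)
    return code.ljust(446, b"\x00") + entry + b"\x00" * 48 + BOOT_SIGNATURE

# Constructed stand-ins: a known-good MBR recorded at baseline time, and one whose code was replaced.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 32)
BASELINE_SHA256 = parse_mbr(GOOD_MBR)["code_sha256"]

if __name__ == "__main__":
    print("good:", check_mbr(GOOD_MBR, BASELINE_SHA256))          # []
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_SHA256))  # ['bootstrap code differs from baseline']
```

On a live system the same 512 bytes can be read, with administrative rights, from the first sector of the physical disk (for example `\\.\PhysicalDrive0` on Windows); the baseline hash must be captured per machine, since vendor boot code differs between installations.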
With the MFT encrypted, the ransomware presents a ransom message instructing the user to visit a site via the Tor browser and pay 0.99 BTC (approximately US $418) in ransom.
If the victim fails to pay in a week’s time, the attackers’ demand doubles in value.
Tim O’Brien, Director of Threat Research at cloud security automation company Palerra, told SecurityWeek there are a number of measures sysadmins and security personnel can take to counter this threat.
When it comes to protecting an organization against ransomware, however, O’Brien stresses that emphasis should be firmly placed on user awareness:
“Above all else, end user awareness and training regarding the screening of emails and downloading files is the first line of defense. Leveraging technology to automate the business process while minimizing the associated risks helps facilitate operations and negate issues described in this blog post.”
After being informed of the ransomware, Dropbox removed the folder and all other links pointing to the malware. The company issued the following statement:
“We take any indication of abuse of the Dropbox platform very seriously and have a dedicated team that works around the clock to monitor and prevent misuse of Dropbox. Although this attack didn’t involve any compromise of Dropbox security, we have investigated and have put procedures in place to proactively shut down rogue activity like this as soon as it happens.”
For those who have been exposed to Petya, there is no way to recover one’s data without paying the ransom unless a secure backup is available. Abrams notes that affected organizations can use the FixMBR command or otherwise repair the MBR to remove the lock screen, but doing so will not restore access to the files. Those steps should therefore be taken only where the encrypted data is inconsequential.
All organizations should implement some form of security awareness training for their employees, which should include anti-phishing exercises. They should also maintain regular backups of their business-critical data.