Technology Blog »

Petya, A New Scarier RansomWare

Petya Ransomware Encrypts Your Entire Hard Drive
Petya Ransomware Encrypts Your Entire Hard Drive

Hi Folks,

Scarier news from the fun and exciting world of IT Security.  A new form of ransomware. This new bad actor is called, “Petya” and it encrypts the entire hard drive, not just selected files as some of it’s predecessors such as Cryptolocker and Locky and in addition previous ransomware in the Crypto family have just targeted certain types of documents that are most likely to contain data (Word docs, Excel docs, PDFs, etc.) and leaves the operating system intact and bootable. Petya encrypts the entire hard drive, rendering the computer unbootable and a total loss unless the ransom is paid.

Petya primarily works by replacing the hard drive's Master Boot Record (MBR) with its own code. The MBR tells the computer where to find boot files on the hard drive. Petya then forces a reboot to activate its payload on the next boot. It presents information that a Chkdsk needs to be run to fix errors on the hard drive. Petya then proceeds to encrypt every file on the computer while claiming it is doing a Chkdsk. Once complete, the ransom message is displayed.

Just like its predecessors, once encryption occurs there is no way to recover the files except by restoring from backup or paying the ransom. However, Petya adds the extra little special task of having to rebuild the entire workstation or server.

Since Petya is in most cases an email borne threat that disseminates through an infected email attachments follow these few safety rules: 

  1. Never open any email attachments from anyone you do not know and aren't expecting. If your buddy from highschool suddenly emails you with an attachment like "Invoice Attached" Don't open it.
  2. Do not open any attachments if you weren't expecting them, even from a trusted source.
  3. Avoid untrusted or unknown web sites.
  4. THINK before you click.

DCS Clients are protected pretty well from these types of threats as we employ a layered security defense or defense in depth approach but NO SOLUTION IS A %100 MAGIC BULLET.  Think before you click.  If you suspect you have been infected, disconnect your computer from the network and/or shut it down immediately and call us.