Scarier news from the fun and exciting world of IT Security. A new form of ransomware. This new bad actor is called, “Petya” and it encrypts the entire hard drive, not just selected files as some of it’s predecessors such as Cryptolocker and Locky and in addition previous ransomware in the Crypto family have just targeted certain types of documents that are most likely to contain data (Word docs, Excel docs, PDFs, etc.) and leaves the operating system intact and bootable. Petya encrypts the entire hard drive, rendering the computer unbootable and a total loss unless the ransom is paid.
Petya primarily works by replacing the hard drive's Master Boot Record (MBR) with its own code. The MBR tells the computer where to find boot files on the hard drive. Petya then forces a reboot to activate its payload on the next boot. It presents information that a Chkdsk needs to be run to fix errors on the hard drive. Petya then proceeds to encrypt every file on the computer while claiming it is doing a Chkdsk. Once complete, the ransom message is displayed.
Just like its predecessors, once encryption occurs there is no way to recover the files except by restoring from backup or paying the ransom. However, Petya adds the extra little special task of having to rebuild the entire workstation or server.