First reported on the Heise Security board, this new threat calls itself “Petya Ransomware”. What sets it apart from other ransomware viruses is that it uses a brand new method to infect computers and completely lock the machine away from its user. Since 2010, the most popular way for ransomware to extort money has been to remain hidden on the victim’s computer long enough to encrypt all of their files, usually with very strong encryption algorithms. Users’ options for recovering their files without paying the ransom boiled down to having a backup copy or using a program that restores deleted files.
Petya – a new threat on the horizon
The Petya ransomware differs from traditional ransomware viruses in two major ways:
- The virus is distributed via the Dropbox network.
- The virus overwrites the boot files required to load Windows, completely locking the user out of the computer.
The victim usually first receives a business-related email from someone supposedly applying for a job. The victim is lured into opening a Dropbox storage location that contains the applicant’s CV and other details. When the user tries to open the relevant files, a self-extracting executable containing a Trojan horse runs on their PC. The Trojan then blinds any installed anti-virus programs and downloads the Petya ransomware from a remote location.
Once inside the machine, Petya overwrites the master boot record (MBR) of the drive and then crashes Windows with a blue screen of death (BSoD). When the user tries to reboot the PC, the modified MBR prevents Windows from loading normally. Instead, a message containing the ransom demand is displayed: it opens with a red “pirate” skull rendered in ASCII art and then delivers the instructions. The Petya ransomware claims to have encrypted the user’s files with a military-grade encryption algorithm and demands payment in Bitcoin via a remote Tor site, behavior typical of ransomware viruses.
Is Petya really a ransomware virus or just a screen locker?
This is a very interesting question, as the virus appears to behave much like a classic screen locker. However, it also threatens (and promotes itself) as a ransomware virus that uses RSA (4096 bit) and AES (256 bit) encryption. So far the facts about the virus remain inconclusive, but we’ll share everything we know up to this point.
Initial reports from the Heise Security board indicate that the PC lock can be removed successfully if the MBR is repaired. You can find detailed instructions on how to do that in our removal guide. However, the best idea is probably to turn off your computer now! Why? Read below!
Some users also reported that Petya does actually start encrypting files. Unlike traditional ransomware viruses, it doesn’t wait hidden until the user’s files are encrypted – it first enforces the lockdown and then begins the encryption process unperturbed. Don’t allow this to happen – immediately power down your computer!
Since knowledge of how exactly the virus operates is scarce at this point, we strongly recommend that everyone affected by Petya Ransomware immediately shut down their PCs so that all virus processes are halted. Encrypting a whole drive takes a very long time, and most of your files are probably still intact. Keeping the computer turned off freezes all virus activity on it. We recommend that you postpone dealing with this problem. As soon as we have more concrete information, we’ll update this news article and our removal guide accordingly.