Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

4/1/2016
03:35 PM
Connect Directly
Twitter
LinkedIn
RSS
E-Mail
100%
0%

Ransomware Authors Break New Ground With Petya

Instead of encrypting files on disk, Petya goes for the jugular by encrypting the entire disk instead, says F-Secure.

Ransomware developers appear to have come up with a new way of making life miserable for victims of their extortion campaigns, even as federal officials in the US and Canada Thursday issued an alert on the scourge.

Security vendor F-Secure on Friday issued an alert on Petya, a new ransomware sample that locks the entire hard disk of a computer instead of simply encrypting files on disk like other ransomware tools.

According to F-Secure, Petya encrypts the filesystem’s master file table (MFT) ensuring that the operating system is unable to locate needed files, thereby rendering the computer completely unusable.

“It installs itself to the disk’s master boot record (MBR) like a bootkit. But instead of covert actions, it displays a red screen with instructions on how to restore the system,” F-Secure senior security researcher Jarkko Turkulainen wrote.

Attacking the MFT takes less time than encrypting files on disk while yielding the same results, F-Secure security advisor Sean Sullivan added in comments to Dark Reading.

“Many of the other crypto-ransomware families require time and CPU,” Sullivan says. Victims of ransomware attacks, in fact, often report their computers slowing down significantly during an attack. While home users may not know quite what to make of the slowdown, employees at enterprises sometime have time to get help in preventing a full compromise, Sullivan says.

With Petya that is not an option. “Petya is able to hit the MFT in seconds before crashing the system and forcing a restart. In an enterprise environment, there would be no time to call for help.”

For victims, Petya introduces problems that other ransomware tools typically do not. Because Petya infects the master boot record, it disables the entire system. So the victim would need to find another computer with Internet access in order to pay off the ransom and regain access to their compromised system. While this may not, by itself, present a problem for business users, home users could find it challenging, Sullivan said.

Petya also leaves it pretty much up to the user to download the Tor browser to access the hidden service URL for paying the ransom.  “Petya doesn’t attempt to provide proxy links to the Tor hidden service,” suggesting that the malware authors either, do not care about the difficulties of installing the Tor browser, or they haven’t incorporated that feature yet, he said.

Somewhat ironically, in making it harder for victims to pay a ransom, Petya’s authors may have also lowered their own chances of profiting from it, says Sullivan. As a result, the likelihood of the same technique being used more widely will depend on the success malware authors have in monetizing Petya.

“That will depend on whether or not people figure out how to pay,” Sullivan says. “It does definitely have some advantages in how it hits its victims. So, we’ll likely see more, but it is too soon to say if it will become common.”

News of Petya comes amid heightening concerns about a major increase in ransomware samples and in ransomware attacks in recent months. Many believe that the success that malware authors have had in extorting money from victims is attracting more criminals, including organized cybercrime groups into the ransomware space. In recent months, ransomware samples like Locky, TeslaCrypt and Samas, have victimized numerous individuals and organizations, including several major hospitals.

The surge in attacks prompted the U.S Department of Homeland Security to issue an alert in conjunction with the Canadian Cyber Incident Response Centre, warning consumers and businesses of the seriousness of the threat. The alert, issued late Thursday, warned consumers and businesses about the “devastating” consequences of a ransomware attack. “Recovery can be a difficult process that may require the services of a reputable data recovery specialist,” the alert noted in offering some precautions.

The recommendations include the need for individuals and organizations to employ a data backup and recovery plan for crucial information and the use of whitelisting to ensure that only approved applications are allowed to run on a system. Other advice included the need for people to jeep their software properly updated and patched and to limit the ability for users to install and run applications on their systems

Related stories:

 

Interop 2016 Las VegasFind out more about security threats at Interop 2016, May 2-6, at the Mandalay Bay Convention Center, Las Vegas. Click here for pricing information and to register.

Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
theb0x
50%
50%
theb0x,
User Rank: Ninja
4/6/2016 | 12:09:23 PM
Re: proofreader required?
My Jeep is still unpatched running an irc daemon on port 6667.
iani540
50%
50%
iani540,
User Rank: Apprentice
4/5/2016 | 8:55:42 PM
proofreader required?
"the need for people to jeep their software properly updated"


I think you need a proof reader
Whoopty
50%
50%
Whoopty,
User Rank: Ninja
4/4/2016 | 7:44:04 AM
Anti-encryption argument?
As much as Ransomware worries me, I'm more concerned that politicians will get the wrong end of the stick (either deliberately or not) and use ransomware as an example of why they want to break encryption and weaken security. 

Do you think they might take that tack?
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: I told you we should worry abit more about vendor lock-in.
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .