Petya ransomware Impact On Hard Drives

It is quite surprising that these days ransomware programs sit at the top of the stairs, leaving other malware behind. Their fast rate of evolution has become a serious frustration for PC users, and it is on everyone's lips that 2016 is the year of ransomware. The most serious part is that new families and versions keep arriving one after another.

Ransomware developers use strong algorithms and encryption methods to encrypt files, and restoring those files without the decryption key is all but impossible. They have also begun to use Tor and payment in bitcoins so that they can stay anonymous. The most harassing development is Petya ransomware, recently found to be one of the most harmful and destructive ransomware programs: it has the capability to encrypt the entire hard drive instead of injecting into or encrypting one or more files. In other words, unlike the others, it does not corrupt individual data files while leaving the rest of the PC alone; it leaves your data itself unhurt but corrupts the hard drive index, preventing Windows from seeing it. Your disk sectors remain untouched, but the metadata Windows uses to turn that raw data into useful information is destroyed.

How Petya Ransomware Slips Into a PC

Mostly targeting business users, Petya ransomware uses various unethical ways to distribute itself quietly onto a PC without letting you know. Among those ways, junk mail has been found to be its favourite method of infiltrating the targeted computer. Once there, it performs the following steps:

  • Triggers a User Account Control (UAC) security prompt in the hope that you will grant it permission.
  • Creates a one-time encryption key, usually 16 bytes long, along with a human-readable “personal decryption code” that the attackers later use to identify you.
  • Uses that elevated privilege to write its data-encrypting code and the encryption key to the MBR (Master Boot Record) and to other disk sectors outside the area allocated to your C: drive.
  • Restarts your PC.
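As an added example (not part of this article or of Petya itself), the following Python script shows one defender-side check against the behaviour described above: it parses a disk image's MBR, compares a hash of the boot code with a known-good baseline, and flags any non-zero data in the unallocated sectors between the MBR and the first partition, the area outside the C: drive that the article says Petya writes to. The disk image, the baseline and the boot-code bytes are all constructed for the demonstration.

```python
# Added example, not the article's code: integrity check of an MBR and of the
# unallocated sectors between the MBR and the first partition.
import hashlib
import struct

SECTOR = 512

def build_mbr(boot_code: bytes, first_lba: int, sectors: int) -> bytes:
    """Construct a minimal MBR with one NTFS-type (0x07) partition entry."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", first_lba, sectors)
    table = entry + b"\0" * 48            # three unused partition slots
    return boot_code.ljust(446, b"\0") + table + b"\x55\xaa"

def parse_mbr(sector0: bytes) -> dict:
    """Return the boot-code hash and the non-empty partition entries of an MBR."""
    if len(sector0) != SECTOR or sector0[510:] != b"\x55\xaa":
        raise ValueError("not a 512-byte MBR with the 0x55AA signature")
    parts = []
    for i in range(4):
        e = sector0[446 + 16 * i: 462 + 16 * i]
        if e[4] != 0:                     # partition type 0 means unused slot
            start, count = struct.unpack_from("<II", e, 8)
            parts.append({"type": e[4], "start_lba": start, "sectors": count})
    return {"boot_hash": hashlib.sha256(sector0[:446]).hexdigest(), "partitions": parts}

def check_image(image: bytes, baseline_hash: str) -> list:
    """List findings: boot code changed, or data present in the MBR gap."""
    mbr = parse_mbr(image[:SECTOR])
    findings = []
    if mbr["boot_hash"] != baseline_hash:
        findings.append("boot code differs from baseline")
    first = min(p["start_lba"] for p in mbr["partitions"]) if mbr["partitions"] else 1
    for lba in range(1, first):           # sectors that belong to no partition
        if any(image[lba * SECTOR:(lba + 1) * SECTOR]):
            findings.append(f"non-zero data in unallocated sector {lba}")
    return findings

# Constructed sample image: the only partition starts at LBA 8, so sectors
# 1..7 are unallocated and should be all zero on a healthy disk.
CLEAN_BOOT = b"constructed-clean-boot-code"        # placeholder, not real code
BASELINE = hashlib.sha256(CLEAN_BOOT.ljust(446, b"\0")).hexdigest()
clean_image = build_mbr(CLEAN_BOOT, 8, 64) + b"\0" * SECTOR * 7
tampered = bytearray(clean_image)
tampered[:446] = b"constructed-tampered-boot-code".ljust(446, b"\0")
tampered[3 * SECTOR:3 * SECTOR + 4] = b"\xde\xad\xbe\xef"  # payload in the gap

if __name__ == "__main__":
    print(check_image(clean_image, BASELINE))
    print(check_image(bytes(tampered), BASELINE))
```

On a real machine the image would be the first few megabytes read from the physical drive (offline, from a clean boot medium) and the baseline hash recorded when the system was known to be healthy.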

Recently, a Spanish user faced this Petya ransomware and shared his experience. Have a look at it.

Friends!! Petya ransomware does not deserve your trust at all. However, it was my good luck, because before it could damage my machine, I came across it and went through the Internet to become more familiar with it. And finally, I got the solution from one of the websites, which is – http://es.allcopts.com

On the hard disk of any older PC, the MBR is the first sector of code that runs after the so-called BIOS firmware during the startup process. It runs before Windows loads, and it runs the computer in what could be called “1980s mode.”

Security features such as privilege levels and memory protection are built into the processor itself, but at that point they have not yet been activated.

Windows and other modern operating systems rely on these features to stop unauthorized code from accessing critical system resources such as the hard disk.

The surprising part is that even on a multi-core 64-bit CPU with gigabytes of RAM, a system booting from the MBR is in the same 16-bit mode that MS-DOS used 30 years ago with 1 MB of RAM. Unfortunately, a piece of code just a few hundred bytes long is enough to carry out irreversible encryption and damage to sensitive parts of the hard disk. And once Petya ransomware has encrypted the hard disk indexes, it immediately rewrites its own data to delete the encryption key it just used, preventing you from repairing the compromised disk.

As we stated above, Petya does not bother trying to encrypt directories and files. Instead, it simply corrupts the MFT (Master File Table) of your C: drive. The Master File Table is much easier to find than individual files, especially for low-level code such as a boot sector.

That is because the MFT is the core data needed to make sense of the rest of the disk; without the MFT, the rest of the data is no longer useful. Windows does hold a second copy of the MFT, but that copy is just as easy to find.

Take a look at the fake CHKDSK screen, designed to discourage you from pulling the plug; it keeps running until you kill the malware.

In true 1980s malware style, look at the 80×25 ASCII art:

After you press the key it tells you to, the “pay page” appears.

Petya does not actually need any network access, because it does not have to call home by itself. Instead it relies on you to make the call home, by typing one of the “dark web” URLs shown on your PC screen into another computer; that URL then redirects you to a CAPTCHA:

Undoubtedly you need another PC to get online, but even after doing that you find yourself in the same position as with file-based ransomware programs like Locky or TeslaCrypt:

Good And Bad News Related To Petya ransomware

Guys!! The good news is that you are unlikely to run into this malware. The bad news is that, like a lot of 1980s boot sector malware, it can also fail devastatingly by making incorrect guesses about your hard disk layout.

Fighting Petya

Unfortunately, no reliable method for decrypting the data encrypted by Petya ransomware has been found, which is really quite miserable. But there are some preventive tips you can adopt to stay away from all such harassing issues.

  1.  If you see the Blue Screen of Death, all your data may still be intact and accessible, since Petya has not yet begun to encrypt the Master File Table. So if your computer shows a BSOD, then restarts and starts a Check Disk, it is highly recommended to shut it down, because at that point there is still a chance to protect your data. Remove the hard drive from your PC, connect it to another PC and recover your data. But remember: never use that disk as a boot device.
  2.  Petya only encrypts the MFT and leaves the other files untouched. Those files can even be recovered by professionals who are experts in hard drive recovery. It may be a time-consuming and intricate process, and it will cost you a lot, but it is feasible. Never try to perform this process at home, as a silly mistake can lead to permanent data loss.

Source : https://nakedsecurity.sophos.com/2016/04/04/new-ransomware-with-an-old-trick-petya-parties-like-its-1989