In general, when a user is infected by crypto-ransomware, the infection encrypts the files on the victim’s hard drive. In that case the operating system still works properly, but the user cannot open the encrypted documents.
Petya ransomware (Petya is a Bulgarian female given name) encrypts portions of the hard drive instead of individual files, so the user is unable to access anything on the drive, including Windows. Users should know that the ransom currently stands at ~0.9 bitcoins and that there is no way to decrypt the drive for free.
Presently, Petya ransomware is being distributed via emails targeting the human resources departments of German companies. The emails contain Dropbox links to supposed job applications, which download a file that, when executed, installs the Petya ransomware on the computer. For instance, one filename used for the installer is Bewerbungsmappe-gepackt.exe.
Users should also be aware that there is a lot of bogus information on the web about how to fix a PC that has been encrypted by Petya. Plenty of the fake websites state that users can use the FixMBR command or otherwise repair their MBR in order to remove the infection. However, this only removes the lock screen; it does not decrypt the MFT. For that reason, the user’s files and Windows will remain inaccessible. Repair the MBR only if you do not care about the data loss and intend to reinstall Windows.
In January, there was another short-lived ransomware that exhibited the same behavior, but it was not as advanced. At the time, however, no sample could be retrieved, so it is still not certain whether Petya ransomware is a modified version of the earlier one.
Once installed on the attacked machine, Petya ransomware replaces the boot drive’s existing Master Boot Record, or MBR, with a malicious loader. The MBR is the information at the very beginning of a hard drive that tells the computer how to boot the operating system. Petya then forces Windows to reboot so that the new malicious loader executes; the loader displays a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya encrypts the Master File Table (MFT) on the hard drive. Once the MFT is encrypted, the PC no longer knows where files are located, or whether they even exist, so they are not accessible to the user.
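Because Petya’s first visible action is overwriting the MBR, a defender can detect that step by comparing the boot-code region of sector 0 against a baseline recorded while the system was known-good. The following is an added example, not code from the original article: a small MBR parser and integrity check in Python, run here against constructed 512-byte sectors (the boot code, partition entry and baseline hash are all made up for the demonstration).

```python
import hashlib
import struct

# Classic MBR layout: 440 bytes of boot code, 4-byte disk signature, 2 reserved
# bytes, four 16-byte partition entries at offset 446, and the 0x55AA marker.
BOOT_CODE_LEN = 440
PART_TABLE_OFF = 446
BOOT_SIGNATURE = b"\x55\xaa"

def parse_mbr(sector):
    """Split a 512-byte sector into a boot-code hash, partition entries and signature flag."""
    if len(sector) != 512:
        raise ValueError("an MBR is exactly 512 bytes")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        # status, (CHS start skipped), type, (CHS end skipped), LBA start, sector count
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # type 0 marks an unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": parts,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }

def check_mbr(sector, baseline_boot_code_sha256):
    """Return a list of findings; an empty list means the MBR matches the recorded baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["valid_signature"]:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline (possible bootloader replacement)")
    if not info["partitions"]:
        findings.append("no partition entries")
    return findings

def build_sample_mbr(boot_code):
    """Constructed test sector: the given boot code plus one bootable NTFS (0x07) partition."""
    sector = bytearray(512)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFF, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)

# Constructed sectors, not real loaders: a known-good MBR and one whose boot code was swapped.
GOOD_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"GOOD BOOT CODE")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x63\x90" + b"REPLACED LOADER")
BASELINE = parse_mbr(GOOD_MBR)["boot_code_sha256"]  # would be recorded on a clean system
```

On a live system the sector would come from reading the first 512 bytes of the raw disk device (administrator rights required), and the baseline hash should be stored off-host so a compromised machine cannot rewrite it.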
As soon as the fake CHKDSK completes, the victim is presented with a lock screen that displays instructions for connecting to a TOR site, along with a unique ID that must be entered on the website in order to make the ransom payment. After the ransom has been paid, the victim receives a password that can be entered into this screen to decrypt the infected machine.
When a user visits the website, they will be presented with a CAPTCHA page. After the captcha is entered, they will be shown the first page of the decryption website, which provides information on what has happened to the infected machine.
If a user clicks ‘Start the decryption process’, they are walked through a 5-step process in which they learn how to make a payment and eventually retrieve a password.
After a ransom payment is sent to the associated address, the fifth and final step becomes available. Supposedly, the fifth step displays a page containing the password the victim must enter into the lock screen on their PC. Once the password is entered, the ransomware decrypts the MFT and restores the original MBR, after which the user can boot back into Windows and access their files again.
Currently, there is no way to decrypt an infected hard drive for free, though security researchers continue to work on the problem.