The latest ransomware to plague German companies is a malware program called Petya, which overwrites the master boot record (MBR) of infected computers, leaving the operating system in an unbootable state.
Typically, the master boot record code is stored in the first sector of a hard disk drive. This code contains information about the disk's partitions and enables the launching of the operating system's boot loader. Without the MBR, the computer does not know which partition contains the OS or how to start it.
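The MBR layout described above is fixed and small, so a defender can parse it and check it for integrity. The example below is added here and is not code from the original article or from Cibecs: it builds a constructed 512-byte MBR, parses the four partition table entries, and runs sanity checks (boot signature present, valid status bytes, at most one bootable partition, no overlapping partitions). It also shows the simplest detection for an MBR overwrite, comparing the sector against a baseline fingerprint taken when the machine was known to be healthy. The partition values and the overwritten sector are constructed sample data, and the helper names are assumptions of this example.

```python
import hashlib
import struct
from itertools import combinations

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446          # 446 bytes of boot code precede the table
ENTRY_FORMAT = "<B3sB3sII"            # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
VALID_STATUS = {0x00, 0x80}           # 0x00 = inactive, 0x80 = bootable


def build_mbr(partitions):
    """Build a constructed MBR sector from (status, type, lba_start, sector_count) tuples.
    Boot code is left as zeros; only the partition table and signature matter here."""
    sector = bytearray(SECTOR_SIZE)
    for i, (status, ptype, lba_start, count) in enumerate(partitions):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        struct.pack_into(ENTRY_FORMAT, sector, offset,
                         status, b"\0\0\0", ptype, b"\0\0\0", lba_start, count)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def parse_partition_table(sector):
    """Return the four 16-byte partition entries as dictionaries."""
    entries = []
    for i in range(4):
        offset = PARTITION_TABLE_OFFSET + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack_from(
            ENTRY_FORMAT, sector, offset)
        entries.append({"index": i, "status": status, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def check_mbr(sector):
    """Return a list of findings; an empty list means the sector looks structurally sane."""
    if len(sector) != SECTOR_SIZE:
        return [f"sector is {len(sector)} bytes, expected {SECTOR_SIZE}"]
    findings = []
    if sector[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    # Type 0x00 marks an unused entry; only populated entries are validated.
    entries = [e for e in parse_partition_table(sector) if e["type"] != 0x00]
    active = [e for e in entries if e["status"] == 0x80]
    if len(active) > 1:
        findings.append(f"{len(active)} partitions marked bootable, expected at most 1")
    for e in entries:
        if e["status"] not in VALID_STATUS:
            findings.append(f"entry {e['index']}: invalid status byte 0x{e['status']:02x}")
        if e["lba_start"] == 0 or e["sectors"] == 0:
            findings.append(f"entry {e['index']}: zero start or length")
    for a, b in combinations(entries, 2):
        a_end = a["lba_start"] + a["sectors"]
        b_end = b["lba_start"] + b["sectors"]
        if a["lba_start"] < b_end and b["lba_start"] < a_end:
            findings.append(f"entries {a['index']} and {b['index']} overlap")
    return findings


def fingerprint(sector):
    """SHA-256 of the raw sector, recorded while the machine is known to be healthy."""
    return hashlib.sha256(sector).hexdigest()


def mbr_changed(baseline_fingerprint, sector):
    """True when the current sector no longer matches the recorded baseline."""
    return fingerprint(sector) != baseline_fingerprint


# Constructed sample: a bootable NTFS (type 0x07) system partition followed by a data partition.
HEALTHY_MBR = build_mbr([(0x80, 0x07, 2048, 1024000),
                         (0x00, 0x07, 1026048, 20000000)])
# Constructed stand-in for a sector whose contents have been overwritten with foreign data.
OVERWRITTEN_MBR = bytes([0x37]) * SECTOR_SIZE

if __name__ == "__main__":
    baseline = fingerprint(HEALTHY_MBR)
    for name, sector in (("healthy", HEALTHY_MBR), ("overwritten", OVERWRITTEN_MBR)):
        print(name, "changed:", mbr_changed(baseline, sector), "findings:", check_mbr(sector))
```

The structural checks catch a sector that no longer resembles a partition table at all, but the baseline comparison is the more reliable signal in practice: on a managed machine the MBR should not change outside a planned OS or boot loader update, so any difference from the recorded fingerprint is worth an alert. Reading the real sector 0 requires raw disk access and administrative rights, which is why this example works on constructed bytes.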
Why is Petya ransomware different?
Petya is being distributed through spam emails that are camouflaged as job applications, suggesting that the ransomware targets businesses, particularly human resources departments.
Petya emails can be recognized by the included link to a shared Dropbox folder that contains a self-extracting archive posing as the applicant's CV and a fake photograph. If the archive is downloaded and executed, the ransomware is installed. To be safe, delete any job applications that contain links to Dropbox.
The Petya malware rewrites the computer's MBR and triggers a critical Windows error that causes the computer to reboot.
After the initial reboot, a fake Windows check disk operation is displayed. During this step, the ransomware encrypts the master file table (MFT), which holds an entry for every other file on the volume and records which segments of the hard disk each file occupies.
After the MFT encryption is done, Petya will display the ransom message accompanied by a skull drawn in ASCII characters. The message instructs victims to access a decryption site on the Tor anonymity network and provides them with a unique code that identifies their PC.
The ransom for the key to decrypt the master file table is currently set at 0.99 bitcoins, approximately $430.
Currently the Petya ransomware seems to be targeting companies in Germany, but the likelihood of it remaining localized is low: most ransomware attacks begin in one country or region and grow to a global scale as the attackers' resources grow.
Retrieving data without the ransom
It is important to note that while Petya does not encrypt the file data itself, it holds the data hostage by making the computer unable to locate it. The raw data can still be read with data recovery software, but rebuilding the files would take a long time and they could be corrupted, especially in the case of fragmented files that are spread across storage blocks in different regions of the disk.
Protecting against Petya & other ransomware
Ransomware can be notoriously difficult to detect until it is too late; some variants even manage to fool sandboxes. The best way to protect your business data against ransomware is to back up and encrypt the data on all user computers. This ensures that data is retrievable in the case of an attack, that it is not leaked, and that your business data is not held to ransom. Cibecs does this automatically, so IT does not need to worry about users missing backup schedules; total control remains in IT's hands through the central dashboard, which allows monitoring as well as management of user data, such as restoring data, revoking encryption key access and remotely wiping computers.