To achieve its goal, the attacker sends out an innocuous-looking email that purports to be from a job applicant, with instructions to download a CV hosted in a Dropbox folder. Following the link downloads an EXE file. Running that file crashes the PC with a blue screen and reboots it. Prior to the reboot, the Master Boot Record (MBR) of the system is manipulated in a way that allows Petya to control the boot process.
Petya sets itself apart by the volume of data it tries to encrypt. While most ransomware is content with encrypting single files, usually documents that seem important, Petya goes for the entire hard drive instead. After the user unwittingly runs the program carrying the ransomware, Petya takes over the bootloader and restarts the computer. It then displays a screen informing the user that Windows is performing a check disk operation when, in fact, it is already trying to encrypt the entire disk. Once done, it reveals its true colors, literally, directing the victim to browse to a specific website using TOR for anonymity. The website, in turn, contains instructions on how to pay the ransom. The ransom doubles in price after 7 days.
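As an added example, not code from the original post, the following Python compares a disk's first sector against a known-good copy to flag the kind of MBR tampering described above. It assumes the classic MBR layout (446 bytes of bootstrap code, a 64-byte partition table of four 16-byte entries, and the 0x55AA signature); the MBR bytes below are constructed for the demo, not taken from a real disk.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOTSTRAP_LEN = 446          # bootstrap code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
SIGNATURE = b"\x55\xaa"      # boot signature at bytes 510..511
ENTRY_FMT = "<B3xB3xII"      # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a bootstrap hash, partition entries and signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "sectors": sectors})
    return {"bootstrap_sha256": hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest(),
            "partitions": partitions,
            "signature_ok": mbr[510:512] == SIGNATURE}


def check_mbr(current: bytes, baseline: bytes) -> list:
    """Compare the current MBR with a known-good baseline and return a list of findings."""
    cur, base = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootstrap_sha256"] != base["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if cur["partitions"] != base["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_mbr(bootstrap: bytes, partitions) -> bytes:
    """Assemble a constructed MBR for the demo (not a real disk image)."""
    table = b"".join(struct.pack(ENTRY_FMT, *p) for p in partitions)
    table = table.ljust(64, b"\x00")
    return bootstrap.ljust(BOOTSTRAP_LEN, b"\x00") + table + SIGNATURE


# Constructed samples: one NTFS-type partition, bootable, starting at LBA 2048.
BASELINE = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c", [(0x80, 0x07, 2048, 204800)])
# Same partition table, but the bootstrap code has been replaced (constructed bytes).
TAMPERED = build_mbr(b"\xeb\x21\x90" + b"\x41" * 20, [(0x80, 0x07, 2048, 204800)])

if __name__ == "__main__":
    print(check_mbr(TAMPERED, BASELINE))
```

On a live system the baseline would be captured from the first 512 bytes of the boot disk while it is known to be clean and stored off-host, so a later comparison cannot be tampered with by the same malware.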
We recommend not paying the requested ransom and as soon as you read this blog, ensure that all your data is backed up. That way, you can just copy that image back across, should the worst happen.
This is by no means the first ransomware online; it’s part of a worrying trend that seems to line up businesses as more lucrative victims than individuals – one hospital this year has already paid $17,000 in bitcoins after it was locked out of its network.
As with many of these attacks, Petya relies on computer users clicking links sent in emails before really considering what they are, or the potential implications. One sure-fire way to cut down on these is simply to refuse to open random files from people you don’t know. Be careful: do not open any attachments or click on any links that you were not expecting or have no reason to receive.