This Petya ransomware will kill the Master Boot Record making your hard disk useless. If this fails, it will then run a file-encypting program
Petya is an unusual ransomware threat that first popped up on security researchers’ radar in March. Instead of encrypting a user’s files directly, it encrypts the master file table (MFT) used by NTFS disk partitions to hold information about file names, sizes and location on the physical disk.
Before encrypting the MFT, Petya replaces the computer’s master boot record (MBR), which contains code that initiates the operating system’s bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves computers unable to boot.
However, in order to overwrite the MBR after it infects a computer, the malware needs to obtain administrator privileges. It does so by asking users for access via the User Account Control (UAC) mechanism in Windows.
In previous versions, if Petya failed to obtain administrator privileges, it stopped the infection routine. However, in such a case, the latest variant installs another ransomware program, dubbed Mischa, that begins to encrypt users’ files directly, an operation that doesn’t require special privileges.
The ransom that Mischa currently asks is approx 2 bitcoins, or around US$900
Another thing that sets Mischa apart is that it encrypts executable (.EXE) files in addition to documents, pictures, videos and other user-generated files typically targeted by ransomware programs. This has the potential to leave installed programs and the OS in a non-functional state, making it harder to pay the ransom from the affected system.
The installer for the Petya-Mischa combo is distributed via spam emails that pose as job applications.
These emails contain a link to an online file storage service that hosts a picture of the alleged applicant and a malicious executable file that masquerades as a PDF document.
If it’s downloaded and executed, the fake PDF file first tries to install Petya and if that fails, it installs Mischa.
There is currently no known way to restore files encrypted by Mischa without paying the ransom.