ransomware Archives – Sterling IT

This Petya ransomware will kill the Master Boot Record making your hard disk useless. If this fails, it will then run a file-encypting program

Petya is an unusual ransomware threat that first popped up on security researchers’ radar in March. Instead of encrypting a user’s files directly, it encrypts the master file table (MFT) used by NTFS disk partitions to hold information about file names, sizes and location on the physical disk.

Before encrypting the MFT, Petya replaces the computer’s master boot record (MBR), which contains code that initiates the operating system’s bootloader. Petya replaces it with its own malicious code that displays the ransom note and leaves computers unable to boot.

However, in order to overwrite the MBR after it infects a computer, the malware needs to obtain administrator privileges. It does so by asking users for access via the User Account Control (UAC) mechanism in Windows.

In previous versions, if Petya failed to obtain administrator privileges, it stopped the infection routine. However, in such a case, the latest variant installs another ransomware program, dubbed Mischa, that begins to encrypt users’ files directly, an operation that doesn’t require special privileges.

The ransom that Mischa currently asks is approx 2 bitcoins, or around US$900

Another thing that sets Mischa apart is that it encrypts executable (.EXE) files in addition to documents, pictures, videos and other user-generated files typically targeted by ransomware programs. This has the potential to leave installed programs and the OS in a non-functional state, making it harder to pay the ransom from the affected system.

The installer for the Petya-Mischa combo is distributed via spam emails that pose as job applications.
These emails contain a link to an online file storage service that hosts a picture of the alleged applicant and a malicious executable file that masquerades as a PDF document.

If it’s downloaded and executed, the fake PDF file first tries to install Petya and if that fails, it installs Mischa.
There is currently no known way to restore files encrypted by Mischa without paying the ransom.

Cryptolocker is a particularly nasty type of ransomware that criminals have used to encrypt files on a victim’s computer before demanding a ransom for the encryption key to unlock the files. Without the key, the encryption renders the victim’s files useless so many people lost files or paid the ransom.

Two security firms, Fireeye and Fox IT have partnered to provide a solution which may help many people. The website Decrypt Cryptolocker can now be used to try and unlock files encrypted by the Cryptolocker malware.

Use of the Decrypt Cryptolocker service is free and simply requires you to upload a sample encrypted file to the website. If the website is able to decrypt your files, you can then download its recovery program and receive the unlocking master key by email.

Please note that this tool may not be able to decrypt some affected files.

Petya Ransomware, worst than Cryptolocker as will try and encrypt whole drive or most files.

How to decrypt, unlock and restore Cryptolocker malware for free