abedalkareem
Experienced DR Tech
Posts: 203
Joined: Mon Aug 31, 2015 12:57 pm
Location: Amman - Jordan
Contact: Website

The New Petya Ransomware

Tue Mar 29, 2016 5:37 am

This ransomware is different from the others that are currently being distributed as it targets the master boot record of the victim's hard drive. This allows it to show a ransom note before Windows starts.

Note that restoring the MBR will not fix this as the hard drive will still be encrypted. Please wait till Petya is analyzed further in the event that it can be decrypted.


https://www.youtube.com/watch?v=3YXYnAiSYrY#t=264.289478

pclab
Forum Moderator
Posts: 1648
Joined: Tue Jan 13, 2015 4:55 pm
Contact: Website Facebook

Tue Mar 29, 2016 7:50 am

Another crap ....
This is starting to get very dangerous...
www.pclab.com.pt
facebook.com/PCLAB.Assistencia.Tecnica

Jared
Forum Admin
Posts: 3584
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI
Contact: Website Facebook Twitter Skype YouTube Google+

Tue Mar 29, 2016 9:49 am

I like the idea of encrypting the MBR, could lead to a lot of work for us if they just stopped there. Too bad they had to go and encrypt the rest of the drive :lol: .

Jared
Forum Admin
Posts: 3584
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI
Contact: Website Facebook Twitter Skype YouTube Google+

Tue Mar 29, 2016 10:12 am

Judging by how fast that virus works, it can't be encrypting the entire volume.... I'm guessing it's just the MBR & $MFT that it's encrypting. I'd bet you could still get most everything recovered in RAW, just without much for file names.

Jared
Forum Admin
Posts: 3584
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI
Contact: Website Facebook Twitter Skype YouTube Google+

Tue Mar 29, 2016 10:17 am

Yep, that's what it does: https://www.grahamcluley.com/2016/03/petya-ransomware/

MBR and MFT. Though with NTFS, you may actually get a good chunk of data back by scanning with R-Studio. Sounds like it doesn't actually touch the rest of the data. Anyone have a copy of this virus I can play with?
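
An added example, not part of any post in this thread: a Python check over a raw disk image that locates the NTFS boot sector and counts how many leading $MFT records still carry the `FILE` signature, which tells you whether file names are likely recoverable or only RAW carving remains. The function names and the sample image are constructed for illustration; it assumes 512-byte sectors and an NTFS boot sector that is still readable.

```python
import struct

SECTOR = 512  # assumption: 512-byte sectors

def find_ntfs_boot_sector(img: bytes) -> int:
    """Byte offset of the first sector that looks like an NTFS boot sector, or -1."""
    for off in range(0, len(img) - SECTOR + 1, SECTOR):
        if img[off + 3:off + 11] == b"NTFS    " and img[off + 510:off + 512] == b"\x55\xaa":
            return off
    return -1

def mft_triage(img: bytes, sample: int = 16) -> dict:
    """Count how many of the first `sample` $MFT records still start with 'FILE'."""
    vbr = find_ntfs_boot_sector(img)
    if vbr < 0:
        return {"ntfs_found": False, "checked": 0, "intact": 0}
    bps, spc = struct.unpack_from("<HB", img, vbr + 0x0B)   # bytes/sector, sectors/cluster
    mft_lcn, = struct.unpack_from("<Q", img, vbr + 0x30)    # first cluster of $MFT
    raw, = struct.unpack_from("<b", img, vbr + 0x40)        # record size, signed encoding
    if bps == 0 or spc == 0:
        return {"ntfs_found": True, "checked": 0, "intact": 0}
    # Negative value means 2**(-raw) bytes; positive means that many clusters.
    rec_size = (1 << -raw) if raw < 0 else raw * bps * spc
    mft_off = vbr + mft_lcn * bps * spc
    checked = intact = 0
    for i in range(sample):
        magic = img[mft_off + i * rec_size: mft_off + i * rec_size + 4]
        if len(magic) < 4:
            break  # ran off the end of the image
        checked += 1
        intact += int(magic == b"FILE")
    return {"ntfs_found": True, "checked": checked, "intact": intact}

def build_sample_image(mft_scrambled: bool) -> bytes:
    """Constructed image: NTFS boot sector at sector 8, eight $MFT records at cluster 4."""
    img = bytearray(64 * SECTOR)
    vbr = 8 * SECTOR
    img[vbr + 3:vbr + 11] = b"NTFS    "
    struct.pack_into("<HB", img, vbr + 0x0B, 512, 1)
    struct.pack_into("<Q", img, vbr + 0x30, 4)
    struct.pack_into("<b", img, vbr + 0x40, -10)            # 1024-byte records
    img[vbr + 510:vbr + 512] = b"\x55\xaa"
    for i in range(8):
        off = vbr + 4 * SECTOR + i * 1024
        img[off:off + 4] = b"\xde\xad\xbe\xef" if mft_scrambled else b"FILE"
    return bytes(img)

if __name__ == "__main__":
    print("clean:    ", mft_triage(build_sample_image(False), sample=8))
    print("scrambled:", mft_triage(build_sample_image(True), sample=8))
```

Run it against a read-only image of the drive, never the original disk; a low `intact` count means the file-name metadata is gone and a RAW scan is the remaining option.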

Jidaj
Data Recovery Noob
Posts: 1
Joined: Wed Apr 13, 2016 3:40 am

Wed Apr 13, 2016 5:09 am

http://www.bbc.com/news/technology-36014810 BBC says they have finally cracked the encryption system :ugeek: .
I cannot open the links to recovery software, though. Perhaps the problem is my IP or to be fixed soon. If I needed to recover my data in bulk, I would rather apply the recovery tools that work without decryption like those available e.g. at http://nabzsoftware.com/types-of-threat ... -decrypted
Besides, the method advised by BBC seems to target files on a case-by-case basis, which may take ages. Anyway, great news, I hope the malicious encryption is soon to die away, anyway))))

Jared
Forum Admin
Posts: 3584
Joined: Mon Jan 12, 2015 12:32 pm
Location: Providence, RI
Contact: Website Facebook Twitter Skype YouTube Google+

Wed Apr 13, 2016 8:35 am

I have a tutorial here: https://www.data-medics.com/data-recove ... s-5-steps/

The issue is likely Windows Defender blocking the download. And the fact that he included the word "petya" in the name of the contained exe makes even the browser go crazy. See if following my guide works.

I'm good
Data Recovery Noob
Posts: 2
Joined: Mon Oct 24, 2016 5:26 am

Mon Oct 24, 2016 5:37 am

Jidaj wrote: http://www.bbc.com/news/technology-36014810 BBC says they have finally cracked the encryption system :ugeek: .


Oh, I read this article. Thank you!
