
Trojan.Petya

Classification

Category:

Malware

Type:

Trojan

Aliases:

  • Petya.[variant]
  • Trojan.Ransom.Petya.[variant]

Summary

Petya is ransomware that encrypts the Master Boot Record on a computer and demands payment of a ransom in order to obtain the decryption key needed to restore normal access to the affected machine.

Removal

Technical Details

Unlike most other crypto-ransomware, Petya will encrypt the Master Boot Record (MBR), a special section of a computer's hard drive that runs first and starts (boots) its operating system, allowing all other programs to run.

Arrival via email

Users typically first encounter Petya ransomware through email messages. The emails contain legitimate-looking business content, such as an application for a job opening, and a link to a file stored on a legitimate cloud storage service. The link is designed to look like it leads to a résumé document, but it actually points to an executable program. Once the disguised file is downloaded and run, it downloads the actual ransomware and runs it on the user's machine.

At the time of writing, the disguised file has been removed from the cloud storage service. Cases of Petya infection are currently mostly reported targeting companies in Germany.

Encrypting the MBR

Technically speaking, the disguised file is a packer that is compiled in Visual C++. The packer code is obfuscated and uses multiple layers of encryption to hide its malicious payload - a DLL file that is executed in memory-allocated space, so that no files are dropped on the system.

The DLL file is responsible for fetching the machine's MBR and encrypting it with an XOR cipher. The DLL then overwrites the MBR with the malware's own boot code, and the original, now-encrypted MBR is written to the sector immediately following the malware's code.
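As an added defensive illustration (not code from the original description), the following Python script compares a disk's first sector against a known-good hash and reports whether the sector right after it holds data, which is where this description says the encrypted original is parked. The two-sector disk image, the stub boot code, the partition entry and the single-byte XOR key are all constructed assumptions for the demo, not details taken from Petya.

```python
import hashlib

SECTOR = 512
BOOT_SIG = b"\x55\xaa"


def build_mbr(code: bytes) -> bytes:
    """Assemble a 512-byte MBR: boot code, one partition entry, boot signature."""
    code = code.ljust(446, b"\x00")[:446]
    # Constructed partition entry: bootable, type 0x07, LBA start 2048, 204800 sectors.
    entry = (bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0])
             + (2048).to_bytes(4, "little")
             + (204800).to_bytes(4, "little"))
    table = entry + b"\x00" * 48
    return code + table + BOOT_SIG


def mbr_report(disk: bytes, baseline_sha256: str) -> dict:
    """Compare sector 0 to a known-good hash and note whether sector 1 is non-empty."""
    mbr = disk[:SECTOR]
    following = disk[SECTOR:2 * SECTOR]
    return {
        "signature_ok": mbr[510:512] == BOOT_SIG,           # a replaced MBR is still bootable
        "matches_baseline": hashlib.sha256(mbr).hexdigest() == baseline_sha256,
        "sector1_nonempty": any(following),                 # parked, encrypted original MBR
    }


# Constructed samples: a clean disk, and a disk whose MBR was swapped out and whose
# original MBR was XORed with one byte (0x37, an assumption) and written to sector 1.
CLEAN_MBR = build_mbr(b"\xfa\x33\xc0\x8e\xd0")             # constructed stub boot code
BASELINE = hashlib.sha256(CLEAN_MBR).hexdigest()           # record this on a known-good host
CLEAN_DISK = CLEAN_MBR + b"\x00" * SECTOR
TAMPERED_DISK = build_mbr(b"\xeb\x3c\x90XYZ") + bytes(b ^ 0x37 for b in CLEAN_MBR)

if __name__ == "__main__":
    print(mbr_report(CLEAN_DISK, BASELINE))
    print(mbr_report(TAMPERED_DISK, BASELINE))
```

The tampered image still passes the boot-signature check, which is why a hash baseline of sector 0 (plus a look at the sectors behind it) is the check worth keeping in an integrity or forensic triage script.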

More technical details of how Petya performs the encryption are available at:

Displaying the ransom demand

The ransomware will then trigger an error that causes the system to crash, displaying what is known as a 'blue screen of death' (BSOD). To do this, the DLL file will call NtRaiseHardError to trigger "0xC0000350 Error", leading the system to BSOD and restart. When it tries to start again, the malicious MBR is loaded and executes the malware code written on the "\\.\PhysicalDrive0" sectors.

A red screen (complete with skull illustration) is then displayed, containing the ransom text. From this point onwards, the user's machine is inaccessible without the decryption key.

More

For more about this threat, see:
