Unlike most other crypto-ransomware, which encrypts individual files, Petya targets the Master Boot Record (MBR): the first sector of the hard drive, whose code runs before the operating system and hands control to it. Without a usable MBR the machine cannot boot, so nothing else on it can run.
Arrival via email
Users typically first encounter Petya through email. The messages carry legitimate-looking business content, such as an application for a job opening, and a link to a file hosted on a legitimate cloud storage service. The link is made to look like it points to a résumé document, but the file is actually an executable. Once the disguised file is downloaded and run, it downloads the real ransomware and runs it on the user's machine.
At the time of writing, the disguised file has been removed from the cloud storage service. Reported Petya infections are currently concentrated on companies in Germany.
Encrypting the MBR
Technically speaking, the disguised file is a packer compiled with Visual C++. The packer code is obfuscated and wrapped in multiple layers of encryption to hide its malicious payload: a DLL that is decrypted into allocated memory and executed there, so no files are dropped on disk.
The DLL is responsible for reading the machine's MBR and encrypting it with a XOR cipher. It then overwrites the MBR with the malware's own boot sector and writes the original, now-encrypted MBR to the sector immediately following the malware's code.
More technical details of how Petya performs the encryption are available at:
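The sector layout described above (malicious MBR in sector 0, original MBR XOR-encrypted and parked after the malware's code) can be reproduced and, more usefully, undone with a few lines of code. The following is an added example, not code from the original post or from the malware: it builds a constructed disk image with a synthetic MBR, mimics the displacement with a hypothetical single-byte XOR key (the post does not state the key or its length), and then recovers the original MBR forensically by scanning the early sectors and brute-forcing every single-byte key against the known MBR structure (the 0x55AA boot signature and a sane partition table). The byte-level check in `looks_like_mbr` is an assumption a responder would make about any MBR, not something the post describes.

```python
"""Petya-style MBR displacement and forensic recovery (added example, constructed data).

Nothing here touches a real drive; the disk is an in-memory bytearray.
"""
import struct

SECTOR = 512
MBR_SIGNATURE = b"\x55\xAA"
FILLER = b"\xCC"                  # stand-in for the malware's boot-stage code
ASSUMED_KEY = 0x37                # hypothetical single-byte XOR key (not from the post)
ASSUMED_PAYLOAD_SECTORS = 16      # hypothetical size of the malware's code after sector 0


def build_sample_mbr() -> bytes:
    """Constructed MBR: 446 bytes of bootstrap code, one NTFS partition entry, 0x55AA."""
    bootstrap = b"\xEB\x3C\x90" + b"\x90" * 443
    # status, CHS start, type 0x07 (NTFS), CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three entries empty
    mbr = bootstrap + table + MBR_SIGNATURE
    assert len(mbr) == SECTOR
    return mbr


def xor_sector(data: bytes, key: int) -> bytes:
    """Single-byte XOR; applying it twice with the same key restores the data."""
    return bytes(b ^ key for b in data)


def infect(disk: bytearray, key: int, payload_sectors: int) -> None:
    """Mimic the layout the post describes: replace sector 0, keep the partition table
    (the fake boot sector must still boot), store the malware's code in the following
    sectors, and park the XOR-encrypted original MBR right after that code."""
    original = bytes(disk[:SECTOR])
    malicious = b"\xB8\x13\x00" + b"\x90" * 443 + original[446:510] + MBR_SIGNATURE
    disk[:SECTOR] = malicious
    disk[SECTOR:(1 + payload_sectors) * SECTOR] = FILLER * (payload_sectors * SECTOR)
    parked = (1 + payload_sectors) * SECTOR
    disk[parked:parked + SECTOR] = xor_sector(original, key)


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility check used as the known-plaintext oracle for the brute force."""
    if len(sector) != SECTOR or sector[510:512] != MBR_SIGNATURE:
        return False
    nonempty = False
    for i in range(4):
        entry = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        if entry[0] not in (0x00, 0x80):    # status byte must be inactive or bootable
            return False
        nonempty = nonempty or any(entry)
    return nonempty


def recover_original_mbr(disk: bytes, max_sectors: int = 64):
    """Scan sectors 1..max_sectors; for each, try all 256 single-byte keys and return
    (sector_index, key, plaintext) for the first candidate that looks like an MBR.
    Key 0 covers the case where the original was parked unencrypted."""
    limit = min(max_sectors, len(disk) // SECTOR)
    for idx in range(1, limit):
        sector = bytes(disk[idx * SECTOR:(idx + 1) * SECTOR])
        for key in range(256):
            candidate = xor_sector(sector, key)
            if looks_like_mbr(candidate):
                return idx, key, candidate
    return None


def demo():
    """Build a 32-sector disk, infect it, and recover the original MBR."""
    original = build_sample_mbr()
    disk = bytearray(original + b"\x00" * SECTOR * 31)
    infect(disk, ASSUMED_KEY, ASSUMED_PAYLOAD_SECTORS)
    result = recover_original_mbr(disk)
    return original, disk, result


if __name__ == "__main__":
    original, disk, result = demo()
    idx, key, recovered = result
    print(f"original MBR found in sector {idx}, XOR key 0x{key:02X}, intact={recovered == original}")
```

On a real image the same scan would start from a raw dump of `\\.\PhysicalDrive0` (or the evidence disk), and a multi-byte key would need the check to be applied per byte position rather than per sector; the structure check stays the same. Recovering the MBR this way restores the ability to boot only if the rest of the disk was left untouched, which is why an image should be taken before anything is written back.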
Displaying the ransom demand
The ransomware then forces a crash that shows the familiar 'blue screen of death' (BSOD). To do this, the DLL calls NtRaiseHardError with the status code 0xC0000350 (STATUS_HOST_DOWN), which brings the system down to a BSOD and a reboot. When the machine starts again, the firmware loads the malicious MBR from the first sector of "\\.\PhysicalDrive0", and it executes the malware code stored in the sectors that follow.
A red screen, complete with a skull illustration, is then displayed containing the ransom text. Because this screen is drawn by the malware's own boot code, Windows never loads; from this point on the machine is unusable without the decryption key.
Petya's ransom demand screen
For more about this threat, see: