This year should be declared as year of Ransomware! Cyber-criminals come up with new families and new versions of it, resulting in making life miserable for victims of their extortion campaigns. In our threat predictions for 2016, we had predicted that Ransomware will be a major threat in this year. Little did we know that Ransomware would target Master Boot Record. We have witnessed Ransomware locking desktop, encrypting files, Web servers, shared drives and backups and targeting various operating systems.
According to the latest research of eScan, a new variant of Ransomware named Petya (Trojan.Ransom.Petya.C) has been found targeting human resources in German companies, the Malware replaces Master Boot Record (MBR) and encrypts the Master File Table on an infected Windows computer’s hard drive and demands 9 Bitcoin in return for the decryption key.
How does Petya enter the system?
It is typically transmitted through spam emails targeting business users pretending to contain job applications. For instance, HR personnel receiving a Dropbox link to a file, which pretends to be resume of a candidate, who is seeking a position in the company. Clicking the file leads to installation of Ransomware. The Malware replaces boot drive’s Master Boot Record (MBR) with a malicious loader. MBR is the first sector of any hard disk, which tells computer how it should boot the operating system. The Malicious loader will prevent the computer loading the OS correctly and disables booting up in Safe Mode and it will force Windows to reboot. In order to execute the Ransomware, it will display a phony checkdisk (CHKDSK) operation. During this process, the Malware will encrypt master file table. Master File table is a database in which information about every file and directory on an NTFS volume is stored. Once MFT is encrypted, the system does not know where files are located, or if they even exist, as it is inaccessible. After successful encryption of MFT is carried out, Ransomware displays a ransom message to victim, instructing them to connect to TOR site and pay 9 Bitcoin to make ransom payment. The cyber crooks intentionally choose Tor to maintain anonymity.
What makes this Ransomware unique?
Typical Ransomware usually encrypts files of certain types like pictures, office documents and so on. The OS is untouched by the Malware as cyber-crook expects the victim to use the pc for ransom payment. However, in this case, it does not happen likewise since access to the whole hard drive is blocked.
How to safeguard?
- Update your antivirus software (eScan) on regular basis, which will protect your system from all kinds of Malware attacks.
- Ensure that all software installed in your system are updated frequently, including Oracle Java and Adobe.
- Implement a three dimensional security policy in your organization, i.e. firstly understand your requirement based on which IT Security policy would be prepared accordingly. Secondly, educate your staff about the policy and finally enforce the policy.
- Make sure you either implement MailScan at gateway level or enable Mail Anti-virus on endpoint in order to block extensions such as *.EXE, *.SCR, *.JS, *.VBE etc. These attachments would infect your system.
- Open emails only if you are positive about the source.
- Regularly backup your important files.