March 28, 2016 by

Petya Ransomware Corrupts Windows’ Boot Record

A new strain of malware that is found in the wild and is using methods of dispersal such as Dropbox and email has the means to lock Windows users out of their computers completely.

A new ransomware strain that is being distributed via email and Dropbox called “Petya” is locking users out of their computers and keeping them from regaining access to their Windows desktop unless a ransom of over $400 is paid.

The ransomware was revealed in a report by security firm Trend Micro. The link to the ransomware is included in professional correspondence emails that contains a Dropbox link.

The ransomware campaign reportedly targets employers as a message coming from professionals looking for work. Basically, the Dropbox link is purporting to help targets download resumes of those seeking employment.

As it turns out, the file is actually a self-extracting executable file that is designed to install a Trojan that blocks active security protocols in the background before downloading the Petya ransomware onto the targeted machine.

Trend Micro’s blog reads:

Not only does this malware have the ability to overwrite the affected system’s master boot record (MBR) in order to lock users out, it is also interesting to note that it is delivered to victims via a legitimate cloud storage service (in this case, via Dropbox).

Once the payload is downloaded and triggered, Petya sets out to overwrite the master boot record (MBR) of the infected OS before bringing about the dreaded blue screen of death. It gets worse, however.

When the user tries to reboot the computer, a bright red screen pictured with an ASCII skull and crossbones turns up, a clear sign of a corrupted MBR. Noting that the ransomware has locked out the user from the operating system with a “military-grade encryption algorithm”, the victim is asked to pay 1 bitcoin, approx. $425.

The edited MBR also keeps the user from restarting into Safe Mode, which is disabled by the ransomware. Instead, a list of demands followed by a link to the Tor Project browser and the means to pay with a bitcoin is provided as instructions to the user.


If the ransom isn’t paid within a stipulated period in time, the price would be doubled if the on-screen deadline for payment is missed.

petya_figure3Images credit: Trend Micro.

About the author

Image of Author

LIFARS is a digital forensics and cybersecurity intelligence firm based in New York City. LIFARS is ranked as one of the top Digital Forensics and Cyber Investigations companies in 2016 and as one of the top cybersecurity companies in the New York metropolitan area for 2015 on the Cybersecurity 500 – a directory of the hottest and most innovative companies to watch in the cybersecurity industry.

Related articles

26% of Ransomware Attacks Target Corporate Businesses

New research from Kaspersky Lab has revealed that the number of ransomware attacks targeting...

Read more arrow_forward

Ransomware Payments to Hit a Record $2 Billion in 2017: Research

According to new research from a cybersecurity firm, ransomware payments will hit a high of $2...

Read more arrow_forward

UK Govt Blames North Korea for WannaCry Ransomware CyberAttack

  The UK government has blamed North Korea for WannaCry - the comprehensive ransomware...

Read more arrow_forward