March 28, 2016 by

Petya Ransomware Corrupts Windows’ Boot Record

A new strain of malware that is found in the wild and is using methods of dispersal such as Dropbox and email has the means to lock Windows users out of their computers completely.

A new ransomware strain that is being distributed via email and Dropbox called “Petya” is locking users out of their computers and keeping them from regaining access to their Windows desktop unless a ransom of over $400 is paid.

The ransomware was revealed in a report by security firm Trend Micro. The link to the ransomware is included in professional correspondence emails that contains a Dropbox link.

The ransomware campaign reportedly targets employers as a message coming from professionals looking for work. Basically, the Dropbox link is purporting to help targets download resumes of those seeking employment.

As it turns out, the file is actually a self-extracting executable file that is designed to install a Trojan that blocks active security protocols in the background before downloading the Petya ransomware onto the targeted machine.

Trend Micro’s blog reads:

Not only does this malware have the ability to overwrite the affected system’s master boot record (MBR) in order to lock users out, it is also interesting to note that it is delivered to victims via a legitimate cloud storage service (in this case, via Dropbox).

Once the payload is downloaded and triggered, Petya sets out to overwrite the master boot record (MBR) of the infected OS before bringing about the dreaded blue screen of death. It gets worse, however.

When the user tries to reboot the computer, a bright red screen pictured with an ASCII skull and crossbones turns up, a clear sign of a corrupted MBR. Noting that the ransomware has locked out the user from the operating system with a “military-grade encryption algorithm”, the victim is asked to pay 1 bitcoin, approx. $425.

The edited MBR also keeps the user from restarting into Safe Mode, which is disabled by the ransomware. Instead, a list of demands followed by a link to the Tor Project browser and the means to pay with a bitcoin is provided as instructions to the user.


If the ransom isn’t paid within a stipulated period in time, the price would be doubled if the on-screen deadline for payment is missed.

petya_figure3Images credit: Trend Micro.

About the author

Image of Author

LIFARS is the global leader in Digital Forensics and Cyber Resiliency Services. Our experience spans two decades working on high profile events, often in concert with Law Enforcement Agencies around the world. Our proprietary methodology derives directly and indirectly from our experience working with and for U.S. Intelligence Agencies, Interpol, Europol, and NATO. We are solely dedicated to Cyber Resiliency and thus pay close attention to all aspects of our clients’ engagements experience while providing a strategic and integrated array of services to minimum risk and disruption while protecting your brand.

Related articles

US Hospital Coughs Up $55,000 to Hackers after Ransomware Attack

A ransomware attack targeting a hospital in Greenfield, Indiana, has seen hackers make away with...

Read more arrow_forward

47 Million Emails/Day: Necurs Botnet Launches Massive Ransomware Campaign

A cybersecurity firm has revealed it has blocked as many as 47 million emails per day spewed by the...

Read more arrow_forward

Ransomware Continues to Dominate as 2017’s Main Attack Vector

Cyber attacks are on the rise in 2017, clocking a staggering 238% jump in attacks against endpoints....

Read more arrow_forward