What makes them thick
15 April 2016
The menacing tide of ransomware appeared to have got somewhat worse last month with the arrival of a new variant that overwrote master boot records (MBR) on hard disks, making it even more difficult to deal with.
Petya ransomware overwrites the MBR of the affected PCs, leaving operating systems in an unbootable state, researchers from the antivirus company Trend Micro reported.
The researchers said that Petya does not encrypt the data on the disk, but rather it encrypts the master file table (MFT), the special file on NTFS partitions that contains information about every other file, such as name, size and mapping to the hard disk sectors.
After the MFT encryption is complete, the rogue Petya MBR code displays the ransom message accompanied by a skull drawn in ASCII characters, instructing users to access the attackers’ decryption site on the Tor anonymity network and providing them with a unique code that identifies their computer.
And the price for release? 0.99 bitcoins (BTC), or around €385.
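Because Petya's first move is to replace the MBR, a simple defensive check is to baseline the bootstrap code of the first sector and raise an alarm when it changes. The following is an added example, not code from the original column or from Trend Micro; it works on a raw 512-byte sector (read from a disk image or a baseline stored earlier) and uses two constructed sample MBRs, one clean and one with the bootstrap code swapped out while the partition table is left intact.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446          # bytes 0..445 hold the bootstrap code
BOOT_SIGNATURE = b"\x55\xAA"  # bytes 510..511 on a valid MBR


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte MBR into bootstrap code, four partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    return {
        "code": sector[:BOOTSTRAP_LEN],
        "partitions": [sector[446 + 16 * i: 446 + 16 * (i + 1)] for i in range(4)],
        "signature": sector[510:],
    }


def bootstrap_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table may legitimately change."""
    return hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if bootstrap_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    for i, entry in enumerate(mbr["partitions"]):
        status = entry[0]  # 0x00 inactive or 0x80 bootable; anything else is corrupt
        if status not in (0x00, 0x80):
            findings.append(f"partition {i}: invalid status byte {status:#04x}")
    return findings


def make_mbr(code: bytes) -> bytes:
    """Constructed sample: given bootstrap bytes plus one NTFS (type 0x07) partition entry."""
    code = code.ljust(BOOTSTRAP_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return code + entry + b"\x00" * 48 + BOOT_SIGNATURE


GOOD_MBR = make_mbr(b"\xfa\x33\xc0\x8e\xd0")           # constructed "known-good" bootstrap bytes
BASELINE = bootstrap_hash(GOOD_MBR)                     # what you would store at install time
TAMPERED_MBR = make_mbr(b"\xeb\x3c\x90" + b"CHANGED")   # constructed: bootstrap replaced, table kept
```

Run `check_mbr` against a freshly read first sector on a schedule; a non-empty result on a machine where no bootloader update was expected is the signal to pull it off the network before the next reboot.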
This was a most worrying development in the ransomware technology war.
However, some months ago, at the end of last year in fact, I made a prediction — dangerous I know, but I did it nonetheless.
I said that 2016 would see a rise in attacks by half-baked cybercriminals that may well create more havoc than those executed by the more discerning cybercriminal that has a firm grasp on arse and elbow concepts.
I said that the trend towards usability and user-friendliness in crimeware would see people with motive and resources perpetrating cybercrimes without necessarily having a full understanding of the import of what they were doing, meaning that even if they wanted to release a victim after a ransom was paid, they may not be able to do so as a result of sheer ham-fistedness in execution.
I also warned that in certain instances the tools for do-it-yourself cybercrime are often mere trojans for the creator of the wares and act in their interest, not that of the buyer.
Now it seems as if my reckless predictions have been borne out to some extent.
That worrying development in ransomware mentioned above, Petya, seems to be less than the data death sentence it first appeared to be.
Experts from the popular tech support site BleepingComputer.com have published a procedure which not only recovers the data but also restores the MFT, recovering the drive.
Now the procedure is not straightforward, but it is effective and exploits weaknesses in the way the ransomware was put together.
While this solution is down to the tireless work of skilled and insightful information security professionals, it still shows that such attacks are often poorly designed and executed.
In this case the fallout is addressable, but the next one may not be so easy to deal with. Watch this space.
However, in protecting yourself and your organisation, the advice is still the same. Make sure your systems are up to date with patches, that you are at least aware of any zero-days that have been reported, and that you have a reasonable security posture with a minimised attack surface.
Educate your people about phishing, and its more targeted spear phishing variety, and make yourself generally the least attractive target in the neighbourhood.