New ransomware makes HDD inaccessible by overwriting Master Boot Record

Security researchers have found a new type of ransomware that doesn’t encrypt specific files but instead makes the entire HDD inaccessible. The malware has been named Petya and mainly targets companies.

https://www.youtube.com/watch?v=yfCt35RTR-U

Video: See how Petya infects a system

Petya is distributed through emails sent to the Human Resources (HR) departments of companies, containing a link to Dropbox. The email claims the link leads to a resume, but it points to an executable file instead. As soon as the file is opened, the computer crashes and reboots. After the reboot, the user sees a message stating that the computer is performing a disk analysis. In reality, this is when the ransomware does its work on the HDD.

The ransomware doesn’t encrypt the HDD but overwrites the Master Boot Record (MBR). After the disk analysis, a skull is shown together with a message stating that the disk is encrypted. A decryption key can be purchased through a Tor website for 0.99 Bitcoin ($412.50), a price that doubles after a week.

With the MBR overwritten, the PC can’t be started in safe mode, while the actual files don’t seem to be encrypted. It’s unclear whether the MBR can be restored to regain access to the HDD.
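
Because an MBR overwrite changes sector 0 of the disk, a known-good copy of that sector gives defenders something to compare against. The following is an added example, not part of the original article: it parses a 512-byte MBR and reports what differs from a baseline. The function names are hypothetical and the sample sectors are constructed.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_END = 446            # boot code area: bytes 0..445
BOOT_SIGNATURE = b"\x55\xaa"   # expected at bytes 510..511
ENTRY = struct.Struct("<B3xB3xII")  # status, (CHS), type, (CHS), LBA start, sector count

def parse_mbr(sector: bytes) -> dict:
    """Summarise a 512-byte MBR: boot-code hash, partition entries, signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, count = ENTRY.unpack_from(sector, BOOT_CODE_END + 16 * i)
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"slot": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba_start, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest(),
            "partitions": partitions,
            "signature_ok": sector[510:512] == BOOT_SIGNATURE}

def compare_to_baseline(baseline: bytes, current: bytes) -> list:
    """Return findings; an empty list means sector 0 matches the baseline."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    return findings

def build_sample_mbr(boot_code: bytes, signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Constructed test sector: one bootable type-0x07 partition at LBA 2048."""
    entry = ENTRY.pack(0x80, 0x07, 2048, 204800)
    return boot_code.ljust(BOOT_CODE_END, b"\x00") + entry + bytes(48) + signature

# Constructed sample data, not taken from any real disk or malware sample.
BASELINE = build_sample_mbr(b"constructed boot code A")
CHANGED = build_sample_mbr(b"constructed boot code B")
WIPED = bytes(SECTOR_SIZE)

if __name__ == "__main__":
    for name, sector in (("baseline", BASELINE), ("changed", CHANGED), ("wiped", WIPED)):
        print(name, compare_to_baseline(BASELINE, sector) or "matches baseline")
```

On a real system the 512 bytes would be read from sector 0 of the disk, which requires administrator rights, and the baseline copy should be stored off the machine.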