New ransomware with an old trick: “Petya” parties like it’s 1989

Thanks to Nemes Sándor and Anand Ajjan of SophosLabs for their behind-the-scenes work on this article.

Here’s a ransomware story with a difference.

Petya is modern-day malware that locks you out of your data, much like TeslaCrypt or Locky, but does it the hard way.

This malware family (detected and blocked by Sophos products as Troj/Petya-*) uses low-level programming tricks that went out of vogue nearly two decades ago.

Instead of scrambling your data files and leaving the rest of your computer running just fine, Petya leaves all your data intact, but scrambles the indexes on your disk so that Windows can no longer make sense of it.

In other words, the individual disk sectors that contain your programs and files are left untouched, but the so-called metadata that Windows uses to turn your raw data into useful information is wiped out.

That’s a bit like opening up a filing cabinet, taking out all the carefully-arranged papers from every folder in every drawer, unstapling every document, removing any bulldog clips or paper clips that are there to keep some sort of internal order…

…and then throwing the whole lot high in the air to land in a jumbled up mess.

Everything is there, but it’s not much use: you might be able to re-organise it, but it wouldn’t be a quick or a cheap job.

In common with most encrypting ransomware, Petya then offers to sell you an unscrambling key that will pick up all the papers, sort them into order, replace the staples and clips, put them in the right folders, and file them neatly back in their proper places.

What happens?

Petya arrives as an innocent-looking Windows program that you are forced, tricked or talked into running.

The malware then takes advantage of its good fortune, and:

  • Pops up a User Account Control (UAC) security prompt that it hopes you will authorise. (Sufficiently many legitimate programs do this that it is understandable, if undesirable, for you to click [OK].)
  • Generates a one-time encryption key of 16 bytes, together with a human-readable “personal decryption code” that the crooks use to identify you later.
  • Uses its privileges to write data-scrambling code and the encryption key into the Master Boot Record (MBR) and other disk sectors that lie outside the area allocated to your C: drive.
  • Reboots your computer.

The MBR is the very first sector on your hard disk, and on older computers, it’s the first thing (after the so-called BIOS firmware) that runs during startup.

That happens not only before Windows loads, but also while your computer is still running in what we’ll call “1980s-mode.”

The security features built into the processor itself, such as memory protection and privilege levels, aren’t activated yet.

Those hardware features are what Windows and other modern operating systems rely on to keep programs apart and to stop unauthorised access to critical system resources such as the hard disk itself.

In fact, even on a multi-core 64-bit CPU with gigabytes of RAM, a computer booting from the MBR is running in the same open-for-anyone-to-do-anything 16-bit mode that MS-DOS did 30 years ago, with just 1MB of RAM directly accessible.

Unfortunately, even just a few hundred bytes of code and RAM is more than enough to implement as-good-as-uncrackable encryption, and to scramble vital parts of the as-yet-unprotected hard disk.

Once Petya has encrypted your disk indexes, it rewrites its own data to wipe out the encryption key it just used, so you can’t simply reboot to unscramble the disk.

Petya uses a strong encryption algorithm called Salsa20 – strong enough that it won a global competition as the code of choice to replace the cipher known as RC4, which was found in the early 2000s to have irremediable cryptographic flaws and should no longer be used.

Petya’s sneaky trick, which greatly simplifies its implementation, is that it doesn’t bother trying to make sense of the directories and files on your Windows C: drive.

Instead, it simply scrambles the Master File Table (MFT) of your C: drive, which is the central index of what goes where in a Windows disk.

The MFT is much easier for low-level code like a boot sector to find than other files, by design.

That’s because the MFT is the core data needed to make sense of the rest of the disk, in much the same way that a technical paper usually has an abstract on the first page to help you get started.

Unfortunately, without the MFT, the rest of your data is not much more useful than a pile of digital shredded cabbage – so much so that Windows helpfully keeps a second copy of the MFT, but that’s easy to find, too.
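For recovery triage, the same "easy to find" property lets a responder check whether both index copies survive. The sketch below is an added example, not code from the original article or from the malware. It reads the $MFT and $MFTMirr locations from the standard NTFS boot sector fields and tests whether the first record of each copy still starts with the "FILE" signature. The function names and the tiny sample volume are constructed for illustration.

```python
import struct

def locate_mft(boot: bytes) -> dict:
    """Read the $MFT and $MFTMirr byte offsets from an NTFS boot sector."""
    if len(boot) < 512 or boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS boot sector")
    bytes_per_sector, spc = struct.unpack_from("<HB", boot, 0x0B)
    # Values above 128 encode large clusters as 2**(256 - spc) sectors.
    cluster = bytes_per_sector * (spc if spc <= 128 else 1 << (256 - spc))
    mft_lcn, mirr_lcn = struct.unpack_from("<QQ", boot, 0x30)
    (rec,) = struct.unpack_from("<b", boot, 0x40)
    # Positive: clusters per record. Negative: record is 2**(-rec) bytes.
    record_size = rec * cluster if rec > 0 else 1 << -rec
    return {"mft": mft_lcn * cluster, "mirror": mirr_lcn * cluster,
            "record_size": record_size}

def index_state(volume: bytes) -> dict:
    """Report whether the first record of each MFT copy still starts 'FILE'."""
    loc = locate_mft(volume[:512])
    return {name: volume[loc[name]:loc[name] + 4] == b"FILE"
            for name in ("mft", "mirror")}

def build_sample(scramble: bool = False) -> bytes:
    """Constructed 4 KiB volume: 512-byte clusters, $MFT at LCN 4, mirror at 2."""
    vol = bytearray(4096)
    vol[3:11] = b"NTFS    "
    struct.pack_into("<HB", vol, 0x0B, 512, 1)
    struct.pack_into("<QQ", vol, 0x30, 4, 2)
    struct.pack_into("<b", vol, 0x40, -10)   # 2**10 = 1024-byte records
    vol[510:512] = b"\x55\xaa"
    for off in (4 * 512, 2 * 512):
        # Zero bytes stand in for a record that no longer parses.
        vol[off:off + 4] = b"\x00\x00\x00\x00" if scramble else b"FILE"
    return bytes(vol)

if __name__ == "__main__":
    print(locate_mft(build_sample()[:512]))
    print(index_state(build_sample(scramble=True)))
```

Run against a read-only image of the volume rather than the live disk, so that the evidence a recovery service would need is left unchanged.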

Faster, leaner, meaner

The crooks can effectively lock you out of your whole disk by scrambling just a tiny part of it; and they can restore it equally quickly, making for a faster, leaner, meaner flavour of ransomware.

First, you see a fake CHKDSK screen intended to discourage you from pulling the plug until the malware has finished:

Then, in true 1980s malware style, there’s some 80×25 ASCII art:


Press a key, as instructed, and you get the “pay page”:

Petya doesn’t need, and doesn’t have, any programming for network access, because it doesn’t need to call home.

It relies on you doing the network call-home manually, by typing in one of the “dark web” URLs off the screen of your frozen computer, which takes you to a CAPTCHA:

Of course, you need a second computer to get online, but once you do, you’re in the same sort of situation that you would be with file-based ransomware like TeslaCrypt or Locky:

Good and bad news

The good news is that, according to our statistics, you’re unlikely to see this malware.

The bad news is that, just like a lot of 1980s boot sector malware, it’s likely to fail catastrophically by making incorrect assumptions about the layout of your disk.

If you have a recent Windows computer, the hard disk is almost certainly arranged using a system called GPT (short for GUID Partition Table) instead of MBR.

An MBR-based computer has, as its name suggests, a master boot record that contains not only the boot-time code but also the disk partition table; the sectors immediately following the MBR are almost always unused, which is why Petya “borrows” them to store some of its own code.

But a GPT hard disk has an MBR (for backward compatibility purposes) immediately followed by its own partition table: a one-sector header followed by at least 32 sectors of partition data.

Petya overwrites this GPT data, but doesn’t keep a backup of it, assuming instead that the sectors were unused.

If that happens, the malware can’t unscramble your disk.

A dedicated data recovery service might be able to recover some or all of your files (or an automated disk repair program might help if you are willing to risk trying and failing), but paying the crooks won’t help in such cases.
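To see which sectors are at stake on a given disk, the following added example (not from the original article) classifies the start of a disk image as plain MBR or GPT, validates the GPT header checksum, and returns the metadata sectors so they can be kept as an offline backup. It assumes 512-byte logical sectors; the function names and sample images are constructed for illustration.

```python
import struct
import zlib

SECTOR = 512  # assumed logical sector size

def describe_layout(image: bytes) -> dict:
    """Classify the start of a disk image and list the LBAs holding metadata."""
    mbr, hdr = image[:SECTOR], image[SECTOR:2 * SECTOR]
    if len(mbr) < SECTOR or mbr[510:512] != b"\x55\xaa":
        return {"scheme": "unknown", "metadata_lbas": None}
    # Four 16-byte partition entries start at offset 446; byte 4 is the type.
    types = [mbr[446 + 16 * i + 4] for i in range(4)]
    if 0xEE not in types or hdr[:8] != b"EFI PART":
        return {"scheme": "mbr", "metadata_lbas": (0, 0)}
    hdr_size, stored_crc = struct.unpack_from("<II", hdr, 12)
    entries_lba, count, entry_size = struct.unpack_from("<QII", hdr, 72)
    # The header CRC32 is computed with its own field zeroed.
    zeroed = hdr[:16] + b"\x00" * 4 + hdr[20:hdr_size]
    table_sectors = -(-(count * entry_size) // SECTOR)  # ceiling division
    return {"scheme": "gpt",
            "header_crc_ok": zlib.crc32(zeroed) == stored_crc,
            "metadata_lbas": (0, entries_lba + table_sectors - 1)}

def snapshot(image: bytes) -> bytes:
    """Return the metadata sectors so they can be kept offline as a backup."""
    lbas = describe_layout(image)["metadata_lbas"]
    if lbas is None:
        raise ValueError("no boot signature; layout unknown")
    return image[lbas[0] * SECTOR:(lbas[1] + 1) * SECTOR]

def build_sample(gpt: bool) -> bytes:
    """Constructed 40-sector image: protective MBR + GPT, or a plain MBR."""
    img = bytearray(40 * SECTOR)
    img[446 + 4] = 0xEE if gpt else 0x07
    img[510:512] = b"\x55\xaa"
    if gpt:
        img[SECTOR:SECTOR + 8] = b"EFI PART"
        struct.pack_into("<II", img, SECTOR + 8, 0x00010000, 92)
        struct.pack_into("<QII", img, SECTOR + 72, 2, 128, 128)
        crc = zlib.crc32(bytes(img[SECTOR:SECTOR + 92]))
        struct.pack_into("<I", img, SECTOR + 16, crc)
    return bytes(img)

if __name__ == "__main__":
    for gpt in (True, False):
        img = build_sample(gpt)
        print(describe_layout(img), len(snapshot(img)) // SECTOR, "sectors")
```

On the constructed GPT sample the metadata spans LBA 0 to 33, which is the MBR, the one-sector header and the 32 sectors of partition entries described above.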

What to do?

Although Petya is rather different from the rest of the ransomware we’ve seen in recent years, you can defend against it by following the same advice.

We’ve published an article entitled “How to stay protected against ransomware” to help you out.