Petya Ransomware blocks Operating System loading and demands ransom for data decryption

Experts from the G DATA Company reported finding unusual ransomware. Petya – is a good old locker ransomware, it differs from the recent ransomware by locking the computer and not just encrypting the data. Petya blocks not only the desktop or browser, it generally prevents the loading of the operating system. The ransom message states that the malware uses “military encryption algorithm” and encrypts the entire hard disk at once.


In recent past, lockers were very common type of ransomware. Some of them blocked the desktop, others only the browser window, however all of them demanded a ransom to restore the access. Lockers had been replaced by encryptors, which not just block the access, but also encrypt the data stored on the hard drive, which greatly increased the probability of receiving a ransom payment.

However, the experts from the G DATA company found a fresh sample of the locker, which calls itself Petya. In the demanding message, cyber criminals state that this ransomware combines the locker function and encryptor at once. Petya mainly attacks HR specialists. To do this, the attackers sending phishing emails with fake resume from candidates for any position. Emails contain a link to the applicant’s complete portfolio, which is hosted on cloud service Dropbox. Of course, instead of the portfolio, the link leads to the ransomware – file application_portfolio-packed.exe.


Once executed this .exe victim will see the blue screen of death and the subsequent reboot. G DATA experts believe that before the reboot ransomware intervenes with MBR file operation, to intercept the boot process management. After restarting the computer, the victim will see the imitation of disk check (CHKDSK), at the end of which will be loaded the lock screen of Petya ransomware. Ransomware will state that all of the data on the hard drive has been encrypted using a “military encryption algorithm”, and it is impossible to restore it without paying a ransom.


To restore the access to the system and decrypt the personal data, user will need to pay the ransom by going to the .onion website, located in anonymous network TOR. If the payment will not be made within 7 days, the amount of ransom will be doubled. Cyber criminals offer to buy a special decryption code that is needed to be introduced directly on the locker screen.


Experts from G DATA have not yet figured out how Petya ransomware works, however they suspect that it simply lying about the data encryption. Most likely, malware simply blocks access to files doesn’t let to boot the operating system. Experts strongly recommend to NOT pay the ransom to the cyber criminals and promise in the near future to publish an updated information about the threat as well as the removal tool.

You can see the Petya ransomware in action in the video below.

Information added: 04/06/2016 07:15 PM;