Petya Ransomware infects MBR

Discussion in 'malware problems & news' started by stapp, Mar 26, 2016.

  1. stapp

    stapp Global Moderator

    Joined:
    Jan 12, 2006
    Posts:
    23,940
    Location:
    UK
  2. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Yeah, read about it over at Bleepingcomputer.com yesterday. Basically renders your OS installation drive useless by modifying the MBR and encrypting the MFT. Restoring the MBR doesn't help because the MFT is still encrypted, preventing access to all files on the drive. Thankfully, it appears to be targeted at businesses only.

    -EDIT- Unknown at this point is if the backup MFT Windows maintains is also encrypted. If not, the MFT could be restored from that using disk recovery software.
     
    Last edited: Mar 26, 2016
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
  4. wat0114

    wat0114 Registered Member

    Joined:
    Aug 5, 2012
    Posts:
    4,064
    Location:
    Canada
    Distributed via email with Dropbox links. Note the UAC elevation request of unknown Publisher. No one with even a shred of common sense should be launching this.
     
  5. CHEFKOCH

    CHEFKOCH Registered Member

    Joined:
    Aug 29, 2014
    Posts:
    395
    Location:
    Swiss
    Don't get it; no matter how it was faked to show the .exe/.zip or whatever as a .jpg to fool people, it still needs administrative access. Why would someone then click yes on the UAC prompt? Even if you're infected, repairing the MBR via a live CD is easy as hell.
     
    Last edited: Mar 26, 2016
  6. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
  7. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yes, that's what I meant to say: restoring the entire image backup, specifically with Terabyte Unlimited products; can't tell for other imaging software.
    Anyway, if this malware is mainly targeted at businesses/enterprises I see no big deal about this infection because they are supposed to have a good culture about imaging/backing up system and data drives.
     
  8. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I suspect that most businesses aren't as good about backup as Wilders users. I know that not only Terabyte's products will work but also ShadowProtect, Macrium, Acronis, and probably also Aomei and Drive Snapshot.
     
  9. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    This sort of ransomware is another reason not to put your data files/documents etc. on your OS drive, i.e., use your OS drive solely as a boot drive, and store all personal data on a 2nd or 3rd drive.

    Edit: damn, it appears this ransomware will encrypt all HDDs on the infected computer, not just the OS drive. Good news is it only affects MBR type disks, but not GPT type. So if you are using GPT disks you are fine.
     
  10. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Although good news indeed I'm not so optimistic. I believe not so long in the future GPT scheme will be infected as well... It's just a matter of time.
     
  11. oliverjia

    oliverjia Registered Member

    Joined:
    Jul 21, 2005
    Posts:
    1,926
    I agree. I would suggest people move to Ubuntu LTS, use it for day to day tasks, then install an offline Windows 10 virtual machine for tasks that demand Microsoft Word, Adobe Acrobat and Photoshop, as well as other specialty software.
    By using Ubuntu LTS as our main OS, I would think most of this ransomware will do nothing to our data.. LOL.
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I think that is a bit extreme. A little well designed software, and a large dose of using one's brains should be adequate.
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Latest from BC is:

    Grinler - 6 hours ago


    At the time of this writing the ransomware was currently targeting German companies.
     
  14. imdb

    imdb Registered Member

    Joined:
    Nov 2, 2011
    Posts:
    4,208
    ditto.
     
  15. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Below are some details on one possible MFT recovery tool that can be run from a DOS, Linux, or Win PE boot CD. Personally, I would have reservations using it in this situation if the goal is to fully recover the PC. If for any reason the recovery tool modifies the original MFT and the recovery from the backup MFT fails, it is reasonable to assume the MFT at this point is totally trashed. As such, even if the ransom was paid, it is highly doubtful the decryption would be successful.

    I suggest TestDisk. Assuming the partition is NTFS, there will be a mirror copy of the MFT in the middle of the drive that can be used to recover from.

    From the TestDisk web site:

    "Repair An NTFS MFT

    The MFT (Master File Table) is sometimes corrupted. If Microsoft's Checkdisk (chkdsk) failed to repair the MFT, run TestDisk. In the Advanced menu, select your NTFS partition, choose Boot, then Repair MFT. TestDisk will compare the MFT and MFT mirror (its backup). If the MFT is damaged, it will try to repair the MFT using the backup. If the MFT backup is damaged, it will use the main MFT."


    If both MFT and MFTMirr are damaged and thus cannot be repaired using TestDisk, you might want to try commercial software like Zero Assumption Recovery, GetDataBack for NTFS or Restorer 2000.

    Ref.: http://www.techrepublic.com/forums/questions/master-file-table-recovery/

    Here's the link to the TestDisk recovery tool: http://www.cgsecurity.org/wiki/TestDisk

     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Seems like that would be a large effort. Wouldn't restoring a disk image where you restore, MBR, Track 0, and partition solve the whole problem?
     
  17. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    No. All that is stored there is a "pointer" to the actual MFT file:

    NTFS treats everything as a file. $MFT, $Boot, $MFTMirr...they are all files according to NTFS. All are hidden, and all are system files. $MFT can be found anywhere on the volume. I know FTK will identify the $MFT file, and I suspect most others will, however, I don't believe it will break down the individual FILE0/FILE* records contained within the $MFT.

    To echo the posts of the others, Brian Carrier's book is your friend in this particular area.

    To find the actual $MFT in use, you need to examine the $Boot file, which is found in the first sectors of the volume. The actual starting logical cluster extent of the $MFT is located at offset 0x30 (48 decimal) I believe, and goes for 8 bytes (remember...Little Endian!)

    Once you've got the starting cluster, it's time to start work!

    I think that The Sleuth Kit (TSK) can handle some of the $MFT work, but in order to get a GOOD understanding of it, you should break at least a part of it down manually so you understand the file record header and each file attribute that is found in that record (usually $STANDARD_INFORMATION, $FILE_NAME, $DATA, but there can be a host of others).


    Ref.: http://www.forensicfocus.com/Forums/viewtopic/t=2902/
     
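    The quoted post says the start cluster of the $MFT sits at offset 0x30 of $Boot, little-endian. As an added example (not code from itman or from the forensicfocus thread he quotes), the Python below reads that field plus the $MFTMirr pointer at 0x38 and the record size at 0x40, then checks whether the first record of each copy still begins with the "FILE" signature an intact MFT record carries; that is the check behind the thread's question of whether the mirror survived. It runs offline against a constructed stand-in volume (not a real, mountable filesystem); `check_image(path)` is the same check against a real partition image or raw partition device. The scramble step only simulates a record that no longer decodes; it is not the ransomware's algorithm.

```python
import struct

SECTOR = 512
FILE_SIG = b"FILE"        # signature at the start of every intact $MFT record


def parse_boot_sector(boot):
    """Pull the fields needed to locate the MFT out of an NTFS boot sector ($Boot).
    All multi-byte fields are little-endian, as the quoted post stresses."""
    if boot[3:11] != b"NTFS    " or boot[510:512] != b"\x55\xAA":
        raise ValueError("not an NTFS boot sector (OEM id or 0x55AA signature missing)")
    bytes_per_sector = struct.unpack_from("<H", boot, 0x0B)[0]
    sectors_per_cluster = boot[0x0D]
    mft_lcn = struct.unpack_from("<Q", boot, 0x30)[0]       # $MFT start cluster
    mftmirr_lcn = struct.unpack_from("<Q", boot, 0x38)[0]   # $MFTMirr start cluster
    cpr = struct.unpack_from("<b", boot, 0x40)[0]           # clusters per MFT record
    bytes_per_cluster = bytes_per_sector * sectors_per_cluster
    # A negative value means the record size is 2**(-cpr) bytes (the usual 0xF6 -> 1024).
    record_size = (1 << -cpr) if cpr < 0 else cpr * bytes_per_cluster
    return {"bytes_per_cluster": bytes_per_cluster, "mft_lcn": mft_lcn,
            "mftmirr_lcn": mftmirr_lcn, "record_size": record_size}


def check_mft_copies(read):
    """`read(offset, length)` returns bytes of the volume. Reports whether record 0
    of $MFT and of $MFTMirr still carries the FILE signature. $MFTMirr only holds a
    copy of the first few MFT records, so this says whether either copy is still
    plausibly readable, not that the whole table is intact."""
    info = parse_boot_sector(read(0, SECTOR))
    results = {}
    for name, lcn in (("$MFT", info["mft_lcn"]), ("$MFTMirr", info["mftmirr_lcn"])):
        rec = read(lcn * info["bytes_per_cluster"], info["record_size"])
        results[name] = len(rec) == info["record_size"] and rec[:4] == FILE_SIG
    return results


def check_bytes(volume):
    return check_mft_copies(lambda off, n: volume[off:off + n])


def check_image(path):
    """Run the check against a partition image file or a raw partition device."""
    with open(path, "rb") as f:
        def read(off, n):
            f.seek(off)
            return f.read(n)
        return check_mft_copies(read)


def build_test_volume():
    """Constructed stand-in for an NTFS volume (not a real filesystem): 16 clusters
    of 512 bytes, $MFT at cluster 4, $MFTMirr at cluster 8, 1024-byte records."""
    bps, spc, clusters = 512, 1, 16
    vol = bytearray(bps * spc * clusters)
    vol[3:11] = b"NTFS    "
    struct.pack_into("<H", vol, 0x0B, bps)
    vol[0x0D] = spc
    struct.pack_into("<Q", vol, 0x28, clusters * spc)   # total sectors
    struct.pack_into("<Q", vol, 0x30, 4)                # $MFT start LCN
    struct.pack_into("<Q", vol, 0x38, 8)                # $MFTMirr start LCN
    vol[0x40] = 0xF6                                    # -10 -> 2**10 = 1024-byte records
    vol[510:512] = b"\x55\xAA"
    record = FILE_SIG + b"\x00" * 1020                  # stub record 0 ($MFT itself)
    vol[4 * bps:4 * bps + 1024] = record
    vol[8 * bps:8 * bps + 1024] = record
    return bytes(vol)


def scramble_record(volume, lcn, key=0x37):
    """Simulate a damaged/encrypted record by XORing it with a constant. Only a
    stand-in for 'the record no longer decodes'; not the ransomware's algorithm."""
    info = parse_boot_sector(volume[:SECTOR])
    off = lcn * info["bytes_per_cluster"]
    v = bytearray(volume)
    for i in range(off, off + info["record_size"]):
        v[i] ^= key
    return bytes(v)


if __name__ == "__main__":
    import sys
    # Pass a partition image/device path to inspect it; otherwise run the stand-in.
    print(check_image(sys.argv[1]) if len(sys.argv) > 1 else check_bytes(build_test_volume()))
```

    If both entries come back False, neither copy decodes and, as the thread concludes, a TestDisk-style "repair from mirror" has nothing to work with; only an image backup restores the table.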
  18. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Itman

    I know, but that references restoring just the MBR. Restoring an image restores not only the MBR, but all of track 0 and all the sectors of the partition. That should include the MFT, shouldn't it?
     
  19. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yes it should. I've discussed that before with @Brian K

    https://www.wilderssecurity.com/threads/terabyte-product-release-thread.305838/page-39#post-2551554
     
  20. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Correct. I thought you were referring to just restoring the MBR and track 0.
     
  21. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,592
    Location:
    U.S.A.
    Well, appears this bugger also encrypts the MFT mirror backup copy:

    Grinler - 17 hours ago

    Yes, it appears to encrypt the mirror as well in some manner.
    So, only way to recover from this infection is using an image backup.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You also have to be careful on this. Some images can cover the whole disk or just the partition. With just the partition, the restore could be iffy.
     
  23. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,796
    Location:
    .
    Yes, it seems the only way to go... And the most reliable too.
    Well, it depends on the software used and the user's skills. I've done a partition restore out of an entire disk image file successfully, without hiccups or anything iffy.
     
  24. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    So have I, but here we are talking specifically about a restore to undo petya. That changes things a bit.
     
  25. MisterB

    MisterB Registered Member

    Joined:
    May 31, 2013
    Posts:
    1,267
    Location:
    Southern Rocky Mountains USA
    I generally image and restore partitions with no issues. The partition image should contain all the data necessary for file access, and most imaging programs let you mount it as a virtual disk. The only problem could be booting it after the restore if the MBR was messed up. For MBR disks fixing that is pretty easy. It is a good idea to make a backup of the MBR separate from the disk or partition image. Easily done with a Linux dd command or a utility like Bootice. GPT disks with UEFI are a bit more complicated, but most disk imaging software can deal with it these days.
     
    Last edited: Mar 28, 2016
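    Keeping a separate copy of sector 0, as MisterB suggests, and telling an MBR disk from a GPT one (oliverjia's point earlier in the thread) are both a matter of reading 512 bytes. This added Python example, not code from any poster, backs up sector 0 the way `dd if=DISK of=mbr.bin bs=512 count=1` does, parses the four partition entries to report whether the disk is plain MBR or GPT behind a 0xEE protective entry, and restores only the 440 boot-code bytes so a partition table that is still good is left alone. The file paths and the demo's constructed sector 0 are assumptions; against a real machine you would point `backup_mbr` at the raw device (for example /dev/sda on Linux, which needs root), and `restore_boot_code(..., whole_sector=True)` is the choice when the partition table itself is known to be damaged.

```python
import os
import struct
import tempfile

SECTOR = 512
BOOT_CODE_LEN = 440      # bytes 0..439 boot code; 440..445 disk signature; 446..509 partition table
PART_TABLE_OFF = 0x1BE
GPT_PROTECTIVE = 0xEE    # partition type used by the protective MBR on a GPT disk


def parse_mbr(sector):
    """Parse sector 0: boot code, the four 16-byte partition entries, and whether
    the disk is really GPT behind a protective MBR entry."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("sector 0 lacks the 0x55AA boot signature")
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba_start, sectors = struct.unpack_from("<II", sector, off + 8)
        if ptype:                                  # type 0 = unused slot
            parts.append({"bootable": status == 0x80, "type": ptype,
                          "lba_start": lba_start, "sectors": sectors})
    style = "GPT (protective MBR)" if any(p["type"] == GPT_PROTECTIVE for p in parts) else "MBR"
    return {"style": style, "partitions": parts, "boot_code": bytes(sector[:BOOT_CODE_LEN])}


def read_sector0(disk):
    with open(disk, "rb") as f:
        return f.read(SECTOR)


def backup_mbr(disk, out_path):
    """Equivalent of `dd if=DISK of=mbr.bin bs=512 count=1`."""
    with open(out_path, "wb") as f:
        f.write(read_sector0(disk))


def restore_boot_code(backup_path, disk, whole_sector=False):
    """Write the saved sector back. By default only the 440 code bytes are written,
    so a partition table that is still good is untouched; whole_sector=True also
    restores the disk signature and partition table."""
    with open(backup_path, "rb") as f:
        saved = f.read(SECTOR)
    n = SECTOR if whole_sector else BOOT_CODE_LEN
    with open(disk, "r+b") as f:       # r+b: overwrite in place, never truncate the device/image
        f.seek(0)
        f.write(saved[:n])


def build_test_mbr(style):
    """Constructed sector 0 for the offline demo: 'mbr' has one bootable NTFS (0x07)
    partition; 'gpt' has the single 0xEE protective entry a GPT disk carries."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\xFE\x90"                          # placeholder boot code (jmp $; nop)
    struct.pack_into("<I", s, 440, 0xDEADBEEF)        # disk signature (made up)
    if style == "gpt":
        entry = struct.pack("<BBBBBBBBII", 0, 0, 2, 0, GPT_PROTECTIVE, 0xFF, 0xFF, 0xFF, 1, 0xFFFFFFFF)
    else:
        entry = struct.pack("<BBBBBBBBII", 0x80, 0x20, 0x21, 0, 0x07, 0xFE, 0xFF, 0xFF, 2048, 1_000_000)
    s[PART_TABLE_OFF:PART_TABLE_OFF + 16] = entry
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def demo():
    """Round trip on a constructed 4-sector image: back up sector 0, overwrite the
    boot code (standing in for a bootloader that replaced it), restore, compare."""
    original = build_test_mbr("mbr")
    with tempfile.TemporaryDirectory() as d:
        disk, bak = os.path.join(d, "disk.img"), os.path.join(d, "mbr.bin")
        with open(disk, "wb") as f:
            f.write(original + b"\x00" * (3 * SECTOR))
        backup_mbr(disk, bak)
        with open(disk, "r+b") as f:
            f.write(b"\x90" * BOOT_CODE_LEN)          # clobber the code area only
        damaged = read_sector0(disk)
        restore_boot_code(bak, disk)
        restored = read_sector0(disk)
    return {"style": parse_mbr(original)["style"],
            "boot_code_changed": damaged[:BOOT_CODE_LEN] != original[:BOOT_CODE_LEN],
            "table_survived": damaged[BOOT_CODE_LEN:] == original[BOOT_CODE_LEN:],
            "restored_ok": restored == original}


if __name__ == "__main__":
    print(demo())
    print(parse_mbr(build_test_mbr("gpt"))["style"])
```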