Petya Ransomware infects MBR

Discussion in 'malware problems & news' started by stapp, Mar 26, 2016.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    Hmm I don't get this. Where can I read or you can explain please?
     
  2. hjlbx

    hjlbx Guest

    @Peter2150 @Mister X

    You both use AppGuard in Lock-Down mode combo-ed with NVT ERP, so no need to worry about PETYA ... but I understand discussion is interesting.

    Both your systems are so tight PETYA would have to bypass - what ? - something like 7 or 8 layers ??

    Then, even if it does bypass, you recover system from backup - and "poof" - PETYA gone - nothing but a bad dream.

    :thumb:
     
  3. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
    I already know this but I also need to know if my layers are bypassed somehow. Besides I am a technician and my customers' machines don't have that level of security.
    Exactly my thoughts but @Peter2150 says recovery from Petya is a bit different even when using an image backup to restore. So how is a bit different? Now I am interested :geek:
     
  4. hjlbx

    hjlbx Guest

    @Mister X

See the 1st and 3rd; the 2nd and 4th are just for info, from within the context of the discussion:

    https://malwaretips.com/threads/petya-mbr-encryption-ransomware-test.57634/#post-496327

    https://malwaretips.com/threads/petya-mbr-encryption-ransomware-test.57634/page-2#post-496462

    https://malwaretips.com/threads/petya-mbr-encryption-ransomware-test.57634/page-2#post-496488

    https://malwaretips.com/threads/petya-mbr-encryption-ransomware-test.57634/page-2#post-496492

I misstated "backup" recovery software. Fabian Wosar states "file recovery software."
     
  5. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Not file recovery for Petya. It doesn't encrypt files. It just replaces the MBR and encrypts the MFT.
     
  6. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    You are correct, but I take nothing for granted.
     
  7. guest

    guest Guest

    Wondering what it does on Rollback RX? :D
     
  8. hjlbx

    hjlbx Guest

    I have been wondering too...
     
  9. hjlbx

    hjlbx Guest

    That's why you always get 10 thumbs up... you da man !
     
  10. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
And I'm wondering what it does on AX64? :p
     
  11. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
Rollback Rx would be trashed. The MBR is overwritten, and the MFT encrypted as well.

    @yesnoo. The question is how good/reliable is the restore of AX64. Not sure I'd trust it.
     
  12. guest

    guest Guest

It is what I was thinking; at least on Shadow Defender it shouldn't do any harm (MBR protected).
     
  13. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Fabian of Emsisoft posted a great clarification on the ransomware over at Malwaretips.com which I am going to post here to clear up things.

    First, Petya specifics:

The dropper (the Windows executable) will overwrite the first 66 sectors of your disk. This includes the MBR at position 0. It then forces a bluescreen using an undocumented native Windows API. After the bluescreen your system will reboot and the malware becomes active. The malicious bootloader left in the MBR will load the rest of the malware stored in later sectors on the disk into memory and jump there. The malware then checks if the actual encryption process already took place. If it did not, it will obtain the key from a dedicated sector on your disk and will go through all the installed disks on the system. It will parse the partition table of each disk, looking for NTFS partitions. If such a partition is found, it will read the VBR of said partition, parse the BPB stored within the VBR, locate the exact cluster where the MFT, which is an important data structure in the NTFS file system, can be found, and start encrypting all the sectors that are occupied by the MFT, with the exception of the first two, which contain the entry for the MFT itself, so the malware still knows later on which sectors it has to decrypt. All of this happens during the fake CHKDSK screen you can see in the video.

    Next, a clarification that recovery of the MFT using its mirror file is not possible:

    There is also one other misconception you see people regurgitating repeatedly when it comes to this malware and that is the Mirror MFT. "Can't you just restore the MFT from the mirror MFT." That useless advice stems from the wrong belief that the Mirror MFT, which is an actual thing, contains a copy of all MFT records. That is blatantly wrong though. The Mirror MFT only contains the records of the first 4 MFT entries, which are for the MFT ($Mft) itself, the Mirror MFT ($MftMirr), the NTFS log file ($LogFile) and the volume information ($Volume). So the Mirror MFT is completely useless when dealing with this particular malware.

    A HIPS, assuming a rule is created to monitor low-level disk access against the OS installation drive, or a behavior blocker that likewise does the same, should detect the above-noted Petya dropper malware and prevent the overwriting of the MBR. There is no way to know for sure w/o a test with a live sample of the ransomware. It all depends on the security solution being able to detect the dropper execution.

-EDIT- It appears the dropper is a straightforward .exe named application_portfolio-packed.exe according to GData: https://blog.gdatasoftware.com/2016/03/28213-ransomware-petya-encrypts-hard-drives . The fact I see "packed" in its file name does imply some level of encryption and obfuscation in the dropper.
     
    Last edited: Mar 28, 2016
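    The post above describes the chain the malware walks (partition table, VBR, BPB, MFT cluster) and why $MftMirr cannot repair the MFT. The following added example, which is not code from the thread, from Fabian, or from Emsisoft, walks that same chain from a responder's side: it parses a constructed in-memory disk image (MBR, one NTFS partition, eight 1 KiB MFT records) and reports which $MFT records still carry their "FILE" signature and how many of the damaged ones the mirror could actually supply. The image layout, the `n_records` parameter and the filler bytes that stand in for unreadable records are assumptions of the example.

```python
"""Triage walk: MBR -> NTFS partition -> VBR/BPB -> $MFT record check.

Added example (not from the thread). Everything here runs against a
constructed in-memory image; no real disk is read.
"""
import struct

MFT_MAGIC = b"FILE"
NTFS_PART_TYPE = 0x07
SECTOR = 512


def find_ntfs_partition(mbr: bytes) -> int:
    """Byte offset of the first NTFS (type 0x07) partition in an MBR."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("MBR boot signature missing")
    for i in range(4):
        entry = mbr[0x1BE + 16 * i:0x1BE + 16 * (i + 1)]
        lba_start = struct.unpack_from("<I", entry, 8)[0]
        if entry[4] == NTFS_PART_TYPE:
            return lba_start * SECTOR
    raise ValueError("no NTFS partition in MBR")


def parse_bpb(vbr: bytes) -> dict:
    """Fields of the NTFS BPB needed to locate $MFT and $MftMirr."""
    if vbr[3:11] != b"NTFS    " or vbr[510:512] != b"\x55\xaa":
        raise ValueError("not an NTFS volume boot record")
    bps = struct.unpack_from("<H", vbr, 0x0B)[0]
    spc = vbr[0x0D]
    mft_lcn, mirr_lcn = struct.unpack_from("<qq", vbr, 0x30)
    cprs = struct.unpack_from("<b", vbr, 0x40)[0]  # clusters per record, signed
    record_size = (1 << -cprs) if cprs < 0 else cprs * bps * spc
    return {"cluster": bps * spc, "mft_lcn": mft_lcn,
            "mirr_lcn": mirr_lcn, "record_size": record_size}


def audit_mft(image: bytes, n_records: int) -> dict:
    """Report intact/damaged $MFT records and what $MftMirr could restore.

    n_records is supplied for the constructed image (assumption); on a real
    volume it is derived from the $DATA run length of record 0 ($Mft).
    """
    part = find_ntfs_partition(image[:SECTOR])
    bpb = parse_bpb(image[part:part + SECTOR])
    rs, cl = bpb["record_size"], bpb["cluster"]
    mft_off = part + bpb["mft_lcn"] * cl
    mirr_off = part + bpb["mirr_lcn"] * cl
    intact, damaged = [], []
    for i in range(n_records):
        rec = image[mft_off + i * rs:mft_off + (i + 1) * rs]
        (intact if rec[:4] == MFT_MAGIC else damaged).append(i)
    # $MftMirr covers only the first few records; count valid ones in its cluster.
    mirror = sum(1 for j in range(cl // rs)
                 if image[mirr_off + j * rs:mirr_off + j * rs + 4] == MFT_MAGIC)
    return {"mft_offset": mft_off, "intact": intact, "damaged": damaged,
            "mirror_records": mirror,
            "recoverable_from_mirror": [i for i in damaged if i < mirror]}


def _mft_record(index: int) -> bytes:
    """Minimal in-use MFT record header (constructed; carries no attributes)."""
    rec = bytearray(1024)
    rec[0:4] = MFT_MAGIC
    struct.pack_into("<HH", rec, 4, 0x30, 3)      # update-sequence offset / count
    struct.pack_into("<HH", rec, 16, 1, 1)        # sequence number, hard-link count
    struct.pack_into("<HH", rec, 20, 0x38, 1)     # first attribute offset, IN_USE
    struct.pack_into("<II", rec, 24, 0x38, 1024)  # bytes used / allocated
    struct.pack_into("<I", rec, 44, index)        # record number
    return bytes(rec)


def build_image(damage_from=None) -> bytes:
    """Constructed 32 KiB disk: MBR, NTFS partition at LBA 16, 8 MFT records.

    damage_from=k replaces records k..7 with 0xCC filler to stand in for
    records that are no longer readable; records 0 and 1 are left alone,
    matching what the post says the malware leaves untouched.
    """
    part_lba, bps, spc, mft_lcn, mirr_lcn, n = 16, 512, 8, 4, 2, 8
    cl, rs = bps * spc, 1024
    img = bytearray(part_lba * SECTOR + 48 * SECTOR)
    struct.pack_into("<BBBBBBBBII", img, 0x1BE, 0x80, 0, 0, 0,
                     NTFS_PART_TYPE, 0, 0, 0, part_lba, 48)  # one partition entry
    img[510:512] = b"\x55\xaa"
    p = part_lba * SECTOR                                    # VBR / BPB
    img[p:p + 3] = b"\xeb\x52\x90"
    img[p + 3:p + 11] = b"NTFS    "
    struct.pack_into("<H", img, p + 0x0B, bps)
    img[p + 0x0D] = spc
    struct.pack_into("<q", img, p + 0x28, 48)                # total sectors
    struct.pack_into("<qq", img, p + 0x30, mft_lcn, mirr_lcn)
    struct.pack_into("<b", img, p + 0x40, -10)               # 2**10-byte records
    img[p + 510:p + 512] = b"\x55\xaa"
    for i in range(n):
        off = p + mft_lcn * cl + i * rs
        img[off:off + rs] = _mft_record(i)
    for i in range(4):                                       # $MftMirr: 4 records
        off = p + mirr_lcn * cl + i * rs
        img[off:off + rs] = _mft_record(i)
    if damage_from is not None:
        for i in range(damage_from, n):
            off = p + mft_lcn * cl + i * rs
            img[off:off + rs] = b"\xcc" * rs
    return bytes(img)


if __name__ == "__main__":
    print(audit_mft(build_image(damage_from=2), 8))
```

    Run against the damaged image, the report lists records 0 and 1 as intact, 2 through 7 as damaged, and only 2 and 3 as present in the mirror: every record for an actual user file sits beyond what $MftMirr holds, which is the point the quoted post makes.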
  14. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    There is one big Arg in that. It's not just the c: drive, but all installed drives. That is bad. Best thing is keep this thing off your system
     
  15. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    I am not sure. I think you may be correct, but I would operate under the assumption you aren't.
     
  16. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Hi Itman

I couldn't find Fabian's post. Can you post a link?

    Pete
     
  17. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
  18. itman

    itman Registered Member

    Joined:
    Jun 22, 2010
    Posts:
    8,593
    Location:
    U.S.A.
    Eset has three sigs for this malware. I assume Emsisoft has likewise. So, threat no longer in the wild.
     
  19. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
    Thanks Mister X

    @itman. I would assume the same and also I expect the behavior blocker would catch it.
     
  20. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,576
Basically, a partition restore or complete hard drive restore with Terabyte's imaging products should completely fix the issue, if it is ever encountered?

    Also, a question that I have always wondered about, but have never had an answer for: Can Malware hide in the Host Protected Area (HPA) and Device Configuration Overlay (DCO)? I guess that this Malware does not use the Host Protected Area (HPA) and Device Configuration Overlay (DCO).

    http://www.jetico.com/solutions/by-need/wiping
     
  21. khanyash

    khanyash Registered Member

    Joined:
    Apr 4, 2011
    Posts:
    2,429
    What do you mean by how good/reliable is the restore of AX64? Why would you not trust it? Any probs with its restored snapshots?

I have done many restores with AX64 V2 on Win 10 64 & it has always worked fine.

    Is restore with AX64 boot option possible with Petya infection?
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    20,590
You'd need some kind of media to do a cold restore. Yes, people have had problems with AX64 and Flashback. People reported problems when they released FB. Seen any fixes.
     
  23. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I also assume that HIPS should be able to protect against this. Too bad that no one has been able to test it against EIS, Comodo and SS to name a few.
     
  24. Amanda

    Amanda Registered Member

    Joined:
    Aug 8, 2013
    Posts:
    2,115
    Location:
    Brasil
    I have tested similar ransomware against COMODO's HIPS, and here's what I found:
• Since the program is not digitally signed, you'll get a warning and a request to either block the program, run it in the sandbox, or run it unlimited;
    • If you choose to block it, no harm will be done to the OS;
    • If you run it in the sandbox, it will run but the payload delivery will fail;
    • If you run it unlimited, the payload will be delivered and no HIPS alert/option will come up, unless you use the Paranoid Mode.
    If the ransomware somehow is able to hijack legitimate processes via a compromised and digitally signed download, then we're pretty much screwed. That's why it's important to limit the number of installed programs that are downloaded through 3rd-party channels, especially the ones with adware.
     
    Last edited: Mar 29, 2016
  25. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,812
    Location:
    .
Perhaps I missed them at some point but anyway, could someone recap all possible points of entry / vectors / delivery methods for Petya? No time to read other webpages at this moment. :rolleyes:
     