App Review Petya MBR Encryption Ransomware Test


_CyberGhosT_

Try that with an Anti-Virus rofl.
Should have tried to boot it anyway. Malwarebytes states on their Beta page that the ransom screen is often left behind but the files are indeed intact, and that they are working on it. Try MBARW when it's out of Beta please, I would love to see a completed MBARW against this and Locky.
Awesome Vid Cruelsis. PeAcE

Der.Reisende

WAR is a solid product, scotty does a good job, sadly it was on sale a few weeks back at BDJ, not anymore. Thanks for bringing us these awesome tests cruelsister, amazing as always!
There still seems to be some discount offered :)
 

Attachment: 2016-03-26.png (562 KB)

Philly

WAR is a solid product, scotty does a good job, sadly it was on sale a few weeks back at BDJ, not anymore. Thanks for bringing us these awesome tests cruelsister, amazing as always!
Wow... It's in a whole new level! Great video as always... really wish WinAntiransom to be on sale!

You can get 50% off with the coupon code: bobsfriends
 

cruelsister

Thread author
Petrovic- I may move it up to my next video in a week or two. I did some preliminary work on it after your post and it seems like an excellent candidate. But one thing- as the AV Cloud can be shut off I would do so for 2 reasons: to keep the playing field level (the other products in this series didn't have AVs), and the fact that I despise traditional AV products. I may even write some malware for the test.
 

cruelsister

Thread author
P- it seemed to me that the Cloud was there for a bit more than statistics. They state when a file is run it will also be compared "with the reputation information stored in the Dr.Web cloud which is constantly being updated. Dr.Web Katana subsequently uses that information to determine whether a program is dangerous and then takes whatever measures are necessary to neutralise the threat."

M
 

Fabian Wosar

From Emsisoft
Developer
Dr Web blocks it just fine using default settings (which is to block direct disk access for all processes) both in Katana as well as their normal AV/IS product. The malware will just sit there and consume excessive amounts of CPU because it just tries to infect the MBR over and over again. EAM blocks it as well for pretty much the same reason.

In general the threat already has kind of an expiration date. If you use any modern version of Windows (8, 8.1, 10) and if you are using UEFI/EFI to boot (which you really, really should), you are automatically protected from it, because the code in the MBR never gets to execute. The Windows binary itself doesn't do any actual encryption. It just prepares the malicious boot loader and writes it to disk. That's it. The actual encryption of the MFT is performed by the boot loader. I posted some technical information here:

KernelMode.info • View topic - Petya malware

Since the actual file data isn't touched by the malware at all and only the MFT is encrypted, all tools that allow you to restore files without the usage of the MFT will work just fine. You will probably lose directory names and structure, but if you shell out the $80 for GetDataBack for example or any other zero knowledge file recovery tool, you will get your files back just fine, with the exception of small files that may be stored within the MFT itself and may be encrypted.
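The distinction Fabian draws above (file clusters untouched, but small files that live inside their MFT record are at risk once the MFT is encrypted) is something a responder can check record by record. The Python below is an added example, not code from this thread or from Emsisoft: it applies the NTFS update-sequence fixup to one 1024-byte FILE record and reports whether the unnamed $DATA stream is resident (bytes stored in the MFT itself) or non-resident; the records it parses are constructed by build_record for illustration, not read from a real volume.

```python
import struct

ATTR_DATA, END_MARKER = 0x80, 0xFFFFFFFF
RES_HDR = "<IIBBHHHIHBB"       # 24-byte resident attribute header
NONRES_HDR = "<IIBBHHHQQHHIQQQ"  # 64-byte non-resident attribute header

def apply_fixup(rec: bytes) -> bytes:
    """Undo the update-sequence fixup: each sector's last 2 bytes hold the USN on disk."""
    usa_off, usa_cnt = struct.unpack_from("<HH", rec, 4)
    usn, buf = rec[usa_off:usa_off + 2], bytearray(rec)
    for i in range(1, usa_cnt):
        if buf[i * 512 - 2:i * 512] != usn:
            raise ValueError("fixup mismatch: torn or corrupt record")
        buf[i * 512 - 2:i * 512] = rec[usa_off + 2 * i:usa_off + 2 * i + 2]
    return bytes(buf)

def data_stream_info(rec: bytes):
    """(resident, size) of the unnamed $DATA stream; resident=True means the bytes sit in the MFT."""
    if rec[:4] != b"FILE":
        raise ValueError("not a FILE record")
    rec = apply_fixup(rec)
    off = struct.unpack_from("<H", rec, 0x14)[0]          # offset of first attribute
    while True:
        atype, alen = struct.unpack_from("<II", rec, off)
        if atype == END_MARKER or alen == 0:
            return None                                   # no unnamed $DATA (e.g. directory)
        if atype == ATTR_DATA and rec[off + 9] == 0:      # name length 0 = unnamed stream
            if rec[off + 8]:                              # non-resident flag set
                return False, struct.unpack_from("<Q", rec, off + 0x30)[0]   # real size
            return True, struct.unpack_from("<I", rec, off + 0x10)[0]        # value length
        off += alen

def build_record(size: int, resident: bool) -> bytes:
    """Constructed 1024-byte FILE record for testing (not from a real volume)."""
    if resident:
        body = bytes(size + (-size % 8))                  # value padded to 8 bytes
        attr = struct.pack(RES_HDR, ATTR_DATA, 24 + len(body), 0, 0, 0, 0, 0, size, 24, 0, 0) + body
    else:
        attr = struct.pack(NONRES_HDR, ATTR_DATA, 72, 1, 0, 0, 0, 0, 0, (size - 1) // 4096,
                           64, 0, 0, size, size, size) + bytes(8)   # empty data-run list
    rec = bytearray(struct.pack("<4sHH", b"FILE", 0x30, 3) + bytes(12) + struct.pack("<H", 0x38))
    rec += bytes(0x38 - len(rec))                         # rest of the header; USA at 0x30
    rec += attr + struct.pack("<I", END_MARKER)
    rec += bytes(1024 - len(rec))
    usn = b"\x07\x00"                                     # simulate what NTFS writes to disk
    rec[0x30:0x32] = usn
    for i in (1, 2):
        rec[0x30 + 2 * i:0x32 + 2 * i] = rec[i * 512 - 2:i * 512]   # stash real bytes in USA
        rec[i * 512 - 2:i * 512] = usn
    return bytes(rec)
```

On a disk image you would feed data_stream_info the 1024-byte records read from $MFT; a record that fails the fixup check has been damaged or overwritten and its contents cannot be trusted.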
 
