App Review: Petya MBR Encryption Ransomware Test


Der.Reisende

Dr Web blocks it just fine using default settings (which is to block direct disk access for all processes) both in Katana as well as their normal AV/IS product. The malware will just sit there and consume excessive amounts of CPU because it just tries to infect the MBR over and over again. EAM blocks it as well for pretty much the same reason.

In general the threat already has kind of an expiration date. If you use any modern version of Windows (8, 8.1, 10) and if you are using UEFI/EFI to boot (which you really, really should), you are automatically protected from it, because the code in the MBR never gets to execute. The Windows binary itself doesn't do any actual encryption. It just prepares the malicious boot loader and writes it to disk. That's it. The actual encryption of the MFT is performed by the boot loader. I posted some technical information here:

KernelMode.info • View topic - Petya malware

Since the actual file data isn't touched by the malware at all and only the MFT is encrypted, all tools that allow you to restore files without the usage of the MFT will work just fine. You will probably lose directory names and structure, but if you shell out the $80 for GetDataBack for example or any other zero knowledge file recovery tool, you will get your files back just fine, with the exception of small files that may be stored within the MFT itself and may be encrypted.
Thank you for that input, very interesting and helpful :) I hope you don't mind that I shared this in the News Section; there is an article on this particular malware.
 

cruelsister

Thread author
1). Duotone- As long as you always Block things whenever you get an AppGuard popup and never (never, ever) assume it is an FP and run a file you will be protected. AppGuard is a nice application but it's the possibility of a wrong choice that unnerves me.

2). Regarding Katana, yes it will stop Petya. But it does seem to have a rather large blind spot to other things. If this is confirmed I'll release something in a few weeks (or even if it isn't!).

3). If infected by Petya, I find it a bit disingenuous to state all you have to do is use (and/or buy) some Boot Disk or other. So easy to write, but it presupposes quite a bit (like the user knows what a Boot Disk is, can get access to it, and once acquiring it knowing what to do with it). As for paying for one, a person is better off taking the computer to Mr Robot down the street and have him deal with it.

4). Much better is a security solution that will work, or better still an imaging application (used routinely) to catch you when you fall.
 

Dani Santos

From Xvirus
With this new growing trend of ransomware it's good to see someone testing products' reactions. Maybe you could do a top 5 of products good at blocking ransomware?
 

Fabian Wosar

From Emsisoft
3). If infected by Petya, I find it a bit disingenuous to state all you have to do is use (and/or buy) some Boot Disk or other.
It's a fact. Try it out yourself. Get a demo disk of GetDataBack for NTFS, boot from it, let it run. Nothing dishonest about it.

So easy to write, but it presupposes quite a bit (like the user knows what a Boot Disk is, can get access to it, and once acquiring it knowing what to do with it).
That's why I tell people that option exists, just in case they didn't know. Fixing Petya is a non-issue in most cases. Not having to deal with it to begin with is definitely the better option. But then again, trying to teach someone to use disk imaging will most likely turn out to be just as fruitful as trying to teach them not to open links they get from unsolicited emails.
 

Duotone

1). Duotone- As long as you always Block things whenever you get an AppGuard popup and never (never, ever) assume it is an FP and run a file you will be protected. AppGuard is a nice application but it's the possibility of a wrong choice that unnerves me.

With regards to files, I never assume it's an FP, and as much as possible I open files/exes through SBIE; if after it runs/opens there is no AppGuard pop-up, that's when I run e.g. MS Word and open it there. So basically with my set-up WAR isn't needed?!!
 

cruelsister

Thread author
I certainly never said dishonest, nor did I in any way imply it. I did state that it was disingenuous, and by that I meant that not everyone is a Geek like us, and what is intuitively obvious for some may not be for everyone else. Also GTB is, as you said, ~80 USD. Mr Robot charges only 60.

Bora- Windows installation disk isn't of value.
 

Fabian Wosar

From Emsisoft
@Fabian Wosar So, Petya encrypts only the MBR, you can save data by booting from some recovery disk or USB, and repair the MBR with the Windows installation disk or manually?
No, it does not. For some reason a lot of people (including OP judging by the text files shown in the video, but I would think that was just a small oversight in wording the text instead of a lack of understanding of what the malware does) think that is all the malware does. If it was just overwriting the MBR it would be incredibly easy to restore access to the machine by just rewriting the MBR. There are plenty of tools that could do that and a lot of the crappy removal tutorial sites suggest exactly that, which may actually make matters worse.

The dropper (the Windows executable) will overwrite the first 66 sectors of your disk. This includes the MBR at position 0. It then forces a bluescreen using an undocumented native Windows API. After the bluescreen your system will reboot and the malware becomes active. The malicious bootloader left in the MBR will load the rest of the malware stored in later sectors on the disk into memory and jump there. The malware then checks if the actual encryption process already took place. If it did not, it will obtain the key from a dedicated sector on your disk and will go through all the installed disks on the system. It will parse the partition table of each disk, looking for NTFS partitions. If such a partition is found, it will read the VBR of said partition, parse the BPB stored within the VBR, locate the exact cluster where the MFT, which is an important data structure in the NTFS file system, can be found and start encrypting all the sectors that are occupied by the MFT, with the exception of the first two, which contain the entry for the MFT itself, so the malware still knows later on which sectors it has to decrypt. All of this happens during the fake CHKDSK screen you can see in the video.

After that the ransom screen is displayed. Now, what is the MFT? The MFT or Master File Table is essentially a data structure that tells Windows where the actual file data can be found. In the simplest terms, think of it as a table that just maps file names to actual sector or cluster addresses. So if you access the file C:\Windows\Explorer.exe, Windows checks the MFT for where on the disk the content of C:\Windows\Explorer.exe is located and then reads those sectors. So by encrypting the MFT, you do not encrypt the actual file content, but you encrypt the lookup directory of where on disk the files can be found. That also means that any recovery tool that isn't dependent on the MFT to recover files will work just fine, and there are plenty of those around.

There is also one other misconception you see people regurgitating repeatedly when it comes to this malware, and that is the Mirror MFT. "Can't you just restore the MFT from the mirror MFT?" That useless advice stems from the wrong belief that the Mirror MFT, which is an actual thing, contains a copy of all MFT records. That is blatantly wrong though. The Mirror MFT only contains the records of the first 4 MFT entries, which are for the MFT ($Mft) itself, the Mirror MFT ($MftMirr), the NTFS log file ($LogFile) and the volume information ($Volume). So the Mirror MFT is completely useless when dealing with this particular malware.
 
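An added example (not from this thread or from Emsisoft) that walks the same on-disk structures Fabian describes, but from the recovery technician's side: it parses the MBR partition table and the NTFS BPB of a constructed disk image to locate $MFT, then counts how many records still start with the 'FILE' signature. Because Petya leaves the first two sectors (record 0) untouched, checking only the first record would wrongly report a healthy MFT, so several records are sampled. The 1 KiB record size, the partition layout and the 0xEE filler bytes are assumptions of the sample image.

```python
import struct

SECTOR, MFT_RECORD, NTFS_TYPE = 512, 1024, 0x07  # assumption: 1 KiB MFT records

def parse_mbr_partitions(mbr):
    """(type, start_lba, sector_count) for each used entry of the MBR partition table."""
    if mbr[510:512] != b"\x55\xaa":
        raise ValueError("missing MBR boot signature")
    entries = [struct.unpack_from("<B3xII", mbr, 446 + 16 * i + 4) for i in range(4)]
    return [e for e in entries if e[0]]

def parse_ntfs_bpb(vbr):
    """bytes/sector, sectors/cluster and $MFT start cluster from the BPB in an NTFS VBR."""
    if vbr[3:11] != b"NTFS    ":
        return None
    bps, = struct.unpack_from("<H", vbr, 0x0B)
    mft_cluster, = struct.unpack_from("<Q", vbr, 0x30)
    return bps, vbr[0x0D], mft_cluster

def mft_status(disk, records=8):
    """Find the first NTFS volume's MFT and count records that still carry the 'FILE' signature."""
    for ptype, start, _ in parse_mbr_partitions(disk[:SECTOR]):
        bpb = parse_ntfs_bpb(disk[start * SECTOR:(start + 1) * SECTOR]) if ptype == NTFS_TYPE else None
        if bpb is None:
            continue
        bps, spc, mft_cluster = bpb
        mft_off = start * SECTOR + mft_cluster * spc * bps
        offsets = [mft_off + n * MFT_RECORD for n in range(records)]
        intact = sum(disk[o:o + 4] == b"FILE" for o in offsets)
        return {"mft_offset": mft_off, "intact": intact, "damaged": records - intact}
    return None

def build_sample_disk(petya_style=False):
    """Constructed 64-sector image: one NTFS partition at LBA 2 whose $MFT sits at cluster 8."""
    disk = bytearray(64 * SECTOR)
    struct.pack_into("<B3xII", disk, 446 + 4, NTFS_TYPE, 2, 60)  # partition entry 0
    disk[510:512] = b"\x55\xaa"
    vbr = 2 * SECTOR
    disk[vbr + 3:vbr + 11] = b"NTFS    "                          # OEM id
    struct.pack_into("<HB", disk, vbr + 0x0B, SECTOR, 1)          # 512 B/sector, 1 sector/cluster
    struct.pack_into("<Q", disk, vbr + 0x30, 8)                   # $MFT at cluster 8 of the volume
    mft = vbr + 8 * SECTOR
    for n in range(8):
        struct.pack_into("4s", disk, mft + n * MFT_RECORD, b"FILE")
    if petya_style:
        # Damage pattern described in the thread: the first two MFT sectors (record 0) are
        # left alone, everything after them is unreadable. Filler bytes, not any cipher.
        disk[mft + 2 * SECTOR:mft + 8 * MFT_RECORD] = b"\xee" * (8 * MFT_RECORD - 2 * SECTOR)
    return bytes(disk)
```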

BoraMurdar

Thank you for your minutely reply, just one thing more to ask. You said that files cannot be saved by booting from the other environment, but if only the MFT is encrypted then the actual readability of files is correlated with Explorer.exe reading them from within the infected system and not by a guest OS booted from memory... so data can be saved, except those that had bad luck being located at the very beginning of the partition (or HDD)
 

Fabian Wosar

From Emsisoft
You said that files cannot be saved by booting from the other environment, but if only the MFT is encrypted then the actual readability of files is correlated with Explorer.exe reading them from within the infected system and not by a guest OS booted from memory... so data can be saved, except those that had bad luck being located at the very beginning of the partition (or HDD)
The first track of the disk is historically unused and does not contain any data. So there are no files there. Even a guest OS would have to be able to read the MFT to make sense of the data on that partition. Since the MFT is encrypted, it will just throw an error when you try to access the partitions that have been encrypted that way.
 

BoraMurdar

Super Moderator
Verified
Staff Member
Well-known
Aug 30, 2012
6,598
The first track of the disk is historically unused and does not contain any data. So there are no files there. Even a guest OS would have to be able to read the MFT to make sense of the data on that partition. Since the MFT is encrypted, it will just throw an error when you try to access the partitions that have been encrypted that way.
I thought there was a way to bypass MFT FILE_READ_DATA from the HDD driver and read the files directly from the HDD, but I've probably mixed something up.
 

Fabian Wosar

From Emsisoft
What would happen if the user powers off / hard shuts down the system before or at the start of the CHKDSK screen?
If you manage to turn the system off before the MFT encryption started, you can just rewrite the MBR using your Windows installation disk. If it already started, interrupting the process will leave you with a damaged MFT that can't be repaired even if you pay the ransom.
 

jamescv7

Ransomware is meant to destroy things, and the example of replacing the MBR is already a different side of the story from the usual encryption of files, which one can manage to fix. It is pretty logical that the malware writers will not provide a solution, because all they want is money only, so it's a myth that paying them will fix the problem.
 
