App Review Petya MBR Encryption Ransomware Test


Dirk41

Mar 17, 2016
Ehm, sorry, I am not an expert. I tried to google "cf" but I can't find anything that explains what it is and what it is for.
 

Dirk41

Mar 17, 2016
May I ask a question? I didn't get what exactly happens before the reboot.
If the encryption starts after the reboot, would it be enough to prevent the reboot and delete the ransomware? I don't know about Petya, but, for example, Tesla 3.0 wasn't very difficult to remove; the difficult part is decrypting.

Thank you
 

Dirk41

Mar 17, 2016


OK, got it. From Bleeping Computer:
When first installed, the Petya Ransomware will replace the boot drive's existing Master Boot Record, or MBR, with a malicious loader. The MBR is information placed at the very beginning of a hard drive that tells the computer how it should boot the operating system.
 

cruelsister
Thread author

Apr 13, 2013
Dirk - When Petya is run it will establish priority loading for itself, then reboot the computer. On reboot, that CheckDisk routine you see running is fraudulent, giving time for the malware to corrupt (encrypt) the Master File Table (so it seems to things that the hard drive does not exist).

It is curious that on some German forums people have been using the Recovery Console and getting to a command prompt, where they are using bootrec with the usual switches (/rebuildBCD, /fixmbr, and /fixboot) and saying that the system was recovered. Now this routine presupposes that the Recovery Console can actually see the corrupt Windows installation, which it cannot on every sample that I've come across, so I find these claims curious.
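The MBR replacement that cruelsister describes is the part that happens before the reboot, which is what Dirk41 was asking about. The Python below is an added example, not code from this thread, from Bleeping Computer, or from any of the tools mentioned: it parses a 512-byte boot sector, hashes the boot-code region, and compares it and the partition table against a baseline captured while the machine was known clean, which is the kind of check one can run (as administrator, through the assumed helper read_physical_mbr) before letting a suspicious machine reboot. The two sample sectors are constructed inline; their boot-code bytes are stand-ins (a stock x86 boot prologue and an arbitrary replacement), not Petya's loader, and the device path and all function names are my own.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_END = 440      # bytes 0..439 hold the boot loader code
PART_TABLE_OFF = 446     # four 16-byte partition entries start here
PART_ENTRY_LEN = 16
BOOT_SIG_OFF = 510       # 0x55 0xAA marks a valid boot sector


def parse_partition_table(sector: bytes) -> list:
    """Return the four primary partition entries as dicts.

    Entry layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4).
    """
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, ptype, lba_start, num_sectors = struct.unpack_from(
            "<B3xB3xII", sector, off)
        entries.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": num_sectors,
        })
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the loader code only (the part an MBR bootkit replaces)."""
    return hashlib.sha256(sector[:BOOT_CODE_END]).hexdigest()


def check_mbr(sector: bytes, baseline_hash: str, baseline_table: list) -> list:
    """Compare a boot sector with a baseline taken while the machine was clean.

    Returns human-readable findings; an empty list means nothing changed.
    """
    if len(sector) != MBR_SIZE:
        raise ValueError("expected a 512-byte sector")
    findings = []
    if sector[BOOT_SIG_OFF:BOOT_SIG_OFF + 2] != b"\x55\xaa":
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("boot code differs from baseline: MBR loader has been replaced")
    table = parse_partition_table(sector)
    if table != baseline_table:
        findings.append("partition table differs from baseline")
    elif not any(e["bootable"] for e in table):
        findings.append("no partition is flagged bootable")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector, not a real disk image: the given boot code,
    a dummy disk signature, one bootable NTFS (type 0x07) partition, 0x55AA."""
    code = boot_code.ljust(BOOT_CODE_END, b"\x00")[:BOOT_CODE_END]
    disk_sig = struct.pack("<I", 0xDEADBEEF) + b"\x00\x00"
    entry = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800)
    table = entry + b"\x00" * (PART_ENTRY_LEN * 3)
    return code + disk_sig + table + b"\x55\xaa"


# Stand-in boot code: xor ax,ax / mov ss,ax / mov sp,0x7c00 (a common MBR prologue).
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c")
# Stand-in for a replaced loader (arbitrary bytes, not Petya's code); the
# partition table is left intact so the disk still boots into the new loader.
TAMPERED_MBR = build_sample_mbr(b"\xfa\xfc\x31\xc0\x8e\xd8")

BASELINE_HASH = boot_code_hash(CLEAN_MBR)
BASELINE_TABLE = parse_partition_table(CLEAN_MBR)


def read_physical_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a real disk. Assumed helper: needs administrator rights
    on Windows; on Linux pass a device such as /dev/sda instead."""
    with open(device, "rb") as f:
        return f.read(MBR_SIZE)


if __name__ == "__main__":
    print("clean:   ", check_mbr(CLEAN_MBR, BASELINE_HASH, BASELINE_TABLE))
    print("tampered:", check_mbr(TAMPERED_MBR, BASELINE_HASH, BASELINE_TABLE))
```

Store the baseline hash and table somewhere the malware cannot reach (not on the same disk); the check is only as trustworthy as the copy it compares against, and it covers the MBR loader only, not the later MFT encryption that happens after the reboot.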
 
