Petya MBR Encryption Ransomware Test
Fabian Wosar wrote (post 496327):

Dr Web blocks it just fine using default settings (which is to block direct disk access for all processes) both in Katana as well as their normal AV/IS product. The malware will just sit there and consume excessive amounts of CPU because it just tries to infect the MBR over and over again. EAM blocks it as well for pretty much the same reason.

In general the threat already has kind of an expiration date. If you use any modern version of Windows (8, 8.1, 10) and if you are using UEFI/EFI to boot (which you really, really should), you are automatically protected from it, because the code in the MBR never gets to execute. The Windows binary itself doesn't do any actual encryption. It just prepares the malicious boot loader and writes it to disk. That's it. The actual encryption of the MFT is performed by the boot loader. I posted some technical information here:

KernelMode.info • View topic - Petya malware: http://www.kernelmode.info/forum/viewtopic.php?f=16&t=4293#p28134

Since the actual file data isn't touched by the malware at all and only the MFT is encrypted, all tools that allow you to restore files without the usage of the MFT will work just fine. You will probably lose directory names and structure, but if you shell out the $80 for GetDataBack for example or any other zero knowledge file recovery tool, you will get your files back just fine, with the exception of small files that may be stored within the MFT itself and may be encrypted.
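The recovery point in the post above, as an added illustration that is not part of the post: a signature-based carver needs no MFT, so non-resident file data survives an MFT-only encryption, while a small file stored resident inside an MFT record does not. The disk image, file layout, byte offsets and the XOR "encryption" are constructed stand-ins and assumptions for the demo, not Petya's real on-disk format or cipher.

```python
# Constructed demo: MFT-independent file carving after an MFT-only encryption.
# Layout, offsets and the XOR scramble are stand-ins, not Petya's real format.
import re

SECTOR = 512
# Header/footer signatures a signature-based carver keys on (real format magic).
SIGNATURES = {
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
    "pdf": (b"%PDF-", b"%%EOF"),
}

def build_image():
    """Constructed 64 KiB 'volume': MFT region at sectors 16-31, file data later."""
    img = bytearray(SECTOR * 128)
    mft = SECTOR * 16
    # Small file kept resident inside an MFT record (as NTFS does for tiny files).
    resident = b"NOTE.TXT:resident data lives inside the MFT record"
    img[mft:mft + len(resident)] = resident
    # Larger files: their data lives in clusters outside the MFT.
    png = SIGNATURES["png"][0] + b"\x00" * 300 + SIGNATURES["png"][1]
    pdf = SIGNATURES["pdf"][0] + b"1.7 constructed body" + SIGNATURES["pdf"][1]
    img[SECTOR * 40:SECTOR * 40 + len(png)] = png
    img[SECTOR * 64:SECTOR * 64 + len(pdf)] = pdf
    return bytes(img), (mft, SECTOR * 32), resident

def encrypt_mft(img, mft_span, key=0x5A):
    """Stand-in for the boot loader's MFT encryption: only MFT sectors change."""
    start, end = mft_span
    scrambled = bytes(b ^ key for b in img[start:end])
    return img[:start] + scrambled + img[end:]

def carve(img):
    """Recover files by header/footer scan; uses no filesystem metadata at all."""
    found = []
    for kind, (head, tail) in SIGNATURES.items():
        for m in re.finditer(re.escape(head), img):
            end = img.find(tail, m.end())
            if end != -1:
                found.append((kind, m.start(), img[m.start():end + len(tail)]))
    return found

def demo():
    img, mft_span, resident = build_image()
    encrypted = encrypt_mft(img, mft_span)
    before, after = carve(img), carve(encrypted)
    # Non-resident files carve identically before and after; resident data is gone.
    return before == after, len(after), resident in encrypted
```

Running `demo()` returns `(True, 2, False)`: both carved files match byte for byte, but the resident note is unrecoverable without the MFT, which is exactly the exception the post describes.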