Petya MBR Encryption Ransomware Test
<blockquote data-quote="Fabian Wosar" data-source="post: 496488" data-attributes="member: 24327"><p>No, it does not. For some reason a lot of people (including OP, judging by the text files shown in the video, but I would think that was just a small oversight in wording the text rather than a lack of understanding of what the malware does) think that is all the malware does. If it was just overwriting the MBR, it would be incredibly easy to restore access to the machine by just rewriting the MBR. There are plenty of tools that could do that, and a lot of the crappy removal tutorial sites suggest exactly that, which may actually make matters worse.</p><p></p><p>The dropper (the Windows executable) will overwrite the first 66 sectors of your disk. This includes the MBR at position 0. It then forces a bluescreen using an undocumented native Windows API. After the bluescreen your system will reboot and the malware becomes active. The malicious bootloader left in the MBR will load the rest of the malware, stored in later sectors on the disk, into memory and jump there. The malware then checks if the actual encryption process already took place. If it did not, it will obtain the key from a dedicated sector on your disk and will go through all the installed disks on the system. It will parse the partition table of each disk, looking for NTFS partitions. If such a partition is found, it will read the VBR of said partition, parse the BPB stored within the VBR, locate the exact cluster where the MFT, which is an important data structure in the NTFS file system, can be found, and start encrypting all the sectors that are occupied by the MFT, with the exception of the first two, which contain the entry for the MFT itself, so the malware still knows later on which sectors it has to decrypt. All of this happens during the fake CHKDSK screen you can see in the video.</p><p></p><p>After that the ransom screen is displayed. Now, what is the MFT?
The MFT or Master File Table is essentially a data structure that tells Windows where the actual file data can be found. In the simplest terms, think of it as a table that just maps file names to actual sector or cluster addresses. So if you access the file C:\Windows\Explorer.exe, Windows checks the MFT for where on the disk the content of C:\Windows\Explorer.exe is located and then reads those sectors. So by encrypting the MFT, you do not encrypt the actual file content, but you encrypt the lookup directory that says where on disk the files can be found. That also means that any recovery tool that isn't dependent on the MFT to recover files will work just fine, and there are plenty of those around.</p><p></p><p>There is also one other misconception you see people regurgitating repeatedly when it comes to this malware, and that is the Mirror MFT. "Can't you just restore the MFT from the mirror MFT?" That useless advice stems from the wrong belief that the Mirror MFT, which is an actual thing, contains a copy of all MFT records. That is blatantly wrong though. The Mirror MFT only contains the records of the first 4 MFT entries, which are for the MFT ($Mft) itself, the Mirror MFT ($MftMirr), the NTFS log file ($LogFile) and the volume information ($Volume). So the Mirror MFT is completely useless when dealing with this particular malware.</p></blockquote><p></p>
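The post above explains how the VBR's BPB is used to locate the MFT, and why $MftMirr is no help because it only covers the first four records. The following is an added example, not code from the post, the video or any tool mentioned there: a small triage-style Python script that walks the MBR partition table, parses the NTFS BPB, computes the disk sector of $MFT and $MftMirr, and reports which MFT records no longer begin with the "FILE" signature, which is the quickest way to tell how much of the table a recovery tool can still rely on. The disk image is constructed in memory with made-up geometry (partition at LBA 2048, 8 sectors per cluster, $MFT at LCN 4, $MftMirr at LCN 16, 1024-byte records); the field offsets are the standard MBR and NTFS on-disk layout.

```python
"""Locate $MFT from the MBR partition table and the NTFS BPB, then check which
MFT records still carry the 'FILE' signature. Added example run against a
synthetic in-memory disk image; offsets follow the documented MBR / NTFS layout."""
import struct

SECTOR = 512
NTFS_PARTITION_TYPE = 0x07


def parse_partition_table(mbr):
    """Return (type, lba_start, sector_count) for each used MBR entry at 0x1BE."""
    entries = []
    for i in range(4):
        off = 0x1BE + 16 * i
        ptype = mbr[off + 4]
        lba_start, count = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0 and count != 0:
            entries.append((ptype, lba_start, count))
    return entries


def parse_bpb(vbr):
    """Read the NTFS BIOS Parameter Block fields that locate $MFT and $MftMirr."""
    if vbr[3:11] != b"NTFS    ":
        raise ValueError("not an NTFS volume boot record")
    bytes_per_sector, sectors_per_cluster = struct.unpack_from("<HB", vbr, 0x0B)
    mft_lcn, mftmirr_lcn = struct.unpack_from("<QQ", vbr, 0x30)
    clusters_per_record, = struct.unpack_from("<b", vbr, 0x40)
    # A negative value encodes the record size as 2**|value| bytes (usually 1024).
    if clusters_per_record < 0:
        record_size = 1 << -clusters_per_record
    else:
        record_size = clusters_per_record * sectors_per_cluster * bytes_per_sector
    return {"bytes_per_sector": bytes_per_sector,
            "sectors_per_cluster": sectors_per_cluster,
            "mft_lcn": mft_lcn, "mftmirr_lcn": mftmirr_lcn,
            "record_size": record_size}


def cluster_to_sector(partition_lba, lcn, bpb):
    """Absolute disk sector of a logical cluster number inside the partition."""
    return partition_lba + lcn * bpb["sectors_per_cluster"]


def damaged_records(disk, first_sector, record_size, count):
    """Indexes of MFT records whose header no longer starts with 'FILE'."""
    bad = []
    for i in range(count):
        off = first_sector * SECTOR + i * record_size
        if disk[off:off + 4] != b"FILE":
            bad.append(i)
    return bad


def analyze(disk, n_records=8):
    """Walk every NTFS partition: find $MFT and $MftMirr and check their records."""
    report = []
    for ptype, lba, _count in parse_partition_table(disk[:SECTOR]):
        if ptype != NTFS_PARTITION_TYPE:
            continue
        bpb = parse_bpb(disk[lba * SECTOR:(lba + 1) * SECTOR])
        mft = cluster_to_sector(lba, bpb["mft_lcn"], bpb)
        mirr = cluster_to_sector(lba, bpb["mftmirr_lcn"], bpb)
        rs = bpb["record_size"]
        report.append({
            "partition_lba": lba,
            "mft_sector": mft,
            "mftmirr_sector": mirr,
            "mft_damaged": damaged_records(disk, mft, rs, n_records),
            # $MftMirr holds only the first four records, so only those are checked.
            "mirror_damaged": damaged_records(disk, mirr, rs, 4),
        })
    return report


def build_disk_image(n_records=8, damage_from=None):
    """Constructed image (not a real disk): MBR with one NTFS partition at LBA 2048,
    8 sectors per cluster, $MFT at LCN 4, $MftMirr at LCN 16. Records >= damage_from
    are overwritten with filler bytes so the checker has a damaged table to flag."""
    part_lba, spc, rec, mft_lcn, mirr_lcn = 2048, 8, 1024, 4, 16
    part_sectors = 32 * spc
    disk = bytearray((part_lba + part_sectors) * SECTOR)
    struct.pack_into("<B3sB3sII", disk, 0x1BE, 0x80, b"\0\0\0",
                     NTFS_PARTITION_TYPE, b"\0\0\0", part_lba, part_sectors)
    disk[0x1FE:0x200] = b"\x55\xAA"
    vbr = part_lba * SECTOR
    disk[vbr + 3:vbr + 11] = b"NTFS    "
    struct.pack_into("<HB", disk, vbr + 0x0B, SECTOR, spc)
    struct.pack_into("<Q", disk, vbr + 0x28, part_sectors)
    struct.pack_into("<QQ", disk, vbr + 0x30, mft_lcn, mirr_lcn)
    struct.pack_into("<b", disk, vbr + 0x40, -10)       # 2**10 = 1024-byte records
    disk[vbr + 0x1FE:vbr + 0x200] = b"\x55\xAA"
    mft = (part_lba + mft_lcn * spc) * SECTOR
    mirr = (part_lba + mirr_lcn * spc) * SECTOR
    for i in range(n_records):
        disk[mft + i * rec:mft + i * rec + 4] = b"FILE"
        if i < 4:                                       # mirror covers records 0-3 only
            disk[mirr + i * rec:mirr + i * rec + 4] = b"FILE"
    if damage_from is not None:
        for i in range(damage_from, n_records):
            disk[mft + i * rec:mft + (i + 1) * rec] = b"\xEE" * rec
    return bytes(disk)


if __name__ == "__main__":
    for entry in analyze(build_disk_image(damage_from=2)):
        print(entry)
```

Running the script on the constructed image with records 2 to 7 damaged reports $MFT at sector 2080, $MftMirr at sector 2176, records 2 to 7 flagged and the mirror's four records intact; asking the checker to read eight records from the mirror instead flags records 4 to 7, because nothing past the first four was ever stored there. On a real disk the same functions would be pointed at a forensic image rather than at build_disk_image().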