Alert: Petya Ransomware May Be the Worst Yet

Ransomware is such a popular method of attack used by hackers that new variants of it pop up every few months. Among these is Petya, a nasty new ransomware that masquerades as an unsolicited resume in an organization’s email inbox. Don’t be fooled, though; the only work these hackers are looking for is to work you out of a couple hundred dollars.

Once the file has been downloaded, Petya causes a Windows error and forces the system to endure the typical “blue screen of death,” causing a reboot. The computer will then display a red skull and crossbones, and a fraudulent “system check” infects and encrypts the master file table (MFT) with a military-grade encryption protocol. This causes the computer to essentially forget which files it has and where they are stored.
Rather than closing access to particular files, Petya completely locks the user out of the system by overwriting the computer’s master boot record. The computer is essentially rendered useless to the user, who can’t even log in. Petya will display a list of demands, as well as how to meet them. As is the case with most ransomware, the ransom must be paid in Bitcoin. Once this has been done, the criminal supplies a decryption key that’s used to regain access to the files.
The initial cost for the decryption key is 0.99 Bitcoin, which is an estimated $430. However, paying for the decryption key isn’t that simple. Once the user accesses the payment page, they’re given a limited amount of time to obtain the key before the price is doubled. While some websites claim there are commands that allow users to skip the lock screen, the MFT will still be encrypted, rendering the files useless. Even if the user pays the ransom, there’s still no guarantee that the decryption key provided by the hackers will work. This is why we always suggest that you don’t pay the ransom, and instead contact a professional technician who can advise you on the situation.
In particular, business owners and human resources representatives who are responsible for the hiring process are the preferred targets. Petya is distributed through emails disguised as coming from potential job seekers. The message will often contain a hyperlink to a Dropbox folder containing a resume, which is really just a Trojan horse carrying Petya that’s capable of weaseling its way past your antivirus solution. Petya had been causing significant trouble for German businesses, but a programmer has found a solution. Admittedly, it’s a tricky solution to implement, but it’s still preferable to paying a ransom.
As is the case with most ransomware, your best chance of escaping unscathed is by dodging the attacks altogether. Ransomware is notoriously difficult to crack, even for seasoned IT veterans, but keeping a watchful eye on anything you download from the Internet can help you avoid infections. With PC Medics’ security solutions, you can proactively detect and eliminate threats to your IT infrastructure. To learn more, give us a call at 818-357-2338.
Cryptolocker Ransomware: What You Need To Know
Update 12/20/2013: A new version of Cryptolocker—dubbed Cryptolocker 2.0—has been discovered by ESET, although researchers believe it to be a copycat of the original Cryptolocker after noting large differences in the program’s code and operation. You can read the full blog comparing the two here.
Just last month, antivirus companies discovered a new ransomware known as Cryptolocker.
This ransomware is particularly nasty because infected users are in danger of losing their personal files forever.
Spread through email attachments, this ransomware has been seen targeting companies through phishing attacks.
Cryptolocker will encrypt users’ files using asymmetric encryption, which requires both a public and private key.
The public key is used to encrypt data (and to verify signatures), while the private key is used to decrypt (and to sign); each operation is the inverse of the other.
Below is an image from Microsoft depicting the process of asymmetric encryption.
The bad news is that decryption is impossible unless the user obtains the private key, which is stored only on the cybercriminals’ server.
Currently, infected users are instructed to pay $300 USD to receive this private key.
Infected users also have a time limit to send the payment. If this time elapses, the private key is destroyed, and your files may be lost forever.
The files targeted are those commonly found on most PCs today; the targeted file extensions include:
3fr, accdb, ai, arw, bay, cdr, cer, cr2, crt, crw, dbf, dcr, der, dng, doc, docm, docx, dwg, dxf, dxg, eps, erf, indd, jpe, jpg, kdc, mdb, mdf, mef, mrw, nef, nrw, odb, odm, odp, ods, odt, orf, p12, p7b, p7c, pdd, pef, pem, pfx, ppt, pptm, pptx, psd, pst, ptx, r3d, raf, raw, rtf, rw2, rwl, srf, srw, wb2, wpd, wps, xlk, xls, xlsb, xlsm, xlsx
In some cases, it may be possible to recover previous versions of the encrypted files using System Restore or other recovery software used to obtain “shadow copies” of files. The folks at BleepingComputer have some additional insight on this found here.
Malwarebytes detects Cryptolocker infections as Trojan.Ransom, but it cannot recover your encrypted files due to the nature of asymmetric encryption, which requires a private key to decrypt files encrypted with the public key.
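Because encrypted files cannot be recovered without the private key, the practical job after an infection is to find out which files were hit so they can be restored from backup. The script below is an added example (not from the original post or from Malwarebytes): it uses the extension list above and flags targeted files whose format signature (magic bytes) is gone, which is what a file looks like when its body has been replaced by ciphertext but its name and extension were left intact. Only formats with well-known leading bytes are checked; the directory to scan is an assumed argument.

```python
import os

# Extensions Cryptolocker was reported to target (the list quoted above).
TARGETED = set("""3fr accdb ai arw bay cdr cer cr2 crt crw dbf dcr der dng doc docm
docx dwg dxf dxg eps erf indd jpe jpg kdc mdb mdf mef mrw nef nrw odb odm odp ods odt
orf p12 p7b p7c pdd pef pem pfx ppt pptm pptx psd pst ptx r3d raf raw rtf rw2 rwl srf
srw wb2 wpd wps xlk xls xlsb xlsm xlsx""".split())

# Leading bytes of formats whose signature is well known; other targeted
# types (camera RAW, CAD, ...) are reported as unverified rather than guessed.
OLE, ZIP, JPEG = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", b"PK\x03\x04", b"\xff\xd8\xff"
MAGIC = {
    "doc": OLE, "xls": OLE, "ppt": OLE, "pst": b"!BDN",
    "docx": ZIP, "xlsx": ZIP, "pptx": ZIP, "docm": ZIP, "xlsm": ZIP, "pptm": ZIP,
    "odt": ZIP, "ods": ZIP, "odp": ZIP, "jpg": JPEG, "jpe": JPEG,
    "rtf": b"{\\rtf", "psd": b"8BPS", "pem": b"-----BEGIN", "der": b"\x30",
}


def classify(name, header):
    """'ok' = signature intact; 'suspect' = targeted type whose signature is gone;
    'unverified' = targeted type with no known signature; 'untargeted' = other."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext not in TARGETED:
        return "untargeted"
    expected = MAGIC.get(ext)
    if expected is None:
        return "unverified"
    return "ok" if header.startswith(expected) else "suspect"


def scan(root):
    """Walk a tree, tally verdicts and return the paths that look encrypted."""
    counts = {"ok": 0, "suspect": 0, "unverified": 0, "untargeted": 0}
    suspects = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    verdict = classify(fn, fh.read(16))
            except OSError:
                continue  # unreadable file: skip, do not crash the triage
            counts[verdict] += 1
            if verdict == "suspect":
                suspects.append(path)
    return counts, suspects


if __name__ == "__main__":
    import sys
    totals, hit = scan(sys.argv[1] if len(sys.argv) > 1 else ".")  # assumed argument
    print(totals, *hit, sep="\n")
```

A header mismatch is also produced by ordinary corruption or a misnamed file, so treat the suspect list as a restore-from-backup worklist rather than proof of infection.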
In order to make removal even easier, a video was also created to guide users through the process (courtesy of Pieter Arntz).
While Malwarebytes cannot recover your encrypted files post-infection, we do have options to prevent infections before they start.
Users of Malwarebytes Anti-Malware Pro are protected by malware execution prevention and blocking of malware sites and servers.
To learn more about how Malwarebytes stops malware at its source, check out this blog.
Free users will still be able to detect the malware if present on a PC, but will need to upgrade to Pro in order to access these additional protection options.
Also, the existence of malware such as Cryptolocker reinforces the need to back up your personal files.
However, a local backup may not be enough in some instances, as Cryptolocker may even go after backups located on a network drive connected to an infected PC.
Cloud-based backup solutions are advisable for business professionals and consumers alike. Malwarebytes offers Malwarebytes Secure Backup, which offers an added layer of protection by scanning every file before it is stored within the cloud in an encrypted format (don’t worry, you can decrypt these).
To find out more about removing Cryptolocker, check out the official removal guide from Malwarebytes.
Update: Adam Kujawa from Malwarebytes gives further insight about Cryptolocker in an interview with Category 5.
This article was sourced from: Cryptolocker Ransomware: What You Need To Know | Malwarebytes Unpacked.
Beware of the FBI Virus
The FBI Virus is a virus that locks down your computer shortly after you turn it on, preventing you from accessing any files or programs. The cleverly designed virus will tell you that your system has been used for different types of illegal activity and will demand a payment via MoneyPak to unlock your computer. The payment requests can be anywhere from $100 to $700 depending on the variant installed on your computer; there are several variants. However, once you have paid, nothing will change and your computer will remain infected.
Some of the viruses even state that they have taken pictures of you through your webcam and have your image on file. You may even be shown a photo of yourself taken with your webcam. Luckily, none of this is true. Here is what the virus might look like:
Since late last year, PC Medics 911 has been experiencing an influx of computers infected with what is now known as the FBI Virus. This virus is not going away anytime soon.
Fortunately, we have all the tools necessary to remove it! We have continuously removed the FBI virus successfully here at our Granada Hills store. Our highly trained emergency computer technicians will make sure any data you need protected is backed up prior to removal.
Give us a call today if you believe you are infected with this virus. Our toll free number is 888-729-1163.