Petya Ransomware Uses DOS-Level Lock Screen, Prevents OS Boot Up

An anonymous reader writes: A new type of ransomware was discovered that crashes your PC into a BSOD, restarts your computer, and then prevents your OS from starting by altering the hard drive's master boot record (MBR). This keeps the user locked in a DOS screen that doubles as the ransomware's ransom note. The ransomware's name is Petya, and was currently seen only targeting HR departments in Germany.

Re:Oh it's another one of those

[bondsbw]

Sounds more like a problem where the author of the article doesn't know the difference between DOS and "not GUI".

This changes the Master Boot Record and encrypts files while it displays the skull logo and warning message. From what I can tell, you can simply unplug your computer to stop the process of encrypting your files... the earlier you stop, the fewer files are affected.

Dead serious answer

[DrYak]

What happens when I open it with WINE?

The virus needs to modify the boot sequence so the next reboot starts its "fake" CHKDSK (to encrypt the disk and display a lock screen).

Under most Unix, root-level privilege are necessary to write to a raw block device (as required to change the MBR) and as Wine is usually ran under an end-users account, it simply lacks the necessary rights to perform this action.

Re: What is a DOS screen?

[the_humeister]

Actually, DOOM was 320x240. 320x200 was Duke Nukem 3D. The reason to use 320x240 is because the pixels were square. However, the screen was split into banks of four because 320x240 pixels is too large to fit in a 64 KiB segment (ie pixels 0,4,8,⦠are in bank 0, pixels 1, 5,9,⦠are in bank 1, etc.) which makes accessing the framebuffer more complicated and slower. 320x200 has slightly rectangular pixels, but the framebuffer is linear and fits in 64KiB, which is the largest segment size that can be accesses in real mode DOS.