Slashdot Mirror


Petya Ransomware Uses DOS-Level Lock Screen, Prevents OS Boot Up (softpedia.com)

An anonymous reader writes: A new type of ransomware was discovered that crashes your PC into a BSOD, restarts your computer, and then prevents your OS from starting by altering the hard drive's master boot record (MBR). This keeps the user locked in a DOS screen that doubles as the ransomware's ransom note. The ransomware's name is Petya, and it is currently seen only targeting HR departments in Germany.

96 of 155 comments

  1. This file is an EXE file. What Year is This??? by mpapet · · Score: 1

    I thought Windows[7,8,10,9999] was supposed to fix this? Was the user "warned" about opening a file for the 10th time that day?

    What happens when I open it with WINE?

    --
    http://www.maxineudall.com/2010/02/should-economists-be-sued-for-malpractice.html
    1. Re: This file is an EXE file. What Year is This??? by ihtoit · · Score: 1

      98 used COMMAND.COM, ME used VMM32.VXD (hence real-mode DOS applications couldn't run without some serious tweaking).

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  2. Also encrypts files by Megahard · · Score: 2

    According to the update in TFA, just repairing the MBR will not solve the problem.

    --
    I eat only the real part of complex carbohydrates.
  3. Re:Oh it's another one of those by bondsbw · · Score: 4, Informative

    Sounds more like a problem where the author of the article doesn't know the difference between DOS and "not GUI".

    This changes the Master Boot Record and encrypts files while it displays the skull logo and warning message. From what I can tell, you can simply unplug your computer to stop the process of encrypting your files... the earlier you stop, the fewer files are affected.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  4. Re:Oh it's another one of those by hey! · · Score: 1

    Some jokes never get old.

    Other ones...

    --
    Post may contain irony: discontinue use if experiencing mood swings, nausea or elevated blood pressure.
  5. Dead serious answer by DrYak · · Score: 5, Informative

    What happens when I open it with WINE?

    The virus needs to modify the boot sequence so the next reboot starts its "fake" CHKDSK (to encrypt the disk and display a lock screen).

    Under most Unix, root-level privileges are necessary to write to a raw block device (as required to change the MBR), and as Wine is usually run under an end-user's account, it simply lacks the necessary rights to perform this action.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
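The boot-sector tampering described in DrYak's "Dead serious answer" above is something a defender can check for independently of the malware: the first 512 bytes of a disk hold the boot code, the partition table and a 0x55AA signature, and a baseline hash of the boot code lets you notice when it has been replaced while the partition table is left intact. The Python below is an added example, not code from the post or from any Petya analysis; it builds a constructed MBR image in memory (the partition entry and disk signature are made-up sample values) so it runs offline, and the hypothetical `check_mbr` function reports which region differs from the baseline.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE = slice(0, 440)        # boot code lives in bytes 0..439
PART_TABLE = slice(446, 510)     # four 16-byte partition entries
SIGNATURE = slice(510, 512)      # must be 0x55 0xAA on a bootable MBR
ENTRY_FMT = "<B3sB3sII"          # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR image for this example (not read from any real disk)."""
    if len(boot_code) > 440:
        raise ValueError("boot code too long")
    mbr = bytearray(MBR_SIZE)
    mbr[:len(boot_code)] = boot_code
    mbr[440:444] = b"\x12\x34\x56\x78"  # NT disk signature (arbitrary sample value)
    # One active NTFS (type 0x07) partition starting at LBA 2048, 1,000,000 sectors long.
    mbr[446:462] = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                               b"\xfe\xff\xff", 2048, 1_000_000)
    mbr[SIGNATURE] = b"\x55\xaa"
    return bytes(mbr)


def parse_partitions(mbr: bytes) -> list:
    """Decode the four partition-table entries; empty entries (type 0) are skipped."""
    parts = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(ENTRY_FMT, mbr[off:off + 16])
        if ptype == 0:
            continue
        parts.append({"index": i, "bootable": status == 0x80, "type": ptype,
                      "lba_start": lba, "sectors": count})
    return parts


def baseline_hashes(mbr: bytes) -> dict:
    """Record a known-good MBR as separate hashes for the boot code and the partition table."""
    return {
        "boot_code": hashlib.sha256(mbr[BOOT_CODE]).hexdigest(),
        "partition_table": hashlib.sha256(mbr[PART_TABLE]).hexdigest(),
    }


def check_mbr(mbr: bytes, baseline: dict) -> list:
    """Return finding names; an empty list means the sector matches the baseline."""
    if len(mbr) != MBR_SIZE:
        return ["wrong_size"]
    findings = []
    if mbr[SIGNATURE] != b"\x55\xaa":
        findings.append("missing_boot_signature")
    current = baseline_hashes(mbr)
    if current["boot_code"] != baseline["boot_code"]:
        findings.append("boot_code_changed")
    if current["partition_table"] != baseline["partition_table"]:
        findings.append("partition_table_changed")
    return findings


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xeb\xfe")       # a two-byte "jmp $" stub stands in for boot code
    baseline = baseline_hashes(clean)           # taken while the machine is known to be clean
    print(parse_partitions(clean))
    # A changed boot code with an untouched partition table is the pattern to look for.
    altered = bytearray(clean)
    altered[:16] = b"\x90" * 16
    print(check_mbr(clean, baseline))           # []
    print(check_mbr(bytes(altered), baseline))  # ['boot_code_changed']
```

To check a real disk you would read its first sector (for example /dev/sda on Linux or \\.\PhysicalDrive0 on Windows) in place of the constructed image, with the baseline captured right after provisioning; as the post points out, that raw read needs root or administrator rights, which is the same privilege boundary that keeps an unprivileged account from writing the sector.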
    1. Re:Dead serious answer by david_thornley · · Score: 5, Funny

      Sigh. Yet another thing WINE won't run.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:Dead serious answer by Rutulian · · Score: 1

      I'm pretty sure you would need to at least pass the UAC panel on Windows as well. I can't believe Windows would allow access to the MBR without permissions. So how does this really work?

    3. Re:Dead serious answer by Rutulian · · Score: 3, Insightful

      Found another article,
      http://sensorstechforum.com/re...

      After the payload file has been downloaded from a link, it will ask for elevation of privilege from the user. That file has a shield icon, so users expect the Windows User Account Control to be triggered. Unsurprisingly, they open it and give it permission, as they don’t suspect that this is a Trojan horse containing the payload for the Petya ransomware.

      This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! Cryptolocker I could understand because it just used the current user's credentials, but there is no excuse for getting infected by this.

    4. Re:Dead serious answer by roman_mir · · Score: 4, Funny

      How can it? Petya is a diminutive of the Russian name Petr or Peter for the English speakers. Petya is a little boy, running him on wine is illegal even in Russia ;)

    5. Re:Dead serious answer by Antique+Geekmeister · · Score: 1

      > This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! C

      Because they're HR. The field has high turnover and is noted for poor security practices "in order to get their job done".

    6. Re:Dead serious answer by Skuld-Chan · · Score: 1

      This is actually true for Windows as well - you need local admin to write to the MBR.

      Also, if the machine is using UEFI/"Secure Boot", it wouldn't be affected either.

    7. Re: Dead serious answer by cyber-vandal · · Score: 1

      I'm surprised a standard user would have the required security permissions to alter the MBR.

    8. Re: Dead serious answer by Rutulian · · Score: 1

      I'm surprised a standard user would have the required security permissions to alter the MBR.

      That's Windows security for you. Decades of established security practices where everyday users run unprivileged and only become root for administrative tasks, plus very user friendly implementations by Apple for OS X that nobody has complained about AFAIK, but nope, Microsoft has to come up with UAC instead. It is an improvement over XP, but it is still far too easy to inadvertently hose your system. The first thing I do when I install Windows is create an unprivileged user and set a password for the administrator. This instantly gets rid of 99% of the problems. The remaining 1% is training users when it is appropriate for an application to be asking for admin rights (almost never), but if you tell them to just never enter their password unless they are making a deliberate change to their system, or to ask if they are unsure, this is usually sufficient. I've never had malware problems on the boxes I administer.

    9. Re:Dead serious answer by thegarbz · · Score: 1

      but why the f$#%k would you click ok to a UAC warning to read a CV?

      Because we're conditioned to know if you click no then the thing we want to do doesn't work. It's gotten to the point where I've seen software installed that actively elevates user privileges so they aren't burdened by the UAC prompt. We're just used to knowing something won't work if we click No, not necessarily that this has nothing to do with the ability to read a CV.

  6. Infection Vector by Anonymous Coward · · Score: 1

    "HR employees are sent an email with a link to a file stored on Dropbox, where an applicant's CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death."

    How does this scenario even occur? Why didn't HR just tell them to attach an appropriate file instead of going out of their way to download the "CV" and unpacking it? This is insanity.

    1. Re:Infection Vector by david_thornley · · Score: 4, Insightful

      They probably did, and the "applicant" disregarded that. Personally, I think that if you have to trim the pile of resumes/CVs, removing the ones that broke the submission rules and the ones that have serious spelling and/or grammatical mistakes is a good start.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:Infection Vector by KGIII · · Score: 1, Interesting

      I taught college maths for three semesters after retiring. The lack of longevity should be an indication of how much I enjoyed it. I only taught two different classes and then just one class for the final semester. I sort of enjoyed it but it was a "teacher's college" where they graduate future teachers. (It was UMF.) I'd had some decent instructors and borrowed/modified this entrance exam. It tells you a lot about the student's abilities.

      At any rate, I did the tried and true exam at the start of two of those semesters. I did not bother doing so for the third. This was our second day class and I'd given them some instructions on the first day. I told everyone to not flip the paper over until they were told to do so. Anyone who turned the exam over prior to being told to do so was quietly marked as a failure. There were no questions asked and I let them keep going. I then told them the exam's rules.

      The exam was to be done in black or blue pen. They'd been instructed to bring one on the first day of class.
      I told them to read all of the exam questions and instructions completely before answering any of them.
      The top of the exam also included the instructions to read all of the questions/instructions thoroughly prior to answering any of them.

      The third to last "question" was instructions that said to finish reading the exam, sign the top of the page in blue or black ink, not to mark anywhere else on the front of the exam, but to continue pretending to work or to answer the bonus question. The bonus question, I forget how it was worded, was the last question and the bonus was to draw an impressionist's sketch of pi on the back of the exam.

      Most people wrote their name in first. Many did all the questions until they got to #7 (? - I think it had ten questions - buggered if I remember all the details). In both of the years that I did it, only a few people actually got it right. It wasn't my original idea or anything.

      However, I did fail (for that exam) those who failed it. It was a simple pass/fail exam where failure counted as a zero. It was not a mathematics test, it was a test to see how well they would follow instructions in my class. If they can't follow instructions then they'll need to learn how and we can start there.

      For the most part, it worked out well. It did not work out well for everyone. After doing it a second time, I got an angry phone call from a parent (seriously, who has their parents call their professor at a university about failing a test?) who was really unhappy that I'd given their brilliant daughter a failing score on the exam. She'd already failed it when she flipped it over before being told to, but she failed it when she did the work in pencil and she failed it again when she completed the problems up until #7.

      I refused to remove the grade. She, and her parents (her mother, specifically) were livid. She didn't drop the course. She passed but just barely. It seems she'd been to a private school and was considered very bright. She barely passed an introduction to collegiate mathematics... Who the hell has their parents call their professor because they legitimately failed an exam? It didn't even count for much. They expected me to not re-test but to just change the grade.

      I did not change the grade. She even showed up after class with fake tears - not even good fake crying. Some of the folks who failed it were a little pissed but they got the point - and did well, most of them. I can only imagine what this person must have led for a life to get to that point. It must have been pretty inept if they were used to being able to get stuff like that "fixed" by calling the parental units or pretending to cry. Presumably, she's out there teaching someone today - probably in some public school somewhere in Rural America.

      At any rate, that's just one of the many reasons why I simply did the one more semester that I'd said I'd do. I'd have not even done that semester but I had said I would do it and I try to do what I say I will do. She was one

      --
      "So long and thanks for all the fish."
    3. Re: Infection Vector by Opportunist · · Score: 2

      But following a link and downloading&executing arbitrary crap from somewhere on the internet is better?

      Just how stupid are people really?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:Infection Vector by ihtoit · · Score: 1

      I had a similar test for potentials when I ran my law firm. Five pages of questions (about 70 of them, some multiple choice, some short answer), the first instruction being: "Read the entire paper before you begin answering any of the questions", the penultimate being "Do not answer any question on this test but carry out the next instruction", the very last one being, and I quote: "Sign your name in the box below, break your pencil in half and step away from the desk."

      Only one person ever passed, out of probably 500 applicants. Some of the responses on the short answer questions were hysterical.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    5. Re: Infection Vector by ihtoit · · Score: 1

      no, it's called teaching your students to arm themselves with the maximum amount of information BEFORE they act. It's not as if the information they require isn't RIGHT THERE IN FRONT OF THEM.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    6. Re: Infection Vector by ihtoit · · Score: 1

      because if you don't bother to read through a simple test paper before chickenscratching your way to a frycook job, how the fuck do you expect to be entrusted with a complex set of instructions which could potentially injure or kill you or someone else if you get it wrong?

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    7. Re:Infection Vector by david_thornley · · Score: 1

      Doesn't stop him from looking.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    8. Re:Infection Vector by ihtoit · · Score: 1

      actually my "dumb test" weeded out the fools who just waded right on in and FUCKED UP as surely as they would have FUCKED UP CASE AFTER CASE.

      Shithead.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    9. Re:Infection Vector by djinn6 · · Score: 2

      Following rules doesn't get you very far in life. At best you'll be just another cog in the global market, soon to be replaced by a computer, whose low cost is only matched by its ability to follow rules, however stupid those rules are.

    10. Re: Infection Vector by dryeo · · Score: 1

      It doesn't help that Windows actively hides the fact that it is an executable. I got one the other day, named something like foo.pdf.exe and a PE binary; Windows would just show foo.pdf and happily run it.

      --
      https://en.wikipedia.org/wiki/Inverted_totalitarianism
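The double-extension trick dryeo describes above (foo.pdf.exe shown as foo.pdf) can be caught at the mail gateway or on the file share before a file manager ever gets to hide the extension. The Python below is an added example, not code from the post; the `assess_attachment` function and its finding names are my own, the magic-byte prefixes are the standard ones for PDF, ZIP/OOXML and PE files, and the sample inputs (portfolio-packed.exe from the quoted article text, foo.pdf.exe from the post, and two constructed document names, each with a constructed header) are embedded inline so nothing is read from disk. It also covers the inverse case the post does not mention: a file named like a document whose content is actually a PE binary.

```python
# Well-known leading bytes for a few file types (standard values, not taken from the thread).
MAGIC = {
    ".pdf": b"%PDF-",
    ".docx": b"PK\x03\x04",   # OOXML documents are ZIP containers
    ".zip": b"PK\x03\x04",
    ".exe": b"MZ",            # DOS/PE executable header
    ".scr": b"MZ",
}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs"}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png", ".zip"}


def shown_name(filename: str) -> str:
    """What a file manager shows when it hides the extension of a known file type."""
    base, dot, _ext = filename.rpartition(".")
    return base if dot else filename


def split_extensions(filename: str) -> list:
    """All dotted suffixes of a name, lower-cased: 'foo.pdf.exe' -> ['.pdf', '.exe']."""
    parts = filename.lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_attachment(filename: str, head: bytes) -> list:
    """Return the problems found with an attachment; an empty list means nothing suspicious.

    head holds the first few bytes of the file content.
    """
    findings = []
    exts = split_extensions(filename)
    real_ext = exts[-1] if exts else ""
    is_exec = real_ext in EXECUTABLE_EXTS
    if is_exec:
        findings.append("executable_extension")
    # A document-looking suffix right before an executable one is the hidden-extension disguise.
    if is_exec and len(exts) >= 2 and exts[-2] in DOCUMENT_EXTS:
        findings.append("double_extension_disguise")
    # The content is a PE binary even though the name claims to be a document.
    if head.startswith(b"MZ") and not is_exec:
        findings.append("pe_content_with_document_name")
    expected = MAGIC.get(real_ext)
    if expected is not None and not head.startswith(expected):
        findings.append("content_does_not_match_extension")
    return findings


# Constructed samples: two names from the thread plus two made-up ones; the bytes are sample headers.
SAMPLES = [
    ("portfolio-packed.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("foo.pdf.exe", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("resume.pdf", b"%PDF-1.4\n%\xe2\xe3\xcf\xd3"),
    ("cv.pdf", b"MZ\x90\x00\x03\x00\x00\x00"),
]


def triage(samples=SAMPLES) -> dict:
    """Map each sample filename to its findings."""
    return {name: assess_attachment(name, head) for name, head in samples}


if __name__ == "__main__":
    for name, findings in triage().items():
        print(f"{name!r} (shown as {shown_name(name)!r}): {findings or 'clean'}")
```

Checking the leading bytes matters as much as the name: a gateway rule that only looks at the final extension passes cv.pdf straight through, while the content check flags it. In production you would feed the real first bytes of each attachment into `assess_attachment` and quarantine anything with a non-empty result.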
    11. Re:Infection Vector by ihtoit · · Score: 1

      I've never come across a lawyer with specific learning disabilities. The nature of the work actually precludes the possibility of such a person even getting a toe in the door.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    12. Re:Infection Vector by Cederic · · Score: 1

      No you fuckwit. Just avoid discriminating against them.

    13. Re: Infection Vector by KGIII · · Score: 1

      That would have been the proper choice for you. You're too special to follow directions.

      --
      "So long and thanks for all the fish."
    14. Re:Infection Vector by KGIII · · Score: 1

      Two things. That sounds good and is a nice pithy thought but we both know better. The second is that... Ah, screw it. You'll only want to argue anyhow. Yet, I suspect if you look at where I am and where you are - and then at who followed the rules, you would still just want to argue. Have a nice day.

      --
      "So long and thanks for all the fish."
    15. Re:Infection Vector by KGIII · · Score: 1

      Pretty much. It's not like these kids were going to go on to be mathematicians. They were going to be (many of them) physical education teachers. (I kid you not.)

      The grade didn't impact a whole lot but it did go into the books. Follow directions. 'Snot hard. Just follow 'em. If you don't understand the directions - stop and ask. The importance of following instructions and asking if they did not understand any of them was stressed on day one. Day two, we found out if you paid the least bit of attention on day one.

      --
      "So long and thanks for all the fish."
    16. Re:Infection Vector by KGIII · · Score: 1

      I am just getting to read the responses. There are a few to mine (and then to yours) that indicate they would not have passed the exam. I'd already stressed the importance of following instructions - including the importance of bringing a pen with blue or black ink.

      --
      "So long and thanks for all the fish."
    17. Re: Infection Vector by KGIII · · Score: 1

      Oh you silly child. No, the students who remained loved my class. I hated it because I could not devote enough time to actually teach them all. I wanted to teach them mathematics, not rote mathematics. I hated it. There is not enough time in my day, or in their day, to do so.

      On the other hand, yes I am an asshole. I fully admit, accept, and intend it.

      --
      "So long and thanks for all the fish."
    18. Re:Infection Vector by KGIII · · Score: 1

      Do they think us old folks don't notice the cuties? Hell, sometimes we get to sleep with 'em.

      I've a girlfriend at the moment but there's a certain special quality about a marginally insane crazy college chick with daddy issues. I did not sleep with any of my students. I have not slept with any of my former students - but I have gotten wasted with a couple of them back when I used to drink. They were no longer my students and were over the age of 21 as far as I know.

      --
      "So long and thanks for all the fish."
    19. Re:Infection Vector by ihtoit · · Score: 1

      yeah, I kinda noticed that too.

      Oh, found the archived videos, they're on a stack in a server I'm actually rebuilding. Should be up again in the next week.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    20. Re:Infection Vector by thegarbz · · Score: 1

      A few points:

      1. We give students competing goals: Do something in a limited time, but waste time reading an entire paper in full despite the bulk of the assessment being assigned to answering questions.

      2. You set something that was highly out of the ordinary for an exam. Even more out of the ordinary for a maths exam.

      3. You set something that has nothing to do with the course.

      4. You were attempting to teach people to blindly follow rules rather than attempt to get through what are typically tough questions using a method that has worked best for them.

      Quite frankly I'm glad you're not teaching anymore. This is something you can use as a joke in class, but not something that should be set in an exam, EVER. If you try that in the legal field (doing something truly out of the ordinary in a contract), the contract becomes unconscionable.

      Also you're lucky. I've seen the student's parents actually come in to the university... if my mother did that I would have just died of embarrassment on the spot.

    21. Re:Infection Vector by KGIII · · Score: 1

      Sweet. Lemme know when they're available for me to view 'em. Funny enough, I almost posted a reminder in the response I'd written but I figured it hadn't been long enough to need a reminder. (I imagine anyone reading this is now officially lost or confused.)

      At any rate, I'm quite curious to see them. Maybe they'll give me some inspiration to write about 'em. I'm officially working on a site, technically a network of sites, to prove a point and win a bet - but also because it's an interesting thing to do. The first of them is up and running but incomplete. It's *close* to complete but not quite there. I've a few more kinks to work out, I keep finding small bugs, and there's a few more tweaks to be made.

      The best thing is, I'm doing it all for the low cost of absolutely zero dollars. That's part of the bet. If you're curious, click here and be even more confused. *sighs* It's a long story. ;-) Aren't they always?

      --
      "So long and thanks for all the fish."
    22. Re:Infection Vector by david_thornley · · Score: 1

      Blindly not following rules is worse than blindly following rules. Know what the rules are, and why you're breaking them. My standard rule: never break a rule you don't understand. (Self-reference not only intentional, but vital to understanding the rule.)

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    23. Re:Infection Vector by djinn6 · · Score: 1

      What you call an argument, I call a discussion. Why else come to slashdot?

      I've basically followed a few rules in life and I've done great:
      1. Do what you love and do it really well
      2. Focus on your life goal
      3. Treat others kindly

      Every other rule is either a more specific (and therefore less useful) version of the above, or a moronic rule made by some asshat authoritarian to keep you down.

      Yet, I suspect if you look at where I am and where you are - and then at who followed the rules, you would still just want to argue.

      So is this a dick-measuring contest now?

    24. Re:Infection Vector by KGIII · · Score: 1

      It became a dick measuring contest, and nothing more, when you stated that it wouldn't get you very far in life.

      --
      "So long and thanks for all the fish."
    25. Re:Infection Vector by ihtoit · · Score: 1

      OK. Mobile version is here (and I apologise in advance for the sound quality, you probably need some noise-cancelling headphones to hear it properly), I'll get the SD (which has better sound quality) up on a torrent because I don't have the space on my GDrive for a 14GB upload.

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    26. Re:Infection Vector by ihtoit · · Score: 1

      addendum: soon's the torrent's done I'll drop it into the SD folder on the previous link.

      (and my wife says netbooks with flat batteries are useless... they're great for chucking up torrent boxes)

      --
      Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
    27. Re:Infection Vector by cwsumner · · Score: 1

      And the next job was in a manufacturing plant, where there was a set of steel steps with a light at the top. The sign said "Do Not go down the steps until the light goes out". The one who did not learn from the class made a terrible mess. But they never actually found the body.

      The rest lived! 8-)

    28. Re:Infection Vector by cwsumner · · Score: 1

      Breaking human rules is one thing, it will only get you in trouble.

      Breaking Mother Nature's rules is different. Most of her punishments are death, and Mother Nature has no pity.

      Be sure you know the difference!

    29. Re:Infection Vector by KGIII · · Score: 1

      Far too many people understand the value of following directions. There's a time and a place to not do so. That's a rarity. Usually, you're far better off by following the directions.

      --
      "So long and thanks for all the fish."
    30. Re:Infection Vector by KGIII · · Score: 1

      I got to thinking... It will fit here:
      https://mega.nz/

      --
      "So long and thanks for all the fish."
  7. I boot from non-writable media by davidwr · · Score: 1

    Unless you are going to tamper with the firmware or its settings, "good luck" changing my boot sequence.

    Oh, by the way, a comment at this Trend Micro write-up suggests that the initial program that infects the system won't work unless the user has administrative privileges.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:I boot from non-writable media by Opportunist · · Score: 1

      In what company do computer illiterates like HR have admin privs on their computers?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:I boot from non-writable media by dbIII · · Score: 1

      One where the inhouse developers demand admin access for all users of their almighty VB application because they have admin access and don't have the patience to test it on a machine that does not. It used to be a very common problem and it still lurks in a few places. It took about two years to convince a developer in my workplace that it was a really bad idea despite it being part of the cause of a pile of virus incidents.

    3. Re:I boot from non-writable media by Opportunist · · Score: 1

      There's an easy fix for that. Sit down with your CISO and have him demand that any and all virus incidents that could have been avoided by not having admin privs on accounts that have no reason to have them be tacked to the cost center said dufus wannabe programmer is in.

      That problem will soon clean up itself.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    4. Re:I boot from non-writable media by dbIII · · Score: 1

      Workplace politics is often more complicated - I was the "CISO" but the developer was outside of my chain of command since he did it more or less as a hobby on the side of his real job.

      The real issue is for developers to wake up to bad practices instead of just thinking they are being bullied by the head of a different department.

      All that is aside from the point - such bad practices were very common not long ago and still exist in many places.

    5. Re:I boot from non-writable media by Opportunist · · Score: 1

      Then you weren't the CISO.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:I boot from non-writable media by dbIII · · Score: 1

      Thanks a lot for calling me a liar for a very trivial reason. Meanwhile back in reality the problem was that I was not the CEO, so it meant dealing with the very non-technical boss of the guy with the application instead of dealing with him myself.

      It's a side issue of the example, so I really don't get why you are arguing and why you are going so far as to call me a liar. You also seem to be acting as if you have been asked to solve a problem when with that example it was solved years ago, but it won't be the case for similar situations of identical stupidity.

      So many developers are still stuck on the single user, 32 bit, single threaded, non-networked, trust by default mentality of MSDOS and that shows with software that needlessly runs as admin.

    7. Re:I boot from non-writable media by Opportunist · · Score: 1

      What I mean is that the title is pointless if you don't get the power to go with it. If you are responsible for the security in your company but have no power to make the relevant decisions, they have no CISO; all they have is a scapegoat.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    8. Re:I boot from non-writable media by Maritz · · Score: 1

      I'm unreasonably interested in the thinking behind the scare quotes.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  8. Why do they say "OS"? Windows-Only! by rsborg · · Score: 1, Offtopic

    This won't impact a Mac, nor will it impact Linux (it's an .exe file). The TFA referred to Windows, so should the summary.

    Just like as usual - most rampant exploits and malware are Windows-only.

    --
    Make sure everyone's vote counts: Verified Voting
    1. Re: Why do they say "OS"? Windows-Only! by GoodNewsJimDotCom · · Score: 4, Funny

      Black hat virus writers are a bunch of bad guys, but it would be some next level evil to turn a Macintosh computer to boot into Dos or Windows.

    2. Re:Why do they say "OS"? Windows-Only! by nmoore · · Score: 1

      It says "prevents your OS from starting". If your machine triple-boots Linux, OS X, and Windows, and a Windows trojan overwrites the boot loader, it's going to keep you from booting into all three OSes.

    3. Re:Why do they say "OS"? Windows-Only! by Maritz · · Score: 1

      Security through obscurity is on your side.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
  9. Okay, I lied by davidwr · · Score: 2

    I don't *always* boot from non-writable media.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Okay, I lied by Anonymous Coward · · Score: 4, Funny

      But when you do, you boot from DOS XX.

  10. Only HR departments? by Bing+Tsher+E · · Score: 3, Insightful

    If we all volunteer to kick in a little to the ransom gang, is it possible we could spread it to all HR people worldwide? A world full of hamstrung HR people would allow us to all get direct-hire jobs.

    1. Re:Only HR departments? by Anonymous Coward · · Score: 1

      And cancel all the "sensitivity training" seminars? Puh-leez????

      If I hear one more "Binary is for *computers*, not people!" presentation of Social Justice Warrior drivel masquerading as workplace ethics.... it's not going to be pleasant.

    2. Re:Only HR departments? by ericloewe · · Score: 4, Funny

      "Ransom gang" has such a negative connotation.

      How about calling them "workplace productivity enhancement team" or "employee happiness consultancy"?

    3. Re:Only HR departments? by CanadianMacFan · · Score: 1

      Stop thinking small. Let's put it to where it can do some real good. Send it to the lawyers!

  11. Re:What is a DOS screen? by MobileTatsu-NJG · · Score: 1

    Actually it was 320 by 200, and "DOS Screens" were actually in text-mode that was measured in characters and not pixels.

    --
    "I like to lick butts!" by MobileTatsu-NJG (#32700246) (Score:5, Informative)

  12. Corporate machines should have exe whitelisting by Anonymous Coward · · Score: 1

    There is no reason anybody should be able to run unknown exes on a work computer without notifying IT first.
    It's the only way to combat this kind of lack of basic IT knowledge that afflicts most office workers.

    I work with people who have used PCs for over a decade who still lack basic IT knowledge and would still fall for this trick in a heartbeat. You cannot drill it into your staff to not open stuff like this, you have to actively prevent it happening.

    1. Re:Corporate machines should have exe whitelisting by HiThere · · Score: 1

      At one point that was a reasonable position. Unfortunately operating systems now execute lots of things they shouldn't automatically. I've heard of jpg viruses.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
  13. Re:It's a tax on the stupid by david_thornley · · Score: 1

    I've seen some pretty intelligent people fall prey to email viruses, mostly in the older days when email viruses were effective. More recently, I know a very sharp woman who used the New York Times website without adequate defenses.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  14. Your PC is now Stoned! by Bigbuzzman · · Score: 1

    Your PC is now Stoned!

  15. Re:Oh it's another one of those by is7s · · Score: 1

    I thought that was DOS too, how is it called then? Isn't that MS DOS running the boot code?

  16. Re:Oh it's another one of those by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

    Some jokes never get old.

    Other ones... get integrated into the next version of systemd.

  17. So... by JustAnotherOldGuy · · Score: 1

    So just boot from a CD or USB drive and then fix the MBR.

    --
    Just cruising through this digital world at 33 1/3 rpm...
  18. The Flash could do it in time, but he's fiction by dbIII · · Score: 1

    From what I can tell, you can simply unplug your computer to stop the process of encrypting your files... the earlier you stop, the fewer files are affected.

    I looked at the timestamps of the files of a cryptolocker attack victim once - it's worth remembering that computers are very fast these days and it did quite a few GB per minute.

  19. Re:What is a DOS screen? by Gaygirlie · · Score: 1

    You're talking about BIOS graphics mode 13, MCGA 320x200 x256 colors onscreen pallet with an available color selection for those 256 palette entries of 24bits per R,G, or B.

    Minor nitpick: the colour-palette only had a depth of 18 bits, ie. 6 bits per channel, not 24 bits.

  20. Re:What is a DOS screen? by ihtoit · · Score: 1

    720x400 is 80x25 textmode with the 9x16 system typeface. Doom was 320x200 CGA graphics mode (specifically IBM mode 13h, 256 colours). Both use the same amount of video memory (IIRC 16kB).

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  21. DOS? by Sir+Holo · · Score: 1

    I thought QDOS, and thus the BSOD, went away with Windows Vista. At least, that's what the ads told me.

    Are you implying that Microsoft might have lied to me? :cry emoji:

  22. Re:Oh it's another one of those by Antique+Geekmeister · · Score: 1

    No, it's mostly VMS. Take a look at the extensive lawsuits when David Cutler was hired from DEC, and took a lot of his old VMS developer team with him to create the kernel for Windows NT.

  23. Microsoft Windows strikes again! by khz6955 · · Score: 1

    Hey, slashdot, the technical site how about telling us the name of the Operating System and the Hardware Platform this ransomware runs on? hint Windows and Intel ..

  24. Re: What is a DOS screen? by the_humeister · · Score: 1, Informative

    Actually, DOOM was 320x240. 320x200 was Duke Nukem 3D. The reason to use 320x240 is because the pixels were square. However, the screen was split into banks of four because 320x240 pixels is too large to fit in a 64 KiB segment (ie pixels 0,4,8,... are in bank 0, pixels 1,5,9,... are in bank 1, etc.) which makes accessing the framebuffer more complicated and slower. 320x200 has slightly rectangular pixels, but the framebuffer is linear and fits in 64KiB, which is the largest segment size that can be accessed in real mode DOS.

  25. UEFI + Secure Boot by Microlith · · Score: 1

    Or boot using UEFI, which probably breaks this. Toss in Secure Boot, and even if they wrote a UEFI bootloader they wouldn't be able to intercept the boot process.

    Cue idiots who make inaccurate comments about UEFI and betray their technical ignorance.

  26. Re: What is a DOS screen? by ihtoit · · Score: 1

    Would you like to revise your information? DOOM engine renders at 320x200 (16:10 aspect ratio). You'll also find that the memory space for 320x240 is the SAME (it's a VGA mode which uses a more efficient algorithm) as the CGA 320x200 mode (which in 1993 was STILL the most common graphics mode available to MOST PC users hence the denominator for developers). Also, the only reason to split the screen was during multiplayer mode on console (eg Saturn, N64). It makes absolutely no sense to bank the screen quadrants when you're using the same amount of memory to render and MORE memory (and processor clocks) to stitch the quadrants.

    --
    Political debates have me rolling my eyes so much I think I got optical whiplash. I should sue. - Foamy The Squirrel
  27. Ummm, a "DOS screen"? "DOS level"? by aussersterne · · Score: 2

    I honestly entered this story hoping to read lots of merciless ridicule of these phrases.

    Where is it? Or have all the geeks finally left Slashdot?

    --
    STOP . AMERICA . NOW
    1. Re:Ummm, a "DOS screen"? "DOS level"? by pjbgravely · · Score: 1

      The /. geeks are gone, replaced by cowards and lusers that think a PC has to run Microsoft Windows and a Hacker is a bad person. I only post about it when I think my karma is getting too high.

      --
      Star Trek, there may be hope.
  28. /. is dead by Anonymous Coward · · Score: 1

    I was hoping for exactly the same, there's a brief mention of it followed by someone (user 4,496,745, yikes) seriously asking

    "I thought that was DOS too, how is it called then? Isn't that MS DOS running the boot code?"

    That, a day or so after some prick from the gadget show made it to the front page pontificating on things we all know he has absolutely no grasp of, this just isn't my slashdot any more and it's sad.

  29. Re:Oh it's another one of those by Vlad_the_Inhaler · · Score: 1

    Did you not RTFA? It only claims to encrypt the data, but does not actually do it.

    --
    Mielipiteet omiani - Opinions personal, facts suspect.
  30. Re: What is a DOS screen? by hvdh · · Score: 1

    320x240x8bit is 76800 bytes, more than 64KB. It required bank switching, but it was easier than the GP wrote. VRAM was still linear, but you needed a VESA BIOS call to change the 64KB VRAM bank accessible in the 64KB video memory segment. Of 320x240, 204.8 lines fit in the first bank, the remaining ones in the second bank. As a display line split in two banks is very unhandy, you could increase the virtual resolution to 512x240 and had 128 full lines in bank 0 and the other 112 lines in bank 1.

  31. Re: What is a DOS screen? by One+With+Whisp · · Score: 2

    No, please.

    The reason to use 320x240 is because the pixels were square.

    I would agree with you, except DOOM actually did use 320x200, and indeed the pixels were rectangular. It's a common problem that forks (known in DOOM circles as "source ports") face when they try to change up the rendering engine. Many of the graphics in the game were even designed with the knowledge that the screen would be stretched due to the non-square pixels, meaning that unstretching would degrade them.

    320x200 has slightly rectangular pixels, but the framebuffer is linear and fits in 64KiB, which is the largest segment size that can be accessed in real mode DOS.

    Yeah, except doom uses DPMI, so this doesn't even matter.

  32. Re: Oh it's another one of those by bondsbw · · Score: 1

    Yes I did. But the article took a quote from its source and summarized it a bit differently. Here is the original quote from the source:

    As of this writing we assume that only the file access is blocked but the files themselves are not encrypted. Experts at the G DATA SecurityLabs are still analyzing this new type of ransomware.

    That is a bit less confident than TFA states.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  33. Re:DOS? by pjbgravely · · Score: 1

    QDOS AKA MSDOS went away with the NT Kernel, the last Microsoft OS running on MSDOS was Windows ME. Windows Vista (NT 6.0) added to the BSOD with a more critical R(ed)SOD but the B(lue)SOD was still there. I don't know if the RSOD survived into Windows 7 NT6.1.

    --
    Star Trek, there may be hope.
  34. Re:Oh it's another one of those by LocalH · · Score: 2

    That's as much a misconception as "text mode = DOS".

    This is neither. This is malware that installs code to the MBR that loads before any OS. In fact, it's sort of its own OS, running on bare metal.

    --
    FC Closer
  35. Petya by dimko · · Score: 1

    In Russian, Petya is a variation of the name Peter. A childish way to say that name. That makes me wonder...

  36. Privilege ; UEFI by DrYak · · Score: 1

    This is actually true for Windows as well - need local admin to write to the mbr.

    The difference is that wine will simply refuse and fail.

    Whereas, on windows, this will open a UAC prompt which users have taken the habit (...have been pavlovian-trained...) to click okay on to get anything done due to countless badly designed pieces of software.

    Also if the machine is using uefi/"Secure Boot" it wouldn't be affected either.

    That's a bit more complicated.

    If the disk is partitioned in Legacy mode, this will fry the partition table.

    The UEFI firmware won't be able to locate the special FAT32 boot partition ("EFI system partition") with the bootloader .EFI executable used by the OS.
    The system is left in an unbootable state, and the few next available boot options will be taken in turns, eventually reaching legacy boot, which will load the booter code of the malware.

    If the disk is partitioned in GPT mode, things will get a little bit more complex.

    Some UEFI firmware implementations DO require an appropriate "Guarding DOS partition" to boot in UEFI mode (some are even picky about whether the ms-dos "BOOT" flag should be set on that guarding partition). Of course, none of which is standardised.
    Because of this, and because the partition table is hosed, some UEFI firmware won't detect the availability of the EFI system partition and won't boot in UEFI mode, again degrading to next available modes, eventually reaching the point they attempt a legacy MBR boot.

    Some other UEFI implementations completely ignore the MBR and go straight for the GPT.

    Then it depends on the malware. I can't find reliable sources whether the malware does encrypt files on the disk or not.
    If it doesn't, then MBR-ignoring UEFI firmware will boot as usual. No problem noticed beyond the initial bluescreen crash.

    If the malware does encrypt files, the boot process will fail at some point (depending on the encrypted files).

    The only difference that "Secure booting" brings, is that it refuses to run .efi executables (like bootloader) which weren't signed by Microsoft's key or any key that an admin has loaded into the system (for Linux users that do use it, but don't use the shim and load their own keys instead).

    The system will refuse to boot all the same as above (except for the single exception), and simply won't fall back to displaying the skull. But the system is hosed all the same.

    I can't find reliable information about what exactly is encrypted, so it's impossible to know if simply rebuilding the partition table using a USB boot stick (like System Rescue CD) is enough, or whether a decryption tool will be eventually needed to rescue important files from the drive.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
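    The "guarding DOS partition" and boot-flag checks DrYak describes can be verified directly on sector 0: the 0x55AA boot signature at offset 510 and a type 0xEE entry starting at LBA 1 are what a picky UEFI firmware looks for before it trusts the GPT, and an overwritten partition table loses both. The following parser is an added example (not code from the thread or from any firmware); the intact and damaged sectors it checks are constructed inline.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446       # four 16-byte entries live here, then the 0x55AA signature
PART_ENTRY_SIZE = 16
GPT_PROTECTIVE_TYPE = 0xEE    # the "guarding" entry a GPT disk carries in its legacy MBR
BOOT_FLAG = 0x80

def parse_partition_entries(mbr: bytes) -> list:
    """Decode the four legacy partition entries of a 512-byte MBR sector."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("an MBR sector is exactly 512 bytes")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS start(3, skipped) type(1) CHS end(3, skipped) LBA start(4) sectors(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", mbr, off)
        entries.append({"bootable": status == BOOT_FLAG, "type": ptype,
                        "lba_start": lba_start, "sectors": sectors})
    return entries

def classify_mbr(mbr: bytes) -> dict:
    """Report the MBR properties a picky UEFI firmware may inspect before trusting the GPT."""
    entries = parse_partition_entries(mbr)
    protective = [e for e in entries
                  if e["type"] == GPT_PROTECTIVE_TYPE and e["lba_start"] == 1]
    return {
        "boot_signature_ok": mbr[510:512] == b"\x55\xaa",
        "protective_gpt_entry": bool(protective),
        "protective_entry_bootable": bool(protective) and protective[0]["bootable"],
        "nonzero_entries": sum(1 for e in entries if e["type"] != 0),
    }

def build_protective_mbr(disk_sectors: int, bootable: bool = False) -> bytes:
    """Constructed sample: the protective MBR a GPT partitioning tool writes to sector 0."""
    status = BOOT_FLAG if bootable else 0
    entry = struct.pack("<B3sB3sII", status, b"\x00\x02\x00", GPT_PROTECTIVE_TYPE,
                        b"\xff\xff\xff", 1, min(disk_sectors - 1, 0xFFFFFFFF))
    mbr = bytearray(MBR_SIZE)
    mbr[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    mbr[510:512] = b"\x55\xaa"
    return bytes(mbr)

def build_damaged_mbr(mbr: bytes) -> bytes:
    """Constructed sample: the same sector with table and signature overwritten by filler bytes."""
    damaged = bytearray(mbr)
    damaged[PART_TABLE_OFFSET:] = bytes([0x90]) * (MBR_SIZE - PART_TABLE_OFFSET)
    return bytes(damaged)
```

    Run `classify_mbr(build_protective_mbr(1 << 21))` against `classify_mbr(build_damaged_mbr(...))` to see the signature and the protective entry both disappear; on a real disk the 512 bytes would come from reading sector 0 with a rescue medium, never from the compromised OS.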
  37. Re: What is a DOS screen? by MTBaldwin · · Score: 1

    Brings back memories. I remember when I got my first IBM PS2 MODEL 30....1024 kilobytes of memory. 12 screaming MEGAhertz of CPU power. MS-DOS 3.3. That cost me about $2000.00, way back in 1987.

  38. Re:It's a tax on the stupid by david_thornley · · Score: 1

    I mean intelligent and thoughtful people who are competent in the real world and do have common sense. I'm not impressed by the sort of "book-smart" people you describe. Been there, done that, learned better.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  39. Re:portfolio-packed.exe by Maritz · · Score: 1

    I think that's kinda the point. You only do that if you're in the biz of ransoming data. Literally no applicants ever turn their word doc resume/CV into a .exe just 'cos

    --
    I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.