Slashdot Mirror


Petya Ransomware Uses DOS-Level Lock Screen, Prevents OS Boot Up (softpedia.com)

An anonymous reader writes: A new type of ransomware was discovered that crashes your PC into a BSOD, restarts your computer, and then prevents your OS from starting by altering the hard drive's master boot record (MBR). This keeps the user locked in a DOS screen that doubles as the ransomware's ransom note. The ransomware's name is Petya, and it has currently been seen only targeting HR departments in Germany.

18 of 155 comments

  1. Also encrypts files by Megahard · · Score: 2

    According to the update in TFA, so just repairing the MBR will not solve the problem.

    --
    I eat only the real part of complex carbohydrates.
  2. Re:Oh it's another one of those by bondsbw · · Score: 4, Informative

    Sounds more like a problem where the author of the article doesn't know the difference between DOS and "not GUI".

    This changes the Master Boot Record and encrypts files while it displays the skull logo and warning message. From what I can tell, you can simply unplug your computer to stop the process of encrypting your files... the earlier you stop, the fewer files are affected.

    --
    All my liberal friends think I'm a conservative, all my conservative friends think I'm a liberal.
  3. Dead serious answer by DrYak · · Score: 5, Informative

    What happens when I open it with WINE?

    The virus needs to modify the boot sequence so the next reboot starts its "fake" CHKDSK (to encrypt the disk and display a lock screen).

    Under most Unix, root-level privileges are necessary to write to a raw block device (as required to change the MBR), and as Wine is usually run under an end-user's account, it simply lacks the necessary rights to perform this action.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
    1. Re:Dead serious answer by david_thornley · · Score: 5, Funny

      Sigh. Yet another thing WINE won't run.

      --
      "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
    2. Re:Dead serious answer by Rutulian · · Score: 3, Insightful

      Found another article,
      http://sensorstechforum.com/re...

      After the payload file has been downloaded from a link, it will ask for elevation of privilege from the user. That file has a shield icon, so users expect the Windows User Account Control to be triggered. Unsurprisingly, they open it and give it permission, as they don’t suspect that this is a Trojan horse containing the payload for the Petya ransomware.

      This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! Cryptolocker I could understand because it just used the current user's credentials, but there is no excuse for getting infected by this.

    3. Re:Dead serious answer by roman_mir · · Score: 4, Funny

      How can it? Petya is a diminutive of the Russian name Petr or Peter for the English speakers. Petya is a little boy, running him on wine is illegal even in Russia ;)

  4. Okay, I lied by davidwr · · Score: 2

    I don't *always* boot from non-writable media.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Okay, I lied by Anonymous Coward · · Score: 4, Funny

      But when you do, you boot from DOS XX.

  5. Only HR departments? by Bing+Tsher+E · · Score: 3, Insightful

    If we all volunteer to kick in a little to the ransom gang, is it possible we could spread it to all HR people worldwide? A world full of hamstrung HR people would allow us to all get direct-hire jobs.

    1. Re:Only HR departments? by ericloewe · · Score: 4, Funny

      "Ransom gang" has such a negative connotation.

      How about calling them "workplace productivity enhancement team" or "employee happiness consultancy"?

  6. Re:Infection Vector by david_thornley · · Score: 4, Insightful

    They probably did, and the "applicant" disregarded that. Personally, I think that if you have to trim the pile of resumes/CVs, removing the ones that broke the submission rules and the ones that have serious spelling and/or grammatical mistakes is a good start.

    --
    "When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
  7. Re: Why do they say "OS"? Windows-Only! by GoodNewsJimDotCom · · Score: 4, Funny

    Black hat virus writers are a bunch of bad guys, but it would be some next level evil to turn a Macintosh computer to boot into Dos or Windows.

  8. Re: Infection Vector by Opportunist · · Score: 2

    But following a link and downloading&executing arbitrary crap from somewhere on the internet is better?

    Just how stupid are people really?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  9. Re:Oh it's another one of those by U2xhc2hkb3QgU3Vja3M · · Score: 4, Funny

    Some jokes never get old.

    Other ones... get integrated into the next version of systemd.

  10. Ummm, a "DOS screen"? "DOS level"? by aussersterne · · Score: 2

    I honestly entered this story hoping to read lots of merciless ridicule of these phrases.

    Where is it? Or have all the geeks finally left Slashdot?

    --
    STOP . AMERICA . NOW
  11. Re:Infection Vector by djinn6 · · Score: 2

    Following rules doesn't get you very far in life. At best you'll be just another cog in the global market, soon to be replaced by a computer, whose low cost is only matched by its ability to follow rules, however stupid those rules are.

  12. Re: What is a DOS screen? by One+With+Whisp · · Score: 2


    No, please.

    The reason to use 320x240 is because the pixels were square.

    I would agree with you, except DOOM actually did use 320x200, and indeed the pixels were rectangular. It's a common problem that forks (known in DOOM circles as "source ports") face when they try to change up the rendering engine. Many of the graphics in the game were even designed with the knowledge that the screen would be stretched due to the non-square pixels, meaning that unstretching would degrade them.

    320x200 has slightly rectangular pixels, but the framebuffer is linear and fits in 64KiB, which is the largest segment size that can be accessed in real mode DOS.

    Yeah, except doom uses DPMI, so this doesn't even matter.

  13. Re:Oh it's another one of those by LocalH · · Score: 2

    That's as much a misconception as "text mode = DOS".

    This is neither. This is malware that installs code to the MBR that loads before any OS. In fact, it's sort of its own OS, running on bare metal.

    --
    FC Closer
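
Comments 3 and 13 above describe the mechanism at issue: code written into the MBR that runs before any OS, which on a Unix host requires raw block-device access. The following is an added example (not from the article, the ransomware, or any commenter) of the check a responder would want: parse a 512-byte MBR, validate the 0x55AA signature and partition table, and compare the boot-code region against a known-good hash so that a rewritten boot sector is flagged even when the partition table is left intact. The offsets are the standard MBR layout; the two sample sectors, their boot-code bytes and the "known good" hash are constructed here for the example and are not Petya's real boot code. As comment 1 notes, a rewritten MBR is only part of the damage, so this is a detection aid, not a repair.

```python
# Added example (not from the article or any commenter): parse a 512-byte
# MBR and compare its boot code against a known-good hash, so that a boot
# sector rewrite of the kind described in the thread (boot code replaced,
# partition table left alone) is flagged. Sample sectors are constructed.
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0-439: x86 boot code; 440-445 disk signature + reserved
PART_TABLE_OFF = 446         # four 16-byte partition entries
PART_ENTRY_LEN = 16
SIGNATURE_OFF = 510
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass
class PartitionEntry:
    status: int      # 0x80 = active/bootable, 0x00 = inactive
    type_code: int   # e.g. 0x07 = NTFS/exFAT, 0x83 = Linux
    lba_start: int
    sectors: int

    @property
    def bootable(self) -> bool:
        return self.status == 0x80

    @property
    def empty(self) -> bool:
        return self.type_code == 0 and self.sectors == 0


def parse_mbr(sector: bytes) -> List[PartitionEntry]:
    """Validate the boot signature and return the four partition entries."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    if sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    entries = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        # status, 3 CHS bytes (skipped), type, 3 CHS bytes (skipped), LBA, count
        status, type_code, lba, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append(PartitionEntry(status, type_code, lba, count))
    return entries


def boot_code_hash(sector: bytes) -> str:
    """SHA-256 over the boot-code region only, so partition edits don't trip it."""
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(sector: bytes, known_good_hash: str) -> Tuple[bool, List[str]]:
    """Return (ok, findings): a changed boot code or no active partition is reported."""
    try:
        entries = parse_mbr(sector)
    except ValueError as exc:
        return False, [str(exc)]
    findings = []
    if boot_code_hash(sector) != known_good_hash:
        findings.append("boot code differs from known-good hash")
    if not any(e.bootable for e in entries if not e.empty):
        findings.append("no active partition")
    return not findings, findings


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 of a raw block device such as /dev/sda. On Linux this needs
    root (or membership in the group owning the device node); an ordinary user,
    which is how Wine usually runs, gets PermissionError here."""
    with open(device_path, "rb") as dev:
        return dev.read(MBR_SIZE)


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample: one active NTFS partition at LBA 2048, 1 GiB long."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    disk_sig = b"\x12\x34\x56\x78" + b"\x00\x00"   # disk signature + reserved
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2 * 1024 * 1024)
    return code + disk_sig + entry + b"\x00" * (3 * PART_ENTRY_LEN) + BOOT_SIGNATURE


# Constructed "known good" boot code and a tampered variant that keeps the
# partition table intact. Neither is real Petya or real Windows boot code.
CLEAN = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
TAMPERED = build_sample_mbr(b"\xeb\xfe" + b"\x90" * 30)   # jmp $ plus NOPs as a stand-in
CLEAN_HASH = boot_code_hash(CLEAN)

if __name__ == "__main__":
    for name, sector in (("clean", CLEAN), ("tampered", TAMPERED)):
        ok, findings = check_mbr(sector, CLEAN_HASH)
        print(name, "OK" if ok else "SUSPECT", findings)
```

To use it on a real machine you would record `boot_code_hash(read_mbr("/dev/sda"))` while the system is known to be clean (run as root, or from the non-writable boot media comment 4 mentions) and re-check against it later; hashing only the first 440 bytes keeps the check quiet across normal partition-table edits. GPT disks still carry a protective MBR in sector 0, so the same read applies, but the partition entries will show a single 0xEE entry rather than the real layout.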