Ransomware now using disk-level encryption

Ransomware has been detected infecting master file tables, rendering Windows PC useless unless payment is made. When first executed, the Petya malware will reboot the victim's machine, and run what appears to be a Windows check disk scan as a mask for the encryption process. A screen is then displayed that directs users to a …

  1. cantankerous swineherd

    "silently encrypt and decrypt on the fly for months" so the thieving scum have backdoored their product.

  2. allthecoolshortnamesweretaken

    Clever bastards. I hope their headstones will be done in Comic Sans.

  3. Sgt_Oddball Silver badge

    I hate to say it...

    But is the crypto-ware Windows only or have other variants appeared so far?

    Also with regards to encrypt/decrypt for months, that means there's some kind of trigger? Any ideas on what that could be?

    1. joeW Silver badge

      Re: I hate to say it...

      Vastly more prevalent on Windows of course, but lately some miscreants have been sharing the love - http://www.theregister.co.uk/2016/03/07/first_working_mac_ransomware_infects_transmission_users/

      1. Anonymous Coward

        Re: I hate to say it...

        I presume you meant this article.

        Yes, nobody is safe unless they practice a bit of computer hygiene. I hope they will hit high level government computers in their own country soon so they will be dealt with swiftly.

      2. Anonymous Coward

        Re: I hate to say it...

        "Vastly more prevalent on Windows of course, but lately some miscreants have been sharing the love - "

        See also:

        http://www.theregister.co.uk/2016/02/29/reinvented_ransomware_shifts_from_pwning_pc_to_wrecking_websites/

        http://www.theregister.co.uk/2015/11/09/ransomware_targeting_linux_charging_bitcoin/

        http://www.theregister.co.uk/2014/08/05/synologys_synolocker_crisis_its_as_bad_as_you_think/

    2. ecofeco Silver badge

      Re: I hate to say it...

      Android exists as well.

  4. BugabooSue
    Mushroom

    It's B'stards like these...

    ...who take the fun out of using computers.

    OK, these assholes destroy lives, life, etc., but dammit - my PCs are not just my livelihood, but my recreation. My PCs are my ever-configurable toys. Each computer is "My Precious!"

    If you mess with my tools or mess with my toys:- bad stuff will happen!!

    A pox on you people! Just die and do the Human Race a huge favour!!

    [I now return to my nuclear fallout shelter where my Precious(es) hide, switched off, safe inside their EMP-hardened welded-shut copper-walled boxes. At least, I think they are in there...]

    1. Charlie Clark Silver badge

      Re: It's B'stards like these...

      Or, we've not been taking security seriously enough for years and hoping that something like this would never happen. I'm sticking my head back under the covers and hoping it goes away. Yeah, that should work.

    2. Anonymous Coward

      Re: It's B'stards like these...

      Definitely EMP hardening for what Petya meant the other time you heard about that and Janus in the same topic, no? But maybe this time EMP stands for Evil Meddling Pricks

  5. Anonymous Coward

    Always a fool

    Just discussing with my colleagues and no matter how clever it is, there is always someone who lets this malware in.

    Education is amazingly effective in combating malware, yet the vast majority of companies I have performed consulting at completely ignore it in favour of tin that they haven't got the in-house skills to use/maintain.

    Things are getting better and people are starting to wake up, but compared to the Threat Actors involved with the creation of malware, they are nowhere near.

    1. Charles 9 Silver badge

      Re: Always a fool

      "Education is amazingly effective in combating malware, yet the vast majority of companies I have performed consulting at completely ignore it in favour of tin that they haven't got the in-house skills to use/maintain."

      Because education isn't as effective as you think. Guaranteed there's that someone in your group who isn't capable of learning. To quote the comedian, "You can't fix stupid." And before you can suggest firing him, more often than not the idiot's up top.

      1. a_yank_lurker Silver badge

        Re: Always a fool

        Education combined with follow up testing is required. The testing is required to find the problem areas.

      2. Doctor Syntax Silver badge

        Re: Always a fool

        "Because education isn't as effective as you think....And before you can suggest firing him, more often than not the idiot's up top."

        Experience is a dear teacher but there are those who will learn from no other.

        1. Charles 9 Silver badge

          Re: Always a fool

          And then there are those who will learn from no ONE...at all. The guy who if you taught to fish would be found dead a week later with the rod still in his hand.

    2. Tom Melly

      Re: Always a fool

      I wouldn't be too confident even if your company/family is certified idiot-free. A work colleague was hit after visiting a few sites looking at technical forums.

    3. Version 1.0 Silver badge

      Re: Always a fool

      Our mail server is set to kill anything that I think might be a malicious attachment. The delivery of these always spikes during a holiday, and this morning the logs showed our accounts being flooded over the last few days with .js attachments inside zip files containing "unpaid invoices".

      What continually surprises me is the number of organizations that really SHOULD KNOW BETTER who keep trying to send me .HTML documents - yep, I kill those on site too (sic).

      1. fran 2

        Re: Always a fool

        Mine too, hundreds and hundreds of them
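The filter rule Version 1.0 describes above (drop bare .html attachments, and drop zips that hide a .js inside) as an added example; this is not code from the thread or from any commenter's mail server. The blocked-extension set and the in-memory sample attachments are constructed assumptions.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Attachment types the filter refuses outright, or hunts for inside zips:
# the ".js inside a zip" lure and bare .html documents from the post above.
# Assumption: the exact list is site policy; extend it to taste.
BLOCKED_SUFFIXES = {".js", ".html", ".htm"}

def risky_zip_members(zip_bytes, depth=0):
    """Return member names inside a zip that carry a blocked extension.

    Descends into nested zips (a common wrapper trick) up to two levels and
    reports encrypted members it cannot open rather than waving them through."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(zip_bytes))
    except zipfile.BadZipFile:
        return ["<not a valid zip>"]
    found = []
    with zf:
        for info in zf.infolist():
            name = info.filename
            suffix = PurePosixPath(name).suffix.lower()   # "invoice.pdf.js" -> ".js"
            if suffix in BLOCKED_SUFFIXES:
                found.append(name)
            elif suffix == ".zip" and depth < 2:
                try:
                    inner = zf.read(name)
                except RuntimeError:          # password-protected member
                    found.append(name + "!<encrypted, cannot inspect>")
                    continue
                found.extend(name + "!" + m for m in risky_zip_members(inner, depth + 1))
    return found

def classify_attachment(filename, payload):
    """Verdict for one MIME attachment: ("drop", reason) or ("pass", reason)."""
    suffix = PurePosixPath(filename).suffix.lower()
    if suffix in BLOCKED_SUFFIXES:
        return "drop", "blocked attachment type " + suffix
    if suffix == ".zip":
        hits = risky_zip_members(payload)
        if hits:
            return "drop", "zip contains " + ", ".join(hits)
    return "pass", "no blocked content found"

def _make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples, not real captures.
LURE_ZIP = _make_zip({"unpaid_invoice_2016-03.js": b"// constructed, inert"})
NESTED_ZIP = _make_zip({"docs.zip": _make_zip({"invoice.pdf.js": b"// inert"})})
CLEAN_ZIP = _make_zip({"report.pdf": b"%PDF-1.4 constructed"})

if __name__ == "__main__":
    for fname, body in [("invoices.zip", LURE_ZIP), ("docs.zip", NESTED_ZIP),
                        ("report.zip", CLEAN_ZIP), ("invoice.html", b"<html>")]:
        print(fname, *classify_attachment(fname, body))
```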

  6. Pascal Monett Silver badge

    Nothing good will come of all this

    Not only do the miscreants hassle innocent people and destroy their data, but this scumware risks helping the US Government message on backdooring encryption. Of course, that is not the solution to the problem, but since when has that stopped a politician from pushing a point ?

    1. John H Woods

      Re: Nothing good will come of all this

      "but this scumware risks helping the US Government message on backdooring encryption" --- Pascal Monett

      Maybe only until people realise that these people will never use the approved backdoored algorithms.

    2. GrumpenKraut Silver badge
      Coat

      Re: Nothing good will come of all this

      Except possibly that people start to realize that backups are a must.

      The one with various external drives in the pockets. ------------->

      1. Anonymous Coward

        Re: Nothing good will come of all this

        Except possibly that people start to realize that backups are a must.

        Nope. Some of these f*ckers leave time between crypto and activation so your backups are infected too. You'd have to go back weeks, which means that all work between the last clean backup and the trigger is effectively lost until you pay.

        But that's not your only problem.

        Once you give in to this blackmail, there is no guarantee you have not started another timebomb that you'll be made to pay for later so your best bet is then to back up your data ASAP and rebuild the system underneath from scratch, which means you're facing quite some downtime before you can truly have some confidence in your machine. Imagine this happening at any medical practice.

        1. GrumpenKraut Silver badge

          Re: Nothing good will come of all this

          > Nope. Some of these f*ckers leave time ...

          I actually watch which files are transferred with each backup (rsync being used). If I don't see why some particular files are transferred then I check. More afraid of corruption by hardware problems, though.

          Surely more "professional" solutions are possible, but this is a home environment. All catastrophes I have seen (and that is quite a few) happened because no backup existed at all.

  7. Tezfair
    Unhappy

    I wonder if it only encrypts the boot drive. Might be worth revisiting folder redirection to another drive (or server depending on scenario). Either way it's getting more of a headache.

  8. Anonymous Coward

    Ransomware has been detected infecting master file tables, rendering Windows PC useless unless payment is made.

    We already knew that. Oh, wait, this isn't about Windows 10.

    Joking aside, I hope the people who do this will die slowly and painfully of a horrible disease. There is apparently no limit to the lowness criminals will go to collect some coin. F*ckers.

  9. David Roberts Silver badge

    Encrypts/decrypts for months?

    Does this mean a reboot with a Live CD (for example) would find evidence of the encryption?

    1. Anonymous Coward

      Re: Encrypts/decrypts for months?

      Maybe, but the REAL clever ones will use shadowing techniques, hiding in ways that make them difficult to even see, let alone detect (think hiding in sector lag space or encrypted in some out of the way place where you'd normally see scrambled data).

  10. John H Woods

    Fantasy hard drive (or array) ...

    ... 3 position physical (key?) switch on drive (or array)

    (1) looks to the BIOS/OS like a normal drive (or array) but keeps, inaccessibly and invisibly, all previous versions of files; perhaps also ignores destructive operations such as partitioning and formatting

    (2) all versions above become visible but drive is read-only

    (3) disk accessible as normal for partitioning, formatting or just maintenance (e.g. deleting of old versions of files).

    I'm not sure that my drive usage is typical but it seems to me that ordinary file store disk usage would not be greatly increased by keeping all previous versions of files - by far the biggest chunk of my diskspace is taken up by files that are their initial version.

    Even if this were not practical for operational disks or arrays, surely it's achievable for disk-based back-up solutions?

  11. TallGuy

    According to https://twitter.com/marcwrogers/status/714666493666017281 Petya encrypts the file table by XOR'ing with 7. Should be relatively easy to decrypt.

    1. Charles 9 Silver badge

      And as the article notes, that doesn't help. In fact, this may be a booby trap since attempting to restore the original record blows out the traces and methods needed to actually decrypt the rest of the drive.

  12. Sir Sham Cad

    Personally I prefer this

    Yes, knacker the PC of the idiot who decided opening that strangely named attachment from the obviously spoofed email address was a good idea so that they can't infect the network. We can always re-image the PC.

    It's the other stuff that encrypts the fileshares that's the proper PITA.

    Also: String these fuckers up by their genitals and stone them to death with LTO tapes.

    1. Charles 9 Silver badge

      Re: Personally I prefer this

      Problem is, what if that's your boss?

      1. AlbertH

        Re: Personally I prefer this

        Problem is, what if that's your boss?

        That's frequently the way. We've had malware brought on-site by people up to and including the Board. One clueless twerp brought three malicious payloads on to the network through his frequent surfing of "free" porn sites using Internet Explorer.

        We now ban connection of anything "unapproved" on to the network on pain of instant dismissal. There is an "open" wi-fi for the (l)users if they're desperate to connect their personal gear to the interweb - this seems to satisfy them and has gone a long way to keeping our networks secure!

        1. Charles 9 Silver badge

          Re: Personally I prefer this

          "We now ban connection of anything "unapproved" on to the network on pain of instant dismissal."

          That still doesn't solve the problem of the unapproved stuff being brought in by the ones who write the rules. Try to dismiss them and they'll turn around and dismiss YOU first, AND they outrank you.

  13. Wade Burchette

    Proper backups

    Isn't it great that Windows 8 and 10 include a full backup program that creates a system image? Oh wait, no they don't. That was one of my requests for Windows 10 that was ignored. I want to know why Microsoft thought removing a proper backup program and disabling F8 by default was a good idea. I want to find the persons who made that decision and I want to smack some sense into them.

    1. picturethis
      Childcatcher

      Re: Proper backups

      It's now obvious to me why Backup functionality was removed starting with Windows 8. If backups were present and the implied restore worked, then this would effectively allow the windows' users data-slaves to roll-back changes. Microsoft wants to prevent this at all costs, so backup was eliminated, with Microsoft knowing that 99% of their users are too lazy to get a 3rd party package. Anytime you can reduce support costs (by eliminating a software package) and reduce the likelihood of users doing something undesirable is a win-win, so to speak.

      Besides, everyone's data should be on azure anyways - right? (sic).

      I wonder what it's going to be like once MS has their Walled Garden (UWP + Store) fully locked down. You know it's coming, slowly.. The heat is being applied very, very slowly.. and within about 5 years, or so, the goose will be cooked.

    2. Jonathan Smythe

      Re: Proper backups

      Presumably as you don't mention Windows 7 as missing it, you are aware of the backup system that allows system images to be created on schedule etc.

      You appear to have missed that your request has not been ignored - the backup system from Windows 7 (which existed in Windows 8, but was removed in 8.1 - though you could still manually create a system image) was in fact returned to Windows 10, funnily enough titled "Back Up And Restore (Windows 7)" as it was in Windows 8.

  14. RedCardinal

    The dead giveaway surely is the WARNING with lots of exclamation marks :)

  15. SteveK

    Time to add more metrics

    Time to start monitoring how long an incremental backup takes to run; if it's an order of magnitude above 'normal', clearly a lot more files have been modified.

    Similarly, I think I might see if I can also monitor deduplication ratios; if they change, a lot of what were identical blocks of data are now strangely not so identical.
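The two metrics SteveK proposes above (incremental run time an order of magnitude above normal, and a collapsing dedup ratio) turned into a check against a rolling median, as an added example that is not code from the thread or from any backup product. The BackupRun records, thresholds and the sample history are constructed assumptions.

```python
import statistics
from dataclasses import dataclass

@dataclass
class BackupRun:
    """One incremental backup run (the records below are constructed samples)."""
    date: str
    duration_s: int       # wall-clock seconds the incremental run took
    files_changed: int    # files the backup had to transfer this run
    dedup_ratio: float    # logical bytes / stored bytes after deduplication

def _median(history, attr, window):
    """Median of one metric over the last `window` runs (robust to a single outlier)."""
    return statistics.median(getattr(r, attr) for r in history[-window:])

def flag_run(history, run, window=7, spike=10.0, dedup_drop=0.5):
    """Compare one run with the median of the previous `window` runs.

    Returns {metric: (baseline, observed)} for every metric that tripped:
    duration or files_changed at least `spike` times the baseline, or the
    dedup ratio falling to `dedup_drop` of baseline or less (freshly
    encrypted blocks no longer match anything already stored)."""
    if len(history) < 3:
        return {}                       # too little history to call anything abnormal
    flagged = {}
    base_dur = _median(history, "duration_s", window)
    base_files = _median(history, "files_changed", window)
    base_dedup = _median(history, "dedup_ratio", window)
    if run.duration_s >= spike * base_dur:
        flagged["duration_s"] = (base_dur, run.duration_s)
    if run.files_changed >= spike * base_files:
        flagged["files_changed"] = (base_files, run.files_changed)
    if run.dedup_ratio <= dedup_drop * base_dedup:
        flagged["dedup_ratio"] = (base_dedup, run.dedup_ratio)
    return flagged

# Constructed history: a week of quiet nightly incrementals.
NORMAL_HISTORY = [
    BackupRun("2016-03-21", 240, 310, 4.1),
    BackupRun("2016-03-22", 255, 290, 4.3),
    BackupRun("2016-03-23", 230, 330, 4.2),
    BackupRun("2016-03-24", 260, 305, 4.0),
    BackupRun("2016-03-25", 250, 295, 4.2),
    BackupRun("2016-03-26", 245, 320, 4.1),
    BackupRun("2016-03-27", 235, 300, 4.2),
]
QUIET_RUN = BackupRun("2016-03-28", 250, 315, 4.1)
# Constructed run after mass file modification: 45 minutes instead of 4,
# tens of thousands of changed files, and dedup barely working any more.
SUSPECT_RUN = BackupRun("2016-03-29", 2700, 48000, 1.1)

if __name__ == "__main__":
    print("quiet night:", flag_run(NORMAL_HISTORY, QUIET_RUN))
    print("suspect night:", flag_run(NORMAL_HISTORY, SUSPECT_RUN))
```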

  16. Anonymous Coward

    I predict a new and even more demonic scam

    "Pay us $$$ or we'll install Win10 on your PC!!"

    1. FuzzyWuzzys
      Coat

      Re: I predict a new and even more demonic scam

      As opposed to Microsoft's, "You paid us $$$ so we'll install Win10 on your PC!!"

  17. Anonymous Coward

    Legitimate uses for Bitcoin?

    Seems to me it's ransomware victims buying in and other criminal uses that are preventing the Bitcoin pyramid from collapsing, as victims buying in enables criminals to cash out. Does anyone know of any regular markets where goods and services are exchanged in the open using Bitcoin where there are not crooks involved or tax evasion? Or have all or nearly all attempts at creating legitimate uses dried up? I'd like to know, because if there are no genuine uses for Bitcoin, then it seems to me that the conventional currency for Bitcoin exchanges are in effect little more than money launderers.

    1. e^iπ+1=0

      Re: Legitimate uses for Bitcoin?

      "Or have all or nearly all attempts at creating legitimate uses dried up ?"

      Uhh - Microsoft accept btc ...

      1. PyLETS

        Re: Legitimate uses for Bitcoin?

        "Uhh - Microsoft accept btc ... "

        It seems they price in and accept $US, and will allow an account to be settled through a Bitcoin payment processor which they immediately convert to the required $US amount. That's not the same thing, as the BC price will change minute to minute while the $US price is more fixed. You could more easily pay a restaurant bill in Spain with a £ debit card using the Visa or Mastercard network - but that doesn't mean the restaurant accepts or trades in £Sterling. http://time.com/money/3658361/dell-microsoft-expedia-bitcoin/

    2. Cynic_999 Silver badge

      Re: Legitimate uses for Bitcoin?

      ISTM that you could make a far better case that cash is unnecessary than Bitcoin.

      I really hope that more and more regular transactions will start being made with Bitcoin so that control is taken away from banks and other financial institutions, and exchange of money ceases to incur any overheads. As it is, a percentage of what you pay for goods and services goes to the banks or card organisations (even if you pay by cash). When you add together all the payments made to the financial parasites in the chain between manufacturer and consumer, it adds up to a sizeable chunk of the price you are paying.

      1. Charles 9 Silver badge

        Re: Legitimate uses for Bitcoin ?

        Bitcoin's no panacea. Bit by bit, various criticisms are emerging: from the ungainly size of the blockchain to elements of corruption to allegations of blockchain manipulation. The whole thing's getting closer to house of cards status where one big snafu (the Mt. Gox scandal came close and still put a serious dent in Bitcoin for a while) will break the trust of the system (and any financial or monetary system needs this to survive).

  18. Mr.Bill

    phones?

    "Ransomware variants will encrypt desktops and phones"

    what are the phones that have had issues with this ransomware?

    1. ecofeco Silver badge

      Re: phones?

      Android.

  19. David Austin

    So Riddle me this...

    How come the ransomware guys have got the hang of encryption, yet major High Street chains/ISPs/mobile operators/local governments/Adobe can't?

    Just goes to show what a great motivator profit is, I guess...

    1. Anonymous Coward

      Re: So Riddle me this...

      Or it could just show where the focus is for the different firms. Businesses need to be able to regularly decrypt their encrypted stuff in order to function. What happens is that malware targets endpoints where data may necessarily have to be decrypted to function, like stuff before encryption or after decryption. The crooks are less caring about being able to decrypt their "clients'" stuff at the end, so they focus on the encryption end.

  20. channel extended
    IT Angle

    UEFI

    I thought UEFI was supposed to stop other boot loaders? Are these legacy machines?

    Or do they have a signed MS key?

    1. zero2dash

      Re: UEFI

      Yes this is ransomware that overwrites the MBR and then the rogue CHKDSK app overwrites the MFT.

      UEFI has nothing to do with it; you're thinking of GPT (probably because they somewhat go hand in hand because Windows requires a UEFI enabled motherboard to boot a GPT formatted disk).

      GPT is more secure, yes, but it's not bulletproof. Basically all GPT does (from this standpoint) is store several copies of itself across the disk, so if one of the GPTs gets corrupted, it has backups to recover from. Obviously though the issue there is if the ransomware gets smart enough and corrupts ALL the GPT records (which will surely be the next phase that ransomware progresses).

      Windows 8 and 10 having 'secure boot' capability helps as well but it doesn't really matter if the GPT (or MBR) is hosed because the OS is not going to boot either way.
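The redundancy zero2dash describes, worked through: a check that validates a GPT header's signature and CRC32 and, when the primary copy at LBA 1 is hosed, falls back to the backup header GPT keeps at the end of the disk. This is an added example, not code from the thread or from any firmware or recovery tool; the 92-byte header layout is the one from the UEFI specification, while the disk geometry, GUID and sample headers are constructed.

```python
import struct
import zlib

# GPT header layout (UEFI spec, 92 bytes): signature, revision, header size,
# header CRC32, reserved, current LBA, backup LBA, first/last usable LBA,
# disk GUID, partition-entry array LBA, entry count, entry size, array CRC32.
_HDR = struct.Struct("<8sIIIIQQQQ16sQIII")
_SIG = b"EFI PART"
_KEYS = ("signature", "revision", "size", "crc", "reserved", "current_lba",
         "backup_lba", "first_usable", "last_usable", "disk_guid",
         "entries_lba", "n_entries", "entry_size", "entries_crc")

def _crc(raw):
    return zlib.crc32(raw) & 0xFFFFFFFF

def build_gpt_header(current_lba, backup_lba, entries_lba, last_usable_lba,
                     disk_guid=b"constructed-guid"):
    """Constructed sample header (not read from a real disk). The CRC is
    computed the way firmware does it: over the header with the CRC field
    zeroed. The partition-array CRC is left 0 because no array is built."""
    fields = [_SIG, 0x00010000, _HDR.size, 0, 0, current_lba, backup_lba,
              34, last_usable_lba, disk_guid, entries_lba, 128, 128, 0]
    fields[3] = _crc(_HDR.pack(*fields))
    return _HDR.pack(*fields)

def parse_gpt_header(raw):
    """Validate one header copy; return its fields or raise ValueError."""
    if len(raw) < _HDR.size:
        raise ValueError("short read")
    f = list(_HDR.unpack_from(raw))
    if f[0] != _SIG:
        raise ValueError("bad signature (header overwritten?)")
    if f[2] != _HDR.size:                 # assumption: standard 92-byte header
        raise ValueError("unsupported header size %d" % f[2])
    stored_crc, f[3] = f[3], 0
    if _crc(_HDR.pack(*f)) != stored_crc:
        raise ValueError("header CRC mismatch (header corrupted)")
    f[3] = stored_crc
    return dict(zip(_KEYS, f))

def check_gpt(primary_raw, backup_raw):
    """Prefer the primary header at LBA 1; fall back to the backup copy at the
    last LBA. Returns (which, fields) or raises if both copies are unusable."""
    errors = []
    for which, raw in (("primary", primary_raw), ("backup", backup_raw)):
        try:
            return which, parse_gpt_header(raw)
        except ValueError as e:
            errors.append("%s: %s" % (which, e))
    raise ValueError("both GPT headers unusable: " + "; ".join(errors))

# Constructed 2048-sector disk: primary header at LBA 1, backup at LBA 2047,
# backup partition array occupying LBA 2015..2046.
PRIMARY = build_gpt_header(1, 2047, 2, 2014)
BACKUP = build_gpt_header(2047, 1, 2015, 2014)
HOSED = bytes(92)            # what an overwritten first track looks like

if __name__ == "__main__":
    print(check_gpt(PRIMARY, BACKUP)[0])   # primary
    print(check_gpt(HOSED, BACKUP)[0])     # backup
```

The same CRC check run against both copies on a schedule, with the good copy's hash kept off-box, is the cheap version of the "protected copy of the GPT" idea raised further down the thread.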

  21. Conundrum1885 Bronze badge

    It suggests that

    Having a protected copy of the MBR and GPT on an external device which, the second it detects large changes, requires solving a CAPTCHA before it will commit those changes to the backups would be useful.

    Also a "Kill Switch" that, if the AV triggers detect signs of ransomware or someone presses the "Big Red SCRAM Button", physically isolates the affected machine using optomagnetic switches if something bad happens and hard powers it down, while notifying admins that it has been trashed and to restore from backups.

    Having this built into the machine would help. I've always wondered why PC manufacturers don't simply keep compressed backup copies of the drivers and a failsafe OS on the motherboard in protected memory that can be used in the event of a severe system failure.

    Acorn used to do this and IIRC the viruses on these were nowhere near as severe as their PC equivalents; thanks to Winbond's new 2Gbit 8 pin SPI chips it's more than feasible to include this as a feature with an "only update from pressed disk" failsafe in the event updates are needed.

    see http://www.google.com/patents/US20150248921

  22. Duffaboy
    Facepalm

    Trouble with backups is

    1. Users don't do them

    2. The tiny percentage of users who do them expect us to restore it for them.

    3. Users think that they have backed up and haven't

    I always fail to understand that your average user gets a nice shiny new PC and has no idea how to use it correctly; it's like buying a car straight from the showroom without ever getting behind the wheel.

  23. Brent Beach

    If the Intelligence services in the UK and the US really want the public to support what they do, they should bust these ransomware rings.

    They have all the metadata - they should be able to link back from ransomware demands to the sources.

    1. Anonymous Coward

      The problem is that, nine times out of ten, these ransomware rings trace back to countries hostile to the west, meaning there's nothing they can do to stop them since they'll have the covert but tacit blessing of the hostile state.

  24. This post has been deleted by its author


Biting the hand that feeds IT © 1998–2019