
Petya/Mischa/GoldenEye Ransomware - YOUR_FILES_ARE_ENCRYPTED.txt


46 replies to this topic

#1 Grinler (Lawrence Abrams, Admin)

Posted 24 March 2016 - 07:18 PM

The Petya Ransomware is a new infection that infects the Master Boot Record of the victim's computer in order to show a ransom note before Windows starts. In the ransom note will be a special ID and the TOR payment site that you must enter the ID into. You will then be able to learn how much you need to pay and the bitcoin address it needs to be sent to.

Note: Do not repair the MBR unless you do not want your data back. Doing so will just leave you with an encrypted drive and will not fix the problem.

I have put together a YouTube video showing the ransomware in action.


When the infection is first started it will modify the MBR and then reboot the computer. On reboot it will perform a fake Chkdsk, which is actually when it is encrypting your drive.

Then it will show a lock screen with information as to what happened and a password prompt to decrypt your data. To get the password you need to pay the ransom.

[Image: fake-chkdsk.jpg]

[Image: lock-screen-1.jpg]

[Image: lock-screen-2.jpg]

[Image: decrytion-site.jpg]
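As an added example (not code from this thread or from any tool mentioned in it), a small Python check that a defender can run on a saved copy of a disk's first sector: it validates the MBR boot signature, parses the partition table, and compares the 446-byte boot-code region against a baseline digest, so a bootloader that has been overwritten is noticed before the machine is rebooted. The 512-byte sector used here is constructed for the example and is not Petya's MBR.

```python
import hashlib
import struct

BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_ENTRY = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes = b"\x90" * 446) -> bytes:
    """Constructed 512-byte MBR: placeholder boot code, one NTFS-typed entry, signature."""
    code = boot_code[:446].ljust(446, b"\x00")
    entry = struct.pack(PARTITION_ENTRY, 0x80, b"\x01\x00\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 409600)
    table = entry + b"\x00" * 48  # remaining three entries unused
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Validate a raw first sector and return its boot-code digest and partitions."""
    if len(sector) != 512:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        offset = 446 + 16 * index
        status, _, ptype, _, lba, count = struct.unpack(
            PARTITION_ENTRY, sector[offset:offset + 16])
        if ptype != 0:  # type 0 means an empty slot
            partitions.append({"index": index, "bootable": status == 0x80,
                               "type": ptype, "lba": lba, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "partitions": partitions,
    }


def check_integrity(sector: bytes, baseline_sha256: str) -> bool:
    """True when the boot-code region still matches a previously recorded baseline."""
    return parse_mbr(sector)["boot_code_sha256"] == baseline_sha256


if __name__ == "__main__":
    known_good = build_sample_mbr()
    baseline = parse_mbr(known_good)["boot_code_sha256"]
    overwritten = build_sample_mbr(b"\xeb\x10" + b"\x00" * 444)
    print("clean sector matches baseline:", check_integrity(known_good, baseline))
    print("overwritten sector matches baseline:", check_integrity(overwritten, baseline))
```

Record the baseline digest from a healthy machine (for example with a `dd` copy of the first sector) and keep it off the host, since the sector itself is what the infection rewrites.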




#2 JohnC_21

Posted 24 March 2016 - 07:30 PM

Does this Ransomware also affect GPT disks?



#3 xXToffeeXx (Bleepin' Polar Bear, Malware Response Instructor)

Posted 25 March 2016 - 06:28 AM

Does this Ransomware also affect GPT disks?

No, only ones which use MBR.


#4 leostone

Posted 10 April 2016 - 08:19 AM

Petya encryption has been broken!!!
You can retrieve your keys here: https://petya-pay-no-ransom.herokuapp.com/
Read more here: https://twitter.com/leo_and_stone
And here: https://github.com/leo-stone/hack-petya




#6 Grinler (Lawrence Abrams, Admin, Topic Starter)

Posted 10 April 2016 - 09:47 AM

Hi Leo,

Thanks for the info. Very promising. The trick is to come up with a method by which the "average" user can get that data uploaded.



#7 al1963

Posted 10 April 2016 - 10:59 PM

Congratulations to leostone for finding an effective solution. It is working!!!!!!

I had a snapshot of an encrypted virtual machine. I used Fabian Wosar's utility.

I booted from the bootable WinPE disk, plugged in a flash drive and ran PetyaExtractor from the flash drive.

Save both files, and then use the key generator on the site

https://petya-pay-no-ransom.herokuapp.com/

or here

https://petya-pay-no-ransom-mirror1.herokuapp.com/

I received the key within 1 minute.

Your key is: sxTx8xPxgx3xXx7x

After entering the key the drive was decrypted and I got access to the desktop of my virtual machine :)


Edited by al1963, 11 April 2016 - 04:19 AM.


#8 raw (Bleeping Hacker)

Posted 11 April 2016 - 09:56 PM

Nice discussion on Hacker News:

https://news.ycombinator.com/item?id=11474613




#9 DBAPaul

Posted 12 April 2016 - 01:46 PM

Another good write-up on decrypting this ransomware here.



#10 Metallica (Spyware Veteran, Malware Response Team)

Posted 15 April 2016 - 03:48 AM

Recovery by Hasherezade: https://blog.malwarebytes.org/threat-analysis/2016/04/recovery-from-petya-ransomware/

#11 al1963

Posted 20 April 2016 - 04:50 AM

Interesting that the system MBR copied from the Petya-encrypted machine was identified on VirusTotal only by Microsoft :)

 

Microsoft Ransom:DOS/Petya.A 20160420

 

https://www.virustotal.com/ru/file/cdcc95616faee15d2eab02837a6050b0dc3790219edeaa87fee40f805b86522a/analysis/1461145205/



#12 ScotchGER

Posted 12 May 2016 - 05:29 AM

Hi there,

I have a laptop which is infected by "MISCHA RANSOMWARE". It looks like a new unknown ransomware.

You became victim of the MISCHA RANSOMWARE!

The files on your computer have been encrypted with an military grade encryption algorithm. There is no way to
restore your data without a special key. You can purchase this key on the darknet page shown in step 2.

To purchase your key and restore your data, please follow these three easy steps:

  1. Download the Tor Browser at "https://www.torproject.org/". If you need
     help, please google for "access onion page".
  2. Visit one of the following pages with the Tor Browser:

     http://mischapuk6hyrn72.onion/1MZKMy
     http://mischa5xyix2mrhd.onion/1MZKMy

It renamed personal files with ".cRh8".
 
Regards
Scotch

#13 quietman7 (Bleepin' Janitor, Global Moderator)

Posted 12 May 2016 - 05:35 AM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

#14 ScotchGER

Posted 12 May 2016 - 05:43 AM

I have advised our Security Colleagues who specialize in crypto malware ransomware with a link to this topic.

Samples of any encrypted files, ransom notes or suspicious executables (installer, malicious files, attachments) that you suspect were involved in causing the infection can be submitted here (http://www.bleepingcomputer.com/submit-malware.php?channel=168) with a link to this topic. Doing that will be helpful with analyzing and investigating by our crypto experts.

It is done!


Edited by ScotchGER, 12 May 2016 - 05:46 AM.


#15 teamallow

Posted 12 May 2016 - 05:53 AM

Same issue here. I got a phone call from my boss and found out he had installed the Petya and Mischa ransomware. The link to the file he opened was hxxps://www.magentacloud.de/share/84pu7fsxs9 .