Petya Ransomware Uses DOS-Level Lock Screen, Prevents OS Boot Up (softpedia.com)
An anonymous reader writes: A new type of ransomware was discovered that crashes your PC into a BSOD, restarts your computer, and then prevents your OS from starting by altering the hard drive's master boot record (MBR). This keeps the user locked in a DOS screen that doubles as the ransomware's ransom note. The ransomware's name is Petya, and it has currently been seen only targeting HR departments in Germany.
This file is an EXE file. What Year is This??? (Score:2)
I thought Windows[7,8,10,9999] was supposed to fix this? Was the user "warned" about opening a file for the 10th time that day?
What happens when I open it with WINE?
Dead serious answer (Score:5, Informative)
What happens when I open it with WINE?
The virus needs to modify the boot sequence so the next reboot starts its "fake" CHKDSK (to encrypt the disk and display a lock screen).
Under most Unixes, root-level privileges are necessary to write to a raw block device (as required to change the MBR), and as Wine is usually run under an end user's account, it simply lacks the necessary rights to perform this action.
Re:Dead serious answer (Score:5, Funny)
Sigh. Yet another thing WINE won't run.
Re:Dead serious answer (Score:4, Funny)
How can it? Petya is a diminutive of the Russian name Petr or Peter for the English speakers. Petya is a little boy, running him on wine is illegal even in Russia ;)
Re: (Score:2)
I'm pretty sure you would need to at least pass the UAC panel on Windows as well. I can't believe Windows would allow access to the MBR without permissions. So how does this really work?
Re:Dead serious answer (Score:4, Insightful)
Found another article,
http://sensorstechforum.com/re... [sensorstechforum.com]
After the payload file has been downloaded from a link, it will ask for elevation of privilege from the user. That file has a shield icon, so users expect the Windows User Account Control to be triggered. Unsurprisingly, they open it and give it permission, as they don’t suspect that this is a Trojan horse containing the payload for the Petya ransomware.
This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! Cryptolocker I could understand because it just used the current user's credentials, but there is no excuse for getting infected by this.
Re: (Score:2)
> This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! C
Because they're HR. The field has high turnover and is noted for poor security practices "in order to get their job done".
Re: Dead serious answer (Score:2)
I'm surprised a standard user would have the required security permissions to alter the MBR.
Re: (Score:2)
I'm surprised a standard user would have the required security permissions to alter the MBR.
That's Windows security for you. Decades of established security practices where everyday users run unprivileged and only become root for administrative tasks, plus very user friendly implementations by Apple for OS X that nobody has complained about AFAIK, but nope, Microsoft has to come up with UAC instead. It is an improvement over XP, but it is still far too easy to inadvertently hose your system. The first thing I do when I install Windows is create an unprivileged user and set a password for the admin
Re: (Score:2)
but why the f$#%k would you click ok to a UAC warning to read a CV?
Because we're conditioned to know if you click no then the thing we want to do doesn't work. It's gotten to the point where I've seen software installed that actively elevates user privileges so they aren't burdened by the UAC prompt. We're just used to knowing something won't work if we click No, not necessarily that this has nothing to do with the ability to read a CV.
Re: (Score:2)
This is actually true for Windows as well - need local admin to write to the mbr.
Also, if the machine is using UEFI/"Secure Boot", it wouldn't be affected either.
Privilege ; UEFI (Score:2)
This is actually true for Windows as well - need local admin to write to the mbr.
The difference is that wine will simply refuse and fail.
Whereas, on Windows, this will open a UAC prompt, which users have gotten into the habit (...have been Pavlovian-trained...) of clicking okay on to get anything done, due to countless badly designed pieces of software.
Also, if the machine is using UEFI/"Secure Boot", it wouldn't be affected either.
That's a bit more complicated.
If the disk is partitioned in Legacy mode, this will fry the partition table.
The UEFI firmware won't be able to locate the special FAT32 boot partition ("EFI system partition") with the bootloader .EFI executable used by
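To make the MBR side of this discussion concrete from the defender's side, here is an added example (it is not from the thread or from any of the linked write-ups) that parses a 512-byte boot sector, checks the 0x55AA boot signature, tells a legacy partition table apart from the protective entry a GPT/UEFI disk keeps in its MBR, and compares SHA-256 fingerprints of the boot code and of the partition table against a recorded known-good baseline, so a rewritten loader and a wiped partition table are reported separately. All three sample sectors are constructed; reading the real first sector from a raw device needs the same root/admin rights the thread is arguing about.

```python
"""Detect tampering of a 512-byte MBR sector: signature, layout, baseline hash.
Added illustration; the sample sectors below are constructed, not real disk images."""
import hashlib
import struct

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 0x1BE        # four 16-byte partition entries start here
BOOT_SIGNATURE = b"\x55\xAA"     # last two bytes of a valid MBR
GPT_PROTECTIVE_TYPE = 0xEE       # protective entry a GPT disk keeps in its MBR


def parse_partition_table(sector):
    """Return the four MBR partition entries as dicts (CHS fields skipped)."""
    entries = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, ptype, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        entries.append({"bootable": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return entries


def fingerprint(sector):
    """Separate SHA-256 of the boot code and of the partition table, so a
    replaced loader and a wiped table can be reported independently."""
    code = hashlib.sha256(sector[:PART_TABLE_OFFSET]).hexdigest()
    table = hashlib.sha256(sector[PART_TABLE_OFFSET:SECTOR_SIZE - 2]).hexdigest()
    return {"boot_code": code, "partition_table": table}


def analyze_mbr(sector, baseline=None):
    """Return layout, parsed entries and a list of findings; baseline is a
    fingerprint() dict recorded from the known-good sector after installation."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    findings = []
    if sector[SECTOR_SIZE - 2:] != BOOT_SIGNATURE:
        findings.append("boot signature 0x55AA missing")
    parts = parse_partition_table(sector)
    layout = "gpt" if parts[0]["type"] == GPT_PROTECTIVE_TYPE else "legacy"
    if layout == "legacy" and not any(p["type"] for p in parts):
        findings.append("partition table empty: all four entries zeroed")
    if baseline is not None:
        now = fingerprint(sector)
        for part in ("boot_code", "partition_table"):
            if now[part] != baseline[part]:
                findings.append(f"{part} differs from baseline")
    return {"layout": layout, "partitions": parts, "findings": findings}


def build_sector(boot_code, entries):
    """Constructed helper: assemble a sector from boot code bytes and entry
    tuples of (status, type, lba_start, sectors)."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(boot_code)] = boot_code
    for i, (status, ptype, lba, count) in enumerate(entries):
        struct.pack_into("<B3xB3xII", sector, PART_TABLE_OFFSET + 16 * i,
                         status, ptype, lba, count)
    sector[SECTOR_SIZE - 2:] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed samples: a stock legacy layout, the same disk after its boot
# code and partition table were overwritten, and a GPT disk's protective MBR.
GOOD_MBR = build_sector(b"\xEB\x3C\x90" + b"\x90" * 100, [(0x80, 0x07, 2048, 1_000_000)])
TAMPERED_MBR = build_sector(b"\xFA\x31\xC0" + b"\xCC" * 200, [])
GPT_MBR = build_sector(b"\x00" * 16, [(0x00, 0xEE, 1, 0xFFFFFFFF)])
BASELINE = fingerprint(GOOD_MBR)

if __name__ == "__main__":
    for name, mbr in (("good", GOOD_MBR), ("tampered", TAMPERED_MBR), ("gpt", GPT_MBR)):
        print(name, analyze_mbr(mbr, BASELINE)["findings"])
```

On a GPT disk the interesting data lives in the GPT headers rather than the MBR, so for that layout the table comparison only tells you the protective entry itself is intact.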
Re: (Score:2)
98 used COMMAND.COM, ME used VMM32.VXD (hence real-mode DOS applications couldn't run without some serious tweaking).
Also encrypts files (Score:3)
According to the update in TFA, so just repairing the MBR will not solve the problem.
Infection Vector (Score:1)
"HR employees are sent an email with a link to a file stored on Dropbox, where an applicant's CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death."
How does this scenario even occur? Why didn't HR just tell them to attach an appropriate file instead of going out of their way to download the "CV" and unpacking it? This is insanity.
Re:Infection Vector (Score:5, Insightful)
They probably did, and the "applicant" disregarded that. Personally, I think that if you have to trim the pile of resumes/CVs, removing the ones that broke the submission rules and the ones that have serious spelling and/or grammatical mistakes is a good start.
Re: (Score:2, Interesting)
I taught college maths for three semesters after retiring. The lack of longevity should be an indication of how much I enjoyed it. I only taught two different classes and then just one class for the final semester. I sort of enjoyed it but it was a "teacher's college" where they graduate future teachers. (It was UMF.) I'd had some decent instructors and borrowed/modified this entrance exam. It tells you a lot about the student's abilities.
At any rate, I did the tried and true exam at the start of two of tho
Re: (Score:2)
I had a similar test for potentials when I ran my law firm. Five pages of questions (about 70 of them, some multiple choice, some short answer), the first instruction being: "Read the entire paper before you begin answering any of the questions", the penultimate being "Do not answer any question on this test but carry out the next instruction", the very last one being and I quote: "Sign your name in the box below, break your pencil in half and step away from the desk."
Only one person ever passed, out of pro
Re: (Score:2)
I am just getting to read the responses. There are a few to mine (and then to yours) that indicate they would not have passed the exam. I'd already stressed the importance of following instructions - including the importance of bringing a pen with blue or black ink.
Re: (Score:2)
yeah, I kinda noticed that too.
Oh, found the archived videos, they're on a stack in a server I'm actually rebuilding. Should be up again in the next week.
Re: (Score:2)
Sweet. Lemme know when they're available for me to view 'em. Funny enough, I almost posted a reminder in the response I'd written but I figured it hadn't been long enough to need a reminder. (I imagine anyone reading this is now officially lost or confused.)
At any rate, I'm quite curious to see them. Maybe they'll give me some inspiration to write about 'em. I'm officially working on a site, technically a network of sites, to prove a point and win a bet - but also because it's an interesting thing to do. Th
Re: (Score:2)
OK. Mobile version is here [google.com] (and I apologise in advance for the sound quality, you probably need some noise-cancelling headphones to hear it properly), I'll get the SD (which has better sound quality) up on a torrent because I don't have the space on my GDrive for a 14GB upload.
Re: (Score:2)
addendum: soon's the torrent's done I'll drop it into the SD folder on the previous link.
(and my wife says netbooks with flat batteries are useless... they're great for chucking up torrent boxes)
Re: (Score:2)
I got to thinking... It will fit here:
https://mega.nz/ [mega.nz]
Re: (Score:2)
actually my "dumb test" weeded out the fools who just waded right on in and FUCKED UP as surely as they would have FUCKED UP CASE AFTER CASE.
Shithead.
Re: (Score:1)
Doing that in the UK would break the law. You're clearly discriminating against people with specific learning disabilities - including ones that wouldn't preclude them from being a lawyer.
But go right ahead, be clever and feel good about your own superiority.
Re: (Score:2)
I've never come across a lawyer with specific learning disabilities. The nature of the work actually precludes the possibility of such a person even getting a toe in the door.
Re: (Score:2)
No you fuckwit. Just avoid discriminating against them.
Re: (Score:2)
Two things. That sounds good and is a nice pithy thought but we both know better. The second is that... Ah, screw it. You'll only want to argue anyhow. Yet, I suspect if you look at where I am and where you are - and then at who followed the rules, you would still just want to argue. Have a nice day.
Re: (Score:1)
I've basically followed a few rules in life and I've done great:
1. Do what you love and do it really well
2. Focus on your life goal
3. Treat others kindly
Every other rule is either a more specific (and therefore less useful) version of the above, or a moronic rule made by some asshat authoritarian to keep you down.
Yet, I suspect if you look at where I am and where you are - and then at who followed the rules, you would still just want to argue.
So is this a dick-measuring contest now?
Re: (Score:2)
It became a dick measuring contest, and nothing more, when you stated that it wouldn't get you very far in life.
Re: (Score:2)
Blindly not following rules is worse than blindly following rules. Know what the rules are, and why you're breaking them. My standard rule: never break a rule you don't understand. (Self-reference not only intentional, but vital to understanding the rule.)
Re: (Score:1)
Breaking human rules is one thing, it will only get you in trouble.
Breaking Mother Nature's rules is different. Most of her punishments are death, and Mother Nature has no pity.
Be sure you know the difference!
Re: (Score:2)
A few points:
1. We give students competing goals: do something in a limited time, but waste time reading an entire paper in full despite the bulk of the assessment being assigned to answering questions.
2. You set something that was highly out of the ordinary for an exam. Even more out of the ordinary for a maths exam.
3. You set something that has nothing to do with the course.
4. You were attempting to teach people to blindly follow rules rather than attempt to get through what is typically tough questions usin
Re: (Score:1)
And the next job was in a manufacturing plant, where there was a set of steel steps with a light at the top. The sign said "Do Not go down the steps until the light goes out". The one who did not learn from the class, made a terrible mess. But they never actually found the body.
The rest lived! 8-)
Re: (Score:2)
Far too many people understand the value of following directions. There's a time and a place to not do so. That's a rarity. Usually, you're far better off by following the directions.
Re: (Score:2)
no, it's called teaching your students to arm themselves with the maximum amount of information BEFORE they act. It's not as if the information they require isn't RIGHT THERE IN FRONT OF THEM.
Re: (Score:2)
Oh you silly child. No, the students who remained loved my class. I hated it because I could not devote enough time to actually teach them all. I wanted to teach them mathematics, not rote mathematics. I hated it. There is not enough time in my day, or in their day, to do so.
On the other hand, yes I am an asshole. I fully admit, accept, and intend it.
Re: (Score:2)
because if you don't bother to read through a simple test paper before chickenscratching your way to a frycook job, how the fuck do you expect to be entrusted with a complex set of instructions which could potentially injure or kill you or someone else if you get it wrong?
Re: (Score:2)
Doesn't stop him from looking.
Re: (Score:2)
Do they think us old folks don't notice the cuties? Hell, sometimes we get to sleep with 'em.
I've a girlfriend at the moment but there's a certain special quality about a marginally insane crazy college chick with daddy issues. I did not sleep with any of my students. I have not slept with any of my former students - but I have gotten wasted with a couple of them back when I used to drink. They were no longer my students and were over the age of 21 as far as I know.
Re: (Score:2)
That would have been the proper choice for you. You're too special to follow directions.
Re: (Score:2)
Pretty much. It's not like these kids were going to go on to be mathematicians. They were going to be (many of them) physical education teachers. (I kid you not.)
The grade didn't impact a whole lot but it did go into the books. Follow directions. 'Snot hard. Just follow 'em. If you don't understand the directions - stop and ask. The importance of following instructions and asking if they did not understand any of them was stressed on day one. Day two, we found out if you paid the least bit of attention on d
Re: (Score:3)
But following a link and downloading&executing arbitrary crap from somewhere on the internet is better?
Just how stupid are people really?
Re: (Score:2)
It doesn't help that Windows actively hides the fact that it is an executable. I got one the other day, named something like foo.pdf.exe and a PE binary; Windows would just show foo.pdf and happily run it.
I boot from non-writable media (Score:1)
Unless you are going to tamper with the firmware or its settings, "good luck" changing my boot sequence.
Oh, by the way, a comment at this Trend Micro write-up [trendmicro.com] suggests that the initial program that infects the system won't work unless the user has administrative privileges.
Okay, I lied (Score:2)
I don't *always* boot from non-writable media.
Re:Okay, I lied (Score:4, Funny)
Re: (Score:2)
In what company do computer illiterates like HR have admin privs on their computers?
Re: (Score:2)
There's an easy fix for that. Sit down with your CISO and have him demand that any and all virus incidents that could have been avoided by not having admin privs on accounts that have no reason to have them be tacked to the cost center said dufus wannabe programmer is in.
That problem will soon clean up itself.
Re: (Score:2)
The real issue is for developers to wake up to bad practices instead of just thinking they are being bullied by the head of a different department.
All that is aside from the point - such bad practices were very common not long ago and still exist in many places.
Re: (Score:2)
Then you weren't the CISO.
Re: (Score:2)
It's a side issue of the example so I really don't get why you are arguing and why you are going so far as to call me a liar. You also seem to be acting as if you have been asked to solve a problem when with that example it was solved years ago, but it won't be t
Re: (Score:2)
What I mean is that the title is pointless if you don't get the power to go with it. If you are responsible for the security in your company but have no power to make the relevant decisions, they have no CISO; all they have is a scapegoat.
Re: (Score:2)
Why do they say "OS"? Windows-Only! (Score:2, Offtopic)
This won't impact a Mac, nor will it impact Linux (it's an .exe file). The TFA referred to Windows, so should the summary.
Just like usual - most rampant exploits and malware are Windows-only.
Re: Why do they say "OS"? Windows-Only! (Score:5, Funny)
Re: (Score:1)
Only HR departments? (Score:3, Insightful)
If we all volunteer to kick in a little to the ransom gang, is it possible we could spread it to all HR people worldwide? A world full of hamstrung HR people would allow us to all get direct-hire jobs.
Re: (Score:1)
And cancel all the "sensitivity training" seminars? Puh-leez????
If I hear one more "Binary is for *computers*, not people!" presentation of Social Justice Warrior drivel masquerading as workplace ethics.... it's not going to be pleasant.
Re:Only HR departments? (Score:5, Funny)
"Ransom gang" has such a negative connotation.
How about calling them "workplace productivity enhancement team" or "employee happiness consultancy"?
Re: (Score:2)
Stop thinking small. Let's put it to where it can do some real good. Send it to the lawyers!
Corporate machines should have exe whitelisting (Score:1)
There is no reason anybody should be able to run unknown exes on a work computer without notifying IT first.
It's the only way to combat this kind of lack of basic IT knowledge that afflicts most office workers.
I work with people who have used PCs for over a decade who still lack basic IT knowledge and would still fall for this trick in a heartbeat. You cannot drill it into your staff to not open stuff like this, you have to actively prevent it happening.
Re: (Score:2)
At one point that was a reasonable position. Unfortunately operating systems now execute lots of things they shouldn't automatically. I've heard of jpg viruses.
Your PC is now Stoned! (Score:1)
So... (Score:2)
So just boot from a CD or USB drive and then fix the MBR.
Re: (Score:1)
DOS? (Score:2)
I thought QDOS, and thus the BSOD, went away with Windows Vista. At least, that's what the ads told me.
Are you implying that Microsoft might have lied to me? :cry emoji:
Re: (Score:2)
Microsoft Windows strikes again! (Score:1)
UEFI + Secure Boot (Score:2)
Or boot using UEFI, which probably breaks this. Toss in Secure Boot, and even if they wrote a UEFI bootloader they wouldn't be able to intercept the boot process.
Cue idiots who make inaccurate comments about UEFI and betray their technical ignorance.
Ummm, a "DOS screen"? "DOS level"? (Score:3)
I honestly entered this story hoping to read lots of merciless ridicule of these phrases.
Where is it? Or have all the geeks finally left Slashdot?
/. is dead (Score:1)
I was hoping for exactly the same, there's a brief mention of it followed by someone (user 4,496,745, yikes) seriously asking
That, a day or so after some prick from the gadget show made it to the front page pontificating on things we all know he has absolutely no grasp of, this just isn't my slashdot any more and it's sad.
Re: (Score:2)
Petya (Score:1)
Re:Oh it's another one of those (Score:5, Informative)
Sounds more like a problem where the author of the article doesn't know the difference between DOS and "not GUI".
This changes the Master Boot Record and encrypts files while it displays the skull logo and warning message. From what I can tell, you can simply unplug your computer to stop the process of encrypting your files... the earlier you stop, the fewer files are affected.
Re: (Score:1)
Re: (Score:2)
No, it's mostly VMS. Take a look at the extensive lawsuits when David Cutler was hired from DEC, and took a lot of his old VMS developer team with him to create the kernel for Windows NT.
Re: (Score:3)
That's as much a misconception as "text mode = DOS".
This is neither. This is malware that installs code to the MBR that loads before any OS. In fact, it's sort of its own OS, running on bare metal.
The Flash could do it in time, but he's fiction (Score:2)
I looked at the timestamps of the files of a cryptolocker attack victim once - it's worth remembering that computers are very fast these days and it did quite a few GB per minute.
Re: (Score:2)
Did you not RTFA? It only claims to encrypt the data, but does not actually do it.
Re: Oh it's another one of those (Score:2)
Yes I did. But the article took a quote from its source and summarized it a bit differently. Here is the original quote from the source:
As of this writing we assume that only the file access is blocked but the files themselves are not encrypted. Experts at the G DATA SecurityLabs are still analyzing this new type of ransomware.
That is a bit less confident than TFA states.
Re: (Score:2)
Some jokes never get old.
Other ones...
Re:Oh it's another one of those (Score:5, Funny)
Some jokes never get old.
Other ones... get integrated into the next version of systemd.
Re: (Score:1)
It stands for "Denial Of Service". It's a nasty bit of software designed to prevent you from making full use of your computer.
Re: What is a DOS screen? (Score:1)
Re: (Score:2)
Actually it was 320 by 200, and "DOS Screens" were actually in text-mode that was measured in characters and not pixels.
Re: (Score:2)
720x400 is 80x25 textmode with the 9x16 system typeface. Doom was 320x200 CGA graphics mode (specifically IBM mode 13h, 256 colours). Both use the same amount of video memory (IIRC 16kB).
Re: What is a DOS screen? (Score:2, Informative)
Actually, DOOM was 320x240. 320x200 was Duke Nukem 3D. The reason to use 320x240 is because the pixels were square. However, the screen was split into banks of four because 320x240 pixels is too large to fit in a 64 KiB segment (i.e. pixels 0,4,8,… are in bank 0, pixels 1,5,9,… are in bank 1, etc.) which makes accessing the framebuffer more complicated and slower. 320x200 has slightly rectangular pixels, but the framebuffer is linear and fits in 64KiB, which is the largest segment size
Re: (Score:2)
Would [wikia.com] you [zdoom.org] like [chocolate-doom.org] to revise your information? DOOM engine renders at 320x200 (16:10 aspect ratio). You'll also find that the memory space for 320x240 is the SAME (it's a VGA mode which uses a more efficient algorithm) as the CGA 320x200 mode (which in 1993 was STILL the most common graphics mode available to MOST PC users hence the denominator for developers). Also, the only reason to split the screen was during multiplayer mode on console (eg Saturn, N64). It makes absolutely no sense to bank the screen quadr
Re: (Score:2)
320x240x8bit is 76800 bytes, more than 64KB. It required bank switching, but it was easier than the GP wrote. VRAM was still linear, but you needed a VESA BIOS call to change the 64KB VRAM bank accessible in the 64KB video memory segment. Of 320x240, 204.8 lines fit in the first bank, the remaining ones in the second bank. As a display line split in two banks is very unhandy, you could increase the virtual resolution to 512x240 and had 128 full lines in bank 0 and the other 112 lines in bank 1.
Re: (Score:2)
(Score:4, Insightful)
No, please.
The reason to use 320x240 is because the pixels were square.
I would agree with you, except DOOM actually did use 320x200, and indeed the pixels were rectangular. It's a common problem that forks (known in DOOM circles as "source ports") face when they try to change up the rendering engine. Many of the graphics in the game were even designed with the knowledge that the screen would be stretched due to the non-square pixels, meaning that unstretching would degrade them.
320x200 has slightly rectangular pixels, but the framebuffer is linear and fits in 64KiB, which is the largest segment size that can be accessed in real mode DOS.
Yeah, except doom uses DPMI, so this doesn't even matter.
Re: (Score:2)
I've seen some pretty intelligent people fall prey to email viruses, mostly in the older days when email viruses were effective. More recently, I know a very sharp woman who used the New York Times website without adequate defenses.
Re: (Score:2)
I mean intelligent and thoughtful people who are competent in the real world and do have common sense. I'm not impressed by the sort of "book-smart" people you describe. Been there, done that, learned better.
Re: (Score:1)
If you can get away with it, preserve ~/ and you won't even have to do much in the way of customization. That's not applicable this time, theoretically, but none of it is applicable as this doesn't appear to impact Linux users.
However, avoiding reformatting /home or ~/ are both awesome ways to do a "repair" install in a lot of cases so it is worth mentioning it. As for your use of Lubuntu, I agree with your OS choice. Lubuntu is my favorite distro - even on bleeding edge hardware. If folks think LXDE is fas