Petya Ransomware Uses DOS-Level Lock Screen, Prevents OS Boot Up (softpedia.com)

An anonymous reader writes: A new type of ransomware was discovered that crashes your PC into a BSOD, restarts your computer, and then prevents your OS from starting by altering the hard drive's master boot record (MBR). This keeps the user locked in a DOS screen that doubles as the ransomware's ransom note. The ransomware's name is Petya, and it is currently seen targeting only HR departments in Germany.
  • I thought Windows[7,8,10,9999] was supposed to fix this? Was the user "warned" about opening a file for the 10th time that day?

    What happens when I open it with WINE?

    • Dead serious answer (Score:5, Informative)

      by DrYak ( 748999 ) on Friday March 25, 2016 @05:16PM (#51778929) Homepage

      What happens when I open it with WINE?

      The virus needs to modify the boot sequence so the next reboot starts its "fake" CHKDSK (to encrypt the disk and display a lock screen).

      Under most Unix systems, root-level privileges are necessary to write to a raw block device (as required to change the MBR), and as Wine is usually run under an end user's account, it simply lacks the necessary rights to perform this action.
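The privilege barrier described above is also what a defender can lean on for detection: sector 0 is small and rarely changes, so its boot code and partition table can be baselined and compared. The following is an added example (not code from the thread or from any Petya analysis) that parses a 512-byte MBR, hashes the boot code, and reports what changed; the disk images are constructed in the block, and `read_mbr` is the only call that needs root or administrator rights.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_SIZE = 446          # bytes 0..445: the boot code a bootkit overwrites
PART_TABLE_OFF = 446          # four 16-byte partition entries follow the boot code
MBR_SIGNATURE = b"\x55\xaa"   # bytes 510..511: required by BIOS to treat sector 0 as bootable

def parse_mbr(mbr: bytes) -> dict:
    """Split a 512-byte MBR into a boot-code hash, partition entries and a signature check."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFF + i * 16
        # entry layout: status, CHS start (3 bytes), type, CHS end (3 bytes), LBA start, sector count
        status, ptype, lba_start, lba_count = struct.unpack_from("<B3xB3xII", mbr, off)
        if ptype != 0:  # partition type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba_start, "lba_count": lba_count})
    return {
        "boot_code_sha256": hashlib.sha256(mbr[:BOOT_CODE_SIZE]).hexdigest(),
        "partitions": partitions,
        "signature_ok": mbr[510:512] == MBR_SIGNATURE,
    }

def compare_mbr(baseline: bytes, current: bytes) -> list:
    """Return findings where `current` differs from a previously trusted `baseline`."""
    old, new = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not new["signature_ok"]:
        findings.append("MBR boot signature 0x55AA missing")
    if old["boot_code_sha256"] != new["boot_code_sha256"]:
        findings.append("boot code changed")
    if old["partitions"] != new["partitions"]:
        findings.append("partition table changed")
    return findings

def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw block device such as /dev/sda. Opening the device needs root on
    Unix (administrator on Windows); an unprivileged caller gets PermissionError here."""
    with open(device, "rb") as dev:
        return dev.read(MBR_SIZE)

def _build_mbr(boot_code: bytes, with_signature: bool = True) -> bytes:
    """Constructed sample MBR: one bootable NTFS-type (0x07) partition starting at LBA 2048."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x02\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three slots unused
    tail = MBR_SIGNATURE if with_signature else b"\x00\x00"
    return boot_code.ljust(BOOT_CODE_SIZE, b"\x00") + table + tail

# Constructed samples, not real disk images: a trusted baseline and a copy with replaced boot code
CLEAN_MBR = _build_mbr(b"\xfa\x33\xc0\x8e\xd0")
TAMPERED_MBR = _build_mbr(b"\xeb\xfe" + b"CONSTRUCTED-LOCKER-STUB")
```

In practice the baseline hash would be stored off-host and the comparison scheduled, since a bootkit that has already replaced sector 0 controls what the next boot reads.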

      • by david_thornley ( 598059 ) on Friday March 25, 2016 @05:29PM (#51779015)

        Sigh. Yet another thing WINE won't run.

      • I'm pretty sure you would need to at least pass the UAC panel on Windows as well. I can't believe Windows would allow access to the MBR without permissions. So how does this really work?

      • by Rutulian ( 171771 ) on Friday March 25, 2016 @09:23PM (#51780269)

        Found another article,
        http://sensorstechforum.com/re... [sensorstechforum.com]

        After the payload file has been downloaded from a link, it will ask for elevation of privilege from the user. That file has a shield icon, so users expect the Windows User Account Control to be triggered. Unsurprisingly, they open it and give it permission, as they don’t suspect that this is a Trojan horse containing the payload for the Petya ransomware.

        This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! Cryptolocker I could understand because it just used the current user's credentials, but there is no excuse for getting infected by this.

        • > This is unbelievably stupid. I know, social engineering and all, but why the f$#%k would you click ok to a UAC warning to read a CV?! C

          Because they're HR. The field has high turnover and is noted for poor security practices "in order to get their job done".

        • I'm surprised a standard user would have the required security permissions to alter the MBR.

          • I'm surprised a standard user would have the required security permissions to alter the MBR.

            That's Windows security for you. Decades of established security practices where everyday users run unprivileged and only become root for administrative tasks, plus very user friendly implementations by Apple for OS X that nobody has complained about AFAIK, but nope, Microsoft has to come up with UAC instead. It is an improvement over XP, but it is still far too easy to inadvertently hose your system. The first thing I do when I install Windows is create an unprivileged user and set a password for the admin

        • but why the f$#%k would you click ok to a UAC warning to read a CV?

          Because we're conditioned to know if you click no then the thing we want to do doesn't work. It's gotten to the point where I've seen software installed that actively elevates user privileges so they aren't burdened by the UAC prompt. We're just used to knowing something won't work if we click No, not necessarily that this has nothing to do with the ability to read a CV.

      • This is actually true for Windows as well - you need local admin to write to the MBR.

        Also, if the machine is using UEFI/"Secure Boot", it wouldn't be affected either.

        • This is actually true for Windows as well - you need local admin to write to the MBR.

          The difference is that wine will simply refuse and fail.

          Whereas, on Windows, this will open a UAC prompt which users have acquired the habit (...have been Pavlovian-trained...) of clicking okay on to get anything done, due to countless badly designed pieces of software.

          Also, if the machine is using UEFI/"Secure Boot", it wouldn't be affected either.

          That's a bit more complicated.

          If the disk is partitioned in Legacy mode, this will fry the partition table.

          The UEFI firmware won't be able to locate the special FAT32 boot partition ("EFI system partition") with the bootloader .EFI executable used by

  • by Megahard ( 1053072 ) on Friday March 25, 2016 @05:07PM (#51778853)

    According to the update in TFA, just repairing the MBR will not solve the problem.

  • by Anonymous Coward

    "HR employees are sent an email with a link to a file stored on Dropbox, where an applicant's CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death."

    How does this scenario even occur? Why didn't HR just tell them to attach an appropriate file instead of going out of their way to download the "CV" and unpacking it? This is insanity.

    • by david_thornley ( 598059 ) on Friday March 25, 2016 @05:31PM (#51779029)

      They probably did, and the "applicant" disregarded that. Personally, I think that if you have to trim the pile of resumes/CVs, removing the ones that broke the submission rules and the ones that have serious spelling and/or grammatical mistakes is a good start.

      • Re: (Score:2, Interesting)

        by KGIII ( 973947 )

        I taught college maths for three semesters after retiring. The lack of longevity should be an indication of how much I enjoyed it. I only taught two different classes and then just one class for the final semester. I sort of enjoyed it but it was a "teacher's college" where they graduate future teachers. (It was UMF.) I'd had some decent instructors and borrowed/modified this entrance exam. It tells you a lot about the student's abilities.

        At any rate, I did the tried and true exam at the start of two of tho

        • by ihtoit ( 3393327 )

          I had a similar test for potentials when I ran my law firm. Five pages of questions (about 70 of them, some multiple choice, some short answer), the first instruction being: "Read the entire paper before you begin answering any of the questions", the penultimate being "Do not answer any question on this test but carry out the next instruction", the very last one being and I quote: "Sign your name in the box below, break your pencil in half and step away from the desk."

          Only one person ever passed, out of pro

          • by KGIII ( 973947 )

            I am just getting to read the responses. There are a few to mine (and then to yours) that indicate they would not have passed the exam. I'd already stressed the importance of following instructions - including the importance of bringing a pen with blue or black ink.

            • by ihtoit ( 3393327 )

              yeah, I kinda noticed that too.

              Oh, found the archived videos, they're on a stack in a server I'm actually rebuilding. Should be up again in the next week.

              • by KGIII ( 973947 )

                Sweet. Lemme know when they're available for me to view 'em. Funny enough, I almost posted a reminder in the response I'd written but I figured it hadn't been long enough to need a reminder. (I imagine anyone reading this is now officially lost or confused.)

                At any rate, I'm quite curious to see them. Maybe they'll give me some inspiration to write about 'em. I'm officially working on a site, technically a network of sites, to prove a point and win a bet - but also because it's an interesting thing to do. Th

                • by ihtoit ( 3393327 )

                  OK. Mobile version is here [google.com] (and I apologise in advance for the sound quality, you probably need some noise-cancelling headphones to hear it properly), I'll get the SD (which has better sound quality) up on a torrent because I don't have the space on my GDrive for a 14GB upload.

                  • by ihtoit ( 3393327 )

                    addendum: soon's the torrent's done I'll drop it into the SD folder on the previous link.

                    (and my wife says netbooks with flat batteries are useless... they're great for chucking up torrent boxes)

        • by djinn6 ( 1868030 )
          Following rules doesn't get you very far in life. At best you'll be just another cog in the global market, soon to be replaced by a computer, whose low cost is only matched by its ability to follow rules, however stupid those rules are.
          • by KGIII ( 973947 )

            Two things. That sounds good and is a nice pithy thought but we both know better. The second is that... Ah, screw it. You'll only want to argue anyhow. Yet, I suspect if you look at where I am and where you are - and then at who followed the rules, you would still just want to argue. Have a nice day.

            • by djinn6 ( 1868030 )
              What you call an argument, I call a discussion. Why else come to slashdot?

              I've basically followed a few rules in life and I've done great:
              1. Do what you love and do it really well
              2. Focus on your life goal
              3. Treat others kindly

              Every other rule is either a more specific (and therefore less useful) version of the above, or a moronic rule made by some asshat authoritarian to keep you down.

              Yet, I suspect if you look at where I am and where you are - and then at who followed the rules, you would still just want to argue.

              So is this a dick-measuring contest now?

              • by KGIII ( 973947 )

                It became a dick measuring contest, and nothing more, when you stated that it wouldn't get you very far in life.

          • Blindly not following rules is worse than blindly following rules. Know what the rules are, and why you're breaking them. My standard rule: never break a rule you don't understand. (Self-reference not only intentional, but vital to understanding the rule.)

          • Breaking human rules is one thing, it will only get you in trouble.

            Breaking Mother Nature's rules is different. Most of her punishments are death, and Mother Nature has no pity.

            Be sure you know the difference!

        • A few points:

          1. We give students competing goals: Do something in a limited time, but waste time reading an entire paper in full despite the bulk to the assessment being assigned to answer questions.

          2. You set something that was highly out of the ordinary for an exam. Even more out of the ordinary for a maths exam.

          3. You set something that has nothing to do with the course.

          4. You were attempting to teach people to blindly follow rules rather than attempt to get through what is typically tough questions usin

        • And the next job was in a manufacturing plant, where there was a set of steel steps with a light at the top. The sign said "Do Not go down the steps until the light goes out". The one who did not learn from the class, made a terrible mess. But they never actually found the body.

          The rest lived! 8-)

          • by KGIII ( 973947 )

            Far too many people understand the value of following directions. There's a time and a place to not do so. That's a rarity. Usually, you're far better off by following the directions.

  • Unless you are going to tamper with the firmware or its settings, "good luck" changing my boot sequence.

    Oh, by the way, a comment at this Trend Micro write-up [trendmicro.com] suggests that the initial program that infects the system won't work unless the user has administrative privileges.

    • I don't *always* boot from non-writable media.

    • In what company do computer illiterates like HR have admin privs on their computers?

      • by dbIII ( 701233 )
        One where the inhouse developers demand admin access for all users of their almighty VB application because they have admin access and don't have the patience to test it on a machine that does not. It used to be a very common problem and it still lurks in a few places. It took about two years to convince a developer in my workplace that it was a really bad idea despite it being part of the cause of a pile of virus incidents.
        • There's an easy fix for that. Sit down with your CISO and have him demand that any and all virus incidents that could have been avoided by not having admin privs on accounts that have no reason to have them be tacked to the cost center said dufus wannabe programmer is in.

          That problem will soon clean up itself.

          • by dbIII ( 701233 )
            Workplace politics is often more complicated - I was the "CISO" but the developer was outside of my chain of command since he did it more or less as a hobby on the side of his real job.

            The real issue is for developers to wake up to bad practices instead of just thinking they are being bullied by the head of a different department.

            All that is aside from the point - such bad practices were very common not long ago and still exist in many places.
            • Then you weren't the CISO.

              • by dbIII ( 701233 )
                Thanks a lot for calling me a liar for a very trivial reason. Meanwhile back in reality the problem was that I was not the CEO so it meant dealing with the very non-technical boss of the guy with the application instead of dealing with him myself.
                It's a side issue of the example so I really don't get why you are arguing and why you are going so far as to call me a liar. You also seem to be acting as if you have been asked to solve a problem when with that example it was solved years ago, but it won't be t
                • What I mean is that the title is pointless if you don't get the power to go with it. If you are responsible for the security in your company but have no power to make the relevant decisions, they have no CISO; all they have is a scapegoat.

    • by Maritz ( 1829006 )
      I'm unreasonably interested in the thinking behind the scare quotes.
  • This won't impact a Mac, nor will it impact Linux (it's an .exe file). The TFA referred to Windows, so should the summary.

    Just as usual - most rampant exploits and malware are Windows-only.

  • by Bing Tsher E ( 943915 ) on Friday March 25, 2016 @05:27PM (#51779007) Journal

    If we all volunteer to kick in a little to the ransom gang, is it possible we could spread it to all HR people worldwide? A world full of hamstrung HR people would allow us to all get direct-hire jobs.

    • by Anonymous Coward

      And cancel all the "sensitivity training" seminars? Puh-leez????

      If I hear one more "Binary is for *computers*, not people!" presentation of Social Justice Warrior drivel masquerading as workplace ethics.... it's not going to be pleasant.

    • by ericloewe ( 2129490 ) on Friday March 25, 2016 @05:50PM (#51779169)

      "Ransom gang" has such a negative connotation.

      How about calling them "workplace productivity enhancement team" or "employee happiness consultancy"?

    • Stop thinking small. Let's put it to where it can do some real good. Send it to the lawyers!

  • There is no reason anybody should be able to run unknown exes on a work computer without notifying IT first.
    It's the only way to combat this kind of lack of basic IT knowledge that afflicts most office workers.

    I work with people who have used PCs for over a decade who still lack basic IT knowledge and would still fall for this trick in a heartbeat. You cannot drill it into your staff to not open stuff like this, you have to actively prevent it happening.

    • by HiThere ( 15173 )

      At one point that was a reasonable position. Unfortunately operating systems now execute lots of things they shouldn't automatically. I've heard of jpg viruses.

  • Your PC is now Stoned [wikipedia.org]!
  • So just boot from a CD or USB drive and then fix the MBR.

  • I thought QDOS, and thus the BSOD, went away with Windows Vista. At least, that's what the ads told me.

    Are you implying that Microsoft might have lied to me? :cry emoji:

    • QDOS AKA MSDOS went away with the NT Kernel, the last Microsoft OS running on MSDOS was Windows ME. Windows Vista (NT 6.0) added to the BSOD with a more critical R(ed)SOD but the B(lue)SOD was still there. I don't know if the RSOD survived into Windows 7 NT6.1.
  • Hey, Slashdot, the technical site, how about telling us the name of the operating system and the hardware platform this ransomware runs on? Hint: Windows and Intel.
  • Or boot using UEFI, which probably breaks this. Toss in Secure Boot, and even if they wrote a UEFI bootloader they wouldn't be able to intercept the boot process.

    Cue idiots who make inaccurate comments about UEFI and betray their technical ignorance.

  • by aussersterne ( 212916 ) on Saturday March 26, 2016 @01:23AM (#51780909) Homepage

    I honestly entered this story hoping to read lots of merciless ridicule of these phrases.

    Where is it? Or have all the geeks finally left Slashdot?

    • by Anonymous Coward

      I was hoping for exactly the same; there's a brief mention of it followed by someone (user 4,496,745, yikes) seriously asking

      "I thought that was DOS too, how is it called then? Isn't that MS DOS running the boot code?"

      That, a day or so after some prick from the gadget show made it to the front page pontificating on things we all know he has absolutely no grasp of, this just isn't my slashdot any more and it's sad.

    • The /. geeks are gone, replaced by cowards and lusers that think a PC has to run Microsoft Windows and a hacker is a bad person. I only post about it when I think my karma is getting too high.
  • In Russian, Petya is a variation of the name Peter, a childish way to say that name. That makes me wonder...
