[BreachExchange] Ransomware gets a lot faster by encrypting the master file table instead of the filesystem

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 29 21:32:45 EDT 2016


https://boingboing.net/2016/03/28/ransomware-gets-a-lot-faster-b.html

In just a few short years, ransomware -- malware that encrypts all the
files on the computer and then charges you for a key to restore them -- has
gone from a clever literary device for technothrillers to a cottage
industry to an epidemic to a public menace.

But ransomware has a serious Achilles heel that's kept it in check:
encrypting a lot of files is computationally expensive, especially when
there isn't much free space on the victim's hard drive. That means that
ransomware either has to run very slowly (increasing the chances that it'll
be detected and stopped before it can gobble up too many files) or very
obviously (slowing down the victim's PC so badly that they may figure out
something's up before it gets very far and pull the plug).

A new ransomware, Petya, deploys a rarely seen technique that massively
speeds up the encryption. Petya attacks the drive's Master Boot Record and
Master File Table, the metadata files that allow a drive to start up a
computer and know which files are in which sectors. Without these two
files, disks are unreadable by normal measures -- but these two files are
relatively tiny and can be encrypted in seconds, rather than days.

MBR/MFT attacks will be easier to beat than whole filesystem encryption,
though: since the earliest days of mechanical drive failure, there've been
utility programs that read every sector on a disk that's experienced
corruption and try to reconstruct the disk's catalog. Modern filesystems
like EXT4 implement "journaling" protocols that redundantly store metadata
that can be useful in this exercise. It's possible that if Petya becomes
more widespread, companies or organizations will start offering
specialized, bootable thumb-drives that contain filesystem recovery tools
that you can use to get your data back without paying the ransom.

Petya isn't the first ransomware to attack drive metadata rather than the
filesystem itself; a primitive version was seen last January.

When first installed, the Petya ransomware will replace the boot drive's
existing Master Boot Record, or MBR, with a malicious loader. The MBR is
information placed at the very beginning of a hard drive that tells the
computer how it should boot the operating system. It will then cause
Windows to reboot in order to execute the new malicious ransomware loader,
which will display a screen pretending to be CHKDSK. During this fake
CHKDSK stage, Petya will encrypt the Master File Table on the drive. Once
the MFT is corrupted, or encrypted in this case, the computer does not know
where files are located, or if they even exist, and thus they are not
accessible.

Once the fake CHKDSK is completed, you will be presented with a lock screen
that displays instructions on connecting to a Tor site and a unique ID you
must use on the site to make the ransom payment. Once a ransom payment has
been made, you will receive a password that you can enter into this screen
to decrypt your computer.
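The attack described above starts by overwriting the 446 bytes of bootstrap code at the front of sector 0 while leaving the partition table in place so the machine can still reboot into the malicious loader. That makes a cheap integrity check possible: hash the bootstrap code once on a known-good system and compare it on every subsequent check. The script below is an added example, not code from the article, the mailing list, or any Petya analysis; the sample MBRs it builds are constructed for the example and contain no real boot code or malware bytes. The only layout facts it relies on are the classic MBR format: 446 bytes of code, four 16-byte partition entries, and the 0x55AA signature.

```python
"""Baseline and check a disk's Master Boot Record (MBR) for bootstrap-code
replacement. Added example; the sample sectors below are constructed."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446           # bootstrap code occupies bytes 0..445
PARTITION_TABLE_OFFSET = 446  # four 16-byte entries follow the code
PARTITION_ENTRY_LEN = 16
MBR_SIGNATURE = b"\x55\xAA"   # bytes 510..511


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte MBR partition entry.
    Layout: status(1) CHS start(3) type(1) CHS end(3) LBA start(4 LE) sectors(4 LE)."""
    status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", entry, 0)
    return {"bootable": status == 0x80, "type": ptype,
            "lba_start": lba_start, "sectors": sectors}


def parse_mbr(sector: bytes) -> dict:
    """Split a 512-byte sector 0 into bootstrap code and non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature; not an MBR sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_LEN
        entry = sector[off:off + PARTITION_ENTRY_LEN]
        if entry != b"\x00" * PARTITION_ENTRY_LEN:
            partitions.append(parse_partition_entry(entry))
    return {"bootstrap": sector[:BOOTSTRAP_LEN], "partitions": partitions}


def bootstrap_fingerprint(sector: bytes) -> str:
    """SHA-256 of the bootstrap code only; the partition table may legitimately change."""
    return hashlib.sha256(parse_mbr(sector)["bootstrap"]).hexdigest()


def check_mbr(sector: bytes, baseline_fingerprint: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    findings = []
    info = parse_mbr(sector)
    if hashlib.sha256(info["bootstrap"]).hexdigest() != baseline_fingerprint:
        findings.append("bootstrap code differs from baseline (possible MBR replacement)")
    bootable = [p for p in info["partitions"] if p["bootable"]]
    if len(bootable) != 1:
        findings.append(f"expected exactly one active partition, found {len(bootable)}")
    return findings


def read_first_sector(device_path: str) -> bytes:
    """Read sector 0 from a raw device, e.g. '/dev/sda' or r'\\\\.\\PhysicalDrive0'
    (the latter needs Administrator rights on Windows)."""
    with open(device_path, "rb") as dev:
        return dev.read(SECTOR_SIZE)


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Constructed sample: one active type-0x07 partition at LBA 2048, 1 GiB long."""
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 2097152)
    table = entry + b"\x00" * (PARTITION_ENTRY_LEN * 3)
    return code + table + MBR_SIGNATURE


# Constructed stand-ins: the "clean" bootstrap is arbitrary filler recorded as the
# baseline; the "tampered" one simulates a loader written over the same sector.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 16)
TAMPERED_MBR = build_sample_mbr(b"\xeb\x3c\x90" + b"\xcc" * 32)
BASELINE = bootstrap_fingerprint(CLEAN_MBR)


if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(sector, BASELINE)
        print(label, "->", findings or "OK, matches baseline")
```

Record the baseline from a machine you trust (ideally right after installation) and store it off the host; a check that reads its baseline from the same disk the loader just overwrote proves nothing. The check runs from the live OS, so it catches the MBR swap in the window before the forced reboot; once the fake CHKDSK has run, the job shifts to the recovery tools the article mentions.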