Petya Ransomware Uses DOS-Level Lock Screen, Prevents OS Boot Up

Share this…

Petya uses old-school ransomware tactics, seems to be doing fine without employing powerful encryption. Malware experts from German security firm G DATA have found a new type of lock-ransomware that uses a DOS-level lock screen to prevent users from accessing their files.

Lock-ransomware, also known as lockers, is the first type of ransomware that existed before the rise of crypto-ransomware. This type of ransomware doesn’t encrypt files, but merely blocks the user’s access to his data.

In the vast majority of cases, this is a desktop-level lock screen, but there have been ransomware families that only locked up the browser’s window (called browser lockers, or browser ransomware).

As time went by, lock-ransomware proved to be easy to remove, and most ransomware cyber-gangs these days are using a crypto-ransomware variant, due to its efficiency at “convincing” infected victims to pay.

With all this said, it is strange to see a lock-ransomware these days, outside mobile devices where they’re still efficient.

Petya ransomware is distributed to HR departments

The latest lock-ransomware discovered by security researchers is the Petya ransomware, which was seen spread via spear-phishing campaigns aimed at human resource departments.

HR employees are sent an email with a link to a file stored on Dropbox, where an applicant’s CV can be downloaded. This file is an EXE file named portfolio-packed.exe, which if executed, immediately crashes the system into a standard Windows blue screen of death.

Before this happens, G DATA suspects that the ransomware alters the hard drive’s MBR, preventing the OS from starting and hijacking the boot process into a malicious routine.

Petya keeps computers at DOS level until victims pay the ransom

As soon as the user restarts the PC after the blue screen, the computer will enter a fake check disk (CHKDSK) process that, after it finishes, will load Petya’s lock screen, at the computer’s DOS level.

Restarting the computer over and over will always enter this screen, which is (we must admit) a pretty smart and innovative method of showing a lock screen.

This screen provides a link to the ransomware’s payment site, hosted on Tor. After the user purchases a decryption key, he can enter it at the bottom of the DOS lock screen. Petya claims to encrypt the user’s files, but G DATA says they can’t verify its claims, and that this is presumably a lie.

G DATA is still analyzing this new type of ransomware and has not yet identified a method of going around this screen and booting the OS.

Besides Petya, security researchers from Cyphort also discovered a new version of the Ransom Locker family, another lock-ransomware variant that uses old-school lock screens instead of encryption. Below is a video of Petya in action.