Petya Ransomware Locks Users Out on Boot Up


Security experts are warning of a new ransomware family that spreads via malicious Dropbox links and overwrites the targeted system’s master boot record (MBR) to lock users out of their machines before Windows even starts.

Trend Micro explained in a blog post last week that ‘Petya’ is a departure from typical ransomware, which spreads via malicious email attachments or is hosted on websites and delivered by exploit kits.

Instead, researchers found Petya in the form of an unsolicited email spoofed to come from an “applicant” seeking a position in a company. The malicious Dropbox hyperlinks supposedly led to the applicant’s CV.

“Of course, the file downloaded isn’t actually a resume at all, but rather a self-extracting executable file which would then unleash a trojan onto the system,” explained malware analyst Jasen Sumalapao. “The trojan then blinds any antivirus programs installed before downloading (and executing) the Petya ransomware.”

Petya then overwrites the MBR of the system disk with its own boot code and crashes Windows, producing the classic ‘Blue Screen of Death’ and forcing a reboot.

When the PC reboots, the attacker’s boot code runs instead of Windows, and the user is greeted by a red and white ASCII skull and the classic “pay up in Bitcoins or lose all your data” ultimatum.
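To make the boot-sector part concrete, the following Python script, added here and not taken from the article or from Trend Micro, parses a 512-byte MBR into its three pieces (446 bytes of boot code, a 64-byte table of four partition entries, and the 0x55AA signature) and flags a sector whose boot code no longer matches a known-good hash. Both sectors below are constructed stand-ins: the "clean" boot code is placeholder bytes, not real Windows boot code, and the "tampered" bytes are arbitrary, not Petya's loader. Reading the real first sector of a disk (for example `\\.\PhysicalDrive0` on Windows) requires administrative rights and is left out so the script runs offline.

```python
# Added example: parse a 512-byte master boot record and compare its boot code
# against a known-good baseline. Not code from the article or from Trend Micro;
# all sector contents below are constructed for illustration.
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445: executable boot code
PARTITION_TABLE_OFF = 446    # 4 entries x 16 bytes
PARTITION_ENTRY_LEN = 16
SIGNATURE_OFF = 510          # bytes 510..511: 0x55 0xAA
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into boot code hash, partition entries and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + i * PARTITION_ENTRY_LEN
        # status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        if ptype == 0:          # type 0x00 marks an unused slot
            continue
        partitions.append({
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": sectors,
        })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "signature": sector[SIGNATURE_OFF:],
    }


def check_mbr(sector: bytes, baseline_boot_code_sha256: str) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    mbr = parse_mbr(sector)
    findings = []
    if mbr["signature"] != BOOT_SIGNATURE:
        findings.append("boot signature is not 0x55AA")
    if mbr["boot_code_sha256"] != baseline_boot_code_sha256:
        findings.append("boot code differs from baseline")
    if not mbr["partitions"]:
        findings.append("partition table has no entries")
    return findings


def _partition_entry(bootable: bool, ptype: int, lba_start: int, sectors: int) -> bytes:
    # CHS fields are legacy; zeroed here because modern loaders use the LBA fields.
    return struct.pack("<B3sB3sII", 0x80 if bootable else 0x00, b"\0\0\0",
                       ptype, b"\0\0\0", lba_start, sectors)


# Constructed sample: a stand-in for a clean MBR (placeholder boot code, not real
# boot code) with one bootable NTFS-type (0x07) partition starting at LBA 2048.
_TABLE = (_partition_entry(True, 0x07, 2048, 204800)
          + _partition_entry(False, 0, 0, 0) * 3)
CLEAN_MBR = b"\x33\xc0\x8e\xd0".ljust(BOOT_CODE_LEN, b"\0") + _TABLE + BOOT_SIGNATURE
CLEAN_BOOT_CODE_SHA256 = hashlib.sha256(CLEAN_MBR[:BOOT_CODE_LEN]).hexdigest()

# Constructed tamper case: partition table and signature left intact, so a
# partition listing still looks normal, but the boot code has been replaced.
# The bytes are arbitrary stand-ins, not any real malware's loader.
TAMPERED_MBR = b"\xeb\x00PLACEHOLDER".ljust(BOOT_CODE_LEN, b"\x90") + _TABLE + BOOT_SIGNATURE


if __name__ == "__main__":
    for name, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        findings = check_mbr(sector, CLEAN_BOOT_CODE_SHA256)
        print(f"{name}: {findings or 'OK'}")
```

The tamper case deliberately leaves the partition table and the 0x55AA signature untouched: a tool that only lists partitions would report nothing unusual. What catches a replaced bootloader is the hash of the 446 bytes of boot code compared against a baseline captured while the machine was known to be good, which is why the baseline hash, not the partition layout, is the value worth recording.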

“The user is then given explicit instructions on how to do this, just like any crypto-ransomware currently making the rounds: a list of demands, a link to the Tor Project and how to get to the payment page using it, and a personal decryption code,” continued Sumalapao.

“Looking at its very professionally-designed Tor website, we discover that its ransom price is currently at 0.99 Bitcoins (BTC), or $431 – and that said price would be doubled if the on-screen deadline for payment is missed.”

Dropbox swiftly removed the offending links and file when notified by Trend Micro, the security vendor said.

A spokesperson from the firm sent Infosecurity this statement:

"We take any indication of abuse of the Dropbox platform very seriously and have a dedicated team that works around the clock to monitor and prevent misuse of Dropbox. Although this attack didn't involve any compromise of Dropbox security, we have investigated and have put procedures in place to proactively shut down rogue activity like this as soon as it happens."

Petya isn’t the only new ransomware doing the rounds. Last week, Cisco’s Talos team revealed the appearance of ‘SamSam’, a new variant targeted at the healthcare sector.

Instead of targeting end users via phishing campaigns and exploit kits, SamSam’s operators compromise internet-facing servers through remote code execution and then move laterally to infect additional servers.

“Adversaries are exploiting known vulnerabilities in unpatched JBoss servers before installing a web shell, identifying further network connected systems, and installing SamSam ransomware to encrypt files on these devices,” Cisco explained.
