Ransomware gets a lot faster by encrypting the master file table instead of the filesystem

In just a few short years, ransomware -- malware that encrypts all the files on the computer and then charges you for a key to restore them -- has gone from a clever literary device for technothrillers to a cottage industry to an epidemic to a public menace.



But ransomware has a serious Achilles heel that's kept it in check: encrypting a lot of files is computationally expensive, especially when there isn't much free space on the victim's hard-drive. That means that ransomware either has to run very slowly (increasing the chances that it'll be detected and stopped before it can gobble up too many files) or very obviously (slowing down the victim's PC so badly that they may figure out something's up before it gets very far and pull the plug).

A new ransomware, Petya, deploys a rarely seen technique that massively speeds up the encryption. Petya attacks the drive's Master Boot Record and Master File Table, the metadata files that allow a drive to start up a computer and know which files are in which sectors. Without these two files, disks are unreadable by normal measures -- but these two files are relatively tiny and can be encrypted in seconds, rather than days.

MBR/MFT attacks will be easier to beat than whole filesystem encryption, though: since the earliest days of mechanical drive failure, there've been utility programs that read every sector on a disk that's experienced corruption and try to reconstruct the disk's catalog. Modern filesystems like EXT4 implement "journaling" protocols that redundantly store metadata that can be useful in this exercise. It's possible that if Petya becomes more widespread, companies or organizations will start offering specialized, bootable thumb-drives that contain filesystem recovery tools that you can use to get your data back without paying the ransom.

Petya isn't the first ransomware to attack drive metadata rather than the filesystem itself; a primitive version was seen last January.


When first installed, the Petya Ransomware will replace the boot drive's existing Master Boot Record, or MBR, with a malicious loader. The MBR is information placed at the very beginning on a hard drive that tells the computer how it should boot the operating system. It will then cause Windows to reboot in order to execute the new malicious ransomware loader, which will display a screen pretending to be CHKDSK. During this fake CHKDSK stage, Petya will encrypt the Master File Table on the drive. Once the MFT is corrupted, or encrypted in this case, the computer does not know where files are located, or if they even exist, and thus they are not accessible.

Once the fake CHKDSK is completed, you will be presented with a lock screen that displays instructions on connecting to a TOR site and a unique ID you must use on the site to make the ransom payment. Once a ransom payment has been made, you will receive a password that you can enter into this screen to decrypt your computer.


Petya Ransomware skips the Files and Encrypts your Hard Drive Instead

[Lawrence Abrams/Bleeping Computer]

(via Bruce Sterling)