Ransomware now using disk-level encryption

Ransomware has been detected infecting master file tables, rendering Windows PC useless unless payment is made.

When first executed, the Petya malware will reboot the victim's machine, and run what appears to be a Windows check disk scan as a mask for the encryption process.

A screen is then displayed that directs users to a payment link where 0.9 Bitcoins (US$382) are to be sent in exchange for the decryption key.

Malware man Lawrence Abrams says German businesses are being targeted with Petya through phishing emails.

"The Petya ransomware takes it to the next level by encrypting portions of the hard drive itself that make it so you are unable to access anything on the drive, including Windows," Abrams says.

"When first installed, the Petya ransomware will replace the boot drive's existing master boot record with a malicious loader.

"It will then cause Windows to reboot in order to execute the new malicious ransomware loader, which will display a screen pretending to be CHKDSK."

See a screenshot of the fake checkdisk scan here (at Bleeping Computer).

There are not yet any methods for free decryption by way of exploiting possible flaws in Petya's encryption implementation, meaning users must wipe their machines or pay the ransom.

Repairing the master boot record will not decrypt the ransomware, leading the attackers (calling themselves 'Janus Cybercrime Solutions') to say such an attempt can shutter the ability to decrypt using a purchased key. Interestingly, a backup of the PC's original master boot record is, for want of a better word, encrypted using the ASCII character '7' – you can find more analysis here.

It is the latest evolution in the dynamic and hugely-profitable ransomware market.

Ransomware variants will encrypt desktops and phones with the best using strong encryption that has resisted circumvention attacks.

Some will target multiple network drives, seek out and encrypt connected back-ups, and silently encrypt and decrypt on the fly for months in a bid to prevent admins falling back to restores.

Payments are often met with working decryption keys for the most professional ransomware, leading many businesses and even hospitals to pay up to re-access their digital goodies. ®