Submission: Petya-Derived Ransomware Is Acting Like Shamoon, Wiping Data
Trailrunner7 writes: Security researchers are continuing to delve into the details of the latest ransomware outbreak, and have found that the ExPetr ransomware has a number of interesting characteristics that separate it from other variants and raise questions about its purpose.
Most ransomware is designed solely to make money for the attacker. But ExPetr not only encrypts users’ files but it exhibits some destructive behavior, too.
“Beyond encrypting files, this ransomware also attempts to overwrite the MBR and the first sector of the VBR. If the malware is run with SeShutdownPrivilege or SeDebugPrivilege or SeTcbPrivilege privilege, it overwrites the MBR of the victim’s machine,” Microsoft’s researchers said.
Overwriting the master boot record essentially leaves a PC unusable and is the kind of behavior that’s normally associated with wiper malware such as Shamoon. Those variants are designed to destroy data, not encrypt it and hold it for ransom, and researchers say the financial aspect of ExPetr may just be a decoy.
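As an added example (not part of the submission or of Microsoft's research), the script below parses a 512-byte MBR sector dump and flags the structural damage that an MBR overwrite leaves behind: missing 0x55AA boot signature, zeroed bootstrap area, nonsensical partition entries, or a hash that no longer matches a baseline recorded while the machine was healthy. Both sample sectors are constructed in the code, not captured from a real infection, and the partition layout, disk signature and bootstrap bytes in them are arbitrary. A defender would feed it sector 0 read from \\.\PhysicalDrive0 (or /dev/sda) with a tool of their choice; the check only detects damage to the classic MBR layout and says nothing about the VBR or about the encrypted files.

```python
"""Structural integrity check for a 512-byte MBR sector dump (added example).

Usage: python mbr_check.py sector0.bin [baseline_sha256]
"""
import hashlib
import struct
import sys
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16


def sector_sha256(sector: bytes) -> str:
    """Hash of the whole sector; record this from a known-good disk as the baseline."""
    return hashlib.sha256(sector).hexdigest()


def parse_mbr(sector: bytes) -> dict:
    """Parse the classic MBR layout: 440-byte bootstrap, 4-byte disk signature,
    2 reserved bytes, four 16-byte partition entries, then the 0x55AA signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    bootstrap = sector[:440]
    disk_signature = struct.unpack_from("<I", sector, 440)[0]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        # status, CHS start, type, CHS end, LBA start, sector count
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack_from(
            "<B3sB3sII", sector, off)
        partitions.append({"status": status, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "bootstrap_all_zero": not any(bootstrap),
        "disk_signature": disk_signature,
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def assess_mbr(sector: bytes, baseline_sha256: Optional[str] = None) -> list:
    """Return a list of findings; an empty list means the sector looks intact."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if info["bootstrap_all_zero"]:
        findings.append("bootstrap code area is all zeros")
    if not any(p["type"] != 0 for p in info["partitions"]):
        findings.append("no partition entries")
    for idx, p in enumerate(info["partitions"]):
        # Only 0x00 (inactive) and 0x80 (bootable) are valid status bytes.
        if p["status"] not in (0x00, 0x80):
            findings.append(f"partition {idx}: invalid status byte 0x{p['status']:02x}")
        if p["type"] != 0 and p["sectors"] == 0:
            findings.append(f"partition {idx}: zero-length partition")
    if baseline_sha256 is not None and sector_sha256(sector) != baseline_sha256:
        findings.append("sector hash differs from recorded baseline")
    return findings


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS (type 0x07) partition at LBA 2048.
    Not taken from any real disk; the bootstrap bytes are placeholders."""
    sec = bytearray(SECTOR_SIZE)
    sec[0:3] = b"\x33\xc0\x8e"          # placeholder for real bootstrap code
    struct.pack_into("<I", sec, 440, 0x1234ABCD)   # arbitrary disk signature
    struct.pack_into("<B3sB3sII", sec, PARTITION_TABLE_OFFSET,
                     0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    sec[510:512] = BOOT_SIGNATURE
    return bytes(sec)


def build_overwritten_mbr() -> bytes:
    """Constructed sample of sector 0 after a wiper-style overwrite: deterministic
    junk bytes with no boot signature and no sane partition table."""
    return bytes((i * 73 + 11) % 256 for i in range(SECTOR_SIZE))


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # No dump supplied: demonstrate on the constructed samples.
        print("intact sample:", assess_mbr(build_sample_mbr()) or "no findings")
        print("overwritten sample:", assess_mbr(build_overwritten_mbr()))
    else:
        with open(sys.argv[1], "rb") as fh:
            data = fh.read(SECTOR_SIZE)
        baseline = sys.argv[2] if len(sys.argv) > 2 else None
        for line in assess_mbr(data, baseline) or ["no findings"]:
            print(line)
```

The baseline hash is the check that matters in practice: a wiper can leave a syntactically valid MBR behind, so structural sanity alone is not proof of integrity, while a sector hash recorded at build time and stored off-host catches any byte-level change. Run without arguments the script reports on its two constructed samples.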