Trend Micro has discovered a new ransomware variant, dubbed “Petya” (detected as RANSOM_PETYA.A), infecting users in Germany with a payload hosted on the Dropbox platform.
The ransomware encrypts the victim’s data and holds it hostage, but it does so from outside Windows: it first crashes the machine to a blue screen of death, and when the computer restarts, a blinking red and white screen with a skull-and-crossbones animation appears in place of the operating system, followed by the ransom note.
It achieves this by overwriting the infected system’s master boot record (MBR), so that its own code runs at boot and the user is locked out of the computer entirely. Abusing a legitimate service such as Dropbox to host the payload is not new, but it has not been seen for some time, and it departs from the usual delivery methods: malicious files attached to emails, or uploaded to malicious sites and delivered by exploit kits.
The initial contact still appears to be email. Potential victims receive what looks like a business message from a job seeker interested in the company, containing a link to a Dropbox folder from which the unsuspecting victim can download the “applicant’s” application documents.
Among the samples Trend Micro studied, the Dropbox link leads to two files: a self-extracting executable posing as the applicant’s curriculum vitae, and a photo of the job seeker. The research team found that the photo was usually a stock image taken from a photographer’s portfolio.
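The lure described above relies on an executable that looks like a document. The following is an added triage example, not Trend Micro’s tooling or anything from the Petya sample itself: it flags a downloaded file when its name uses a document-style double extension, when it carries a PE (“MZ”) header despite a document extension, or when a PE file has an archive signature embedded after its header, which is what a self-extracting stub looks like. The file names and byte strings are constructed for the example; the “SFX” sample is only a minimal PE-shaped header followed by a RAR signature, not a real executable.

```python
import os
import struct

# Archive signatures commonly wrapped by self-extracting (SFX) stubs.
ARCHIVE_MAGICS = {
    b"Rar!\x1a\x07": "RAR",
    b"7z\xbc\xaf\x27\x1c": "7-Zip",
    b"PK\x03\x04": "ZIP",
}
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".rtf", ".odt", ".jpg", ".png"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd"}


def is_pe(data: bytes) -> bool:
    """True if data has a DOS 'MZ' header whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_embedded_archive(data: bytes, search_from: int = 0x40):
    """Return (format, offset) of the earliest archive signature past the DOS header, or None."""
    best = None
    for magic, fmt in ARCHIVE_MAGICS.items():
        idx = data.find(magic, search_from)
        if idx != -1 and (best is None or idx < best[1]):
            best = (fmt, idx)
    return best


def triage(filename: str, data: bytes) -> list:
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    root, ext = os.path.splitext(filename.lower())
    inner_ext = os.path.splitext(root)[1]      # e.g. ".pdf" in "cv.pdf.exe"
    pe = is_pe(data)
    if ext in EXECUTABLE_EXTS and inner_ext in DOCUMENT_EXTS:
        findings.append(f"double extension: looks like {inner_ext} but runs as {ext}")
    if pe and ext in DOCUMENT_EXTS:
        findings.append(f"PE executable with document extension {ext}")
    if pe:
        hit = find_embedded_archive(data)
        if hit:
            findings.append(f"PE with embedded {hit[0]} archive at offset {hit[1]}: self-extracting stub")
    return findings


def _fake_pe(stub_size: int = 0x200) -> bytes:
    """Constructed, minimal PE-shaped header for the example (not a runnable executable)."""
    buf = bytearray(stub_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)   # e_lfanew -> 0x80
    buf[0x80:0x84] = b"PE\x00\x00"
    return bytes(buf)


# Constructed samples: an SFX-looking file and a harmless PDF.
SFX_SAMPLE = _fake_pe() + b"Rar!\x1a\x07\x00" + b"CONSTRUCTED-ARCHIVE-PAYLOAD" * 4
PDF_SAMPLE = b"%PDF-1.5\n% constructed harmless document body\n"

if __name__ == "__main__":
    for name, blob in (("Bewerbungsmappe.pdf.exe", SFX_SAMPLE), ("Lebenslauf.pdf", PDF_SAMPLE)):
        print(name, triage(name, blob) or "clean")
```

Treat the result as a triage hint rather than a verdict: legitimate installers are also self-extracting PE files, and `PK\x03\x04` can occur inside benign binaries, so a hit should route the file to sandboxing or manual review, not to an automatic block.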
Running the self-extracting executable drops a Trojan that blinds any installed antivirus software and then installs the Petya ransomware. Petya overwrites the computer’s MBR, crashes the system to the blue screen, and from then on intercepts every boot: if the victim restarts the machine, the ransomware prevents Windows from loading and displays the skull-and-crossbones screen described above.
Booting into Safe Mode is not possible either, because Safe Mode is a Windows boot option and the replaced MBR stops Windows from loading at all. The user is left with the attackers’ demands, instructions on how to pay the ransom, and instructions on how to regain access to the computer. The attackers demand 0.99 Bitcoin (approximately US$431 at the time) in exchange for the computer’s “life”; the amount doubles if the payment deadline is missed.
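Because the lock-out comes from sector 0 of the disk rather than from anything inside Windows, the check a defender wants is an integrity check on the MBR itself: hash the 446-byte bootstrap area against a baseline taken when the machine was known good, confirm the `55AA` boot signature, and confirm the partition table still has an active partition. The example below is added here and is not Trend Micro’s or Petya’s code; the “clean” and “tampered” 512-byte sectors are constructed for illustration, and the rogue loader bytes are placeholder text, not Petya’s actual boot code. The `read_mbr` helper reads a real device and needs administrator or root privileges; it is not called at import time, so the block runs offline.

```python
import hashlib
import struct
from dataclasses import dataclass
from typing import List

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446           # bytes 0..445: code the BIOS executes at boot
PART_TABLE_OFFSET = 446       # four 16-byte partition entries follow the bootstrap
PART_ENTRY_FMT = "<B3sB3sII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIGNATURE = b"\x55\xaa"  # bytes 510..511
GPT_PROTECTIVE_TYPE = 0xEE    # protective MBR on GPT disks normally has no active flag


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    entries = []
    for i in range(4):
        status, _, type_id, _, lba, count = struct.unpack_from(
            PART_ENTRY_FMT, mbr, PART_TABLE_OFFSET + i * 16)
        if type_id != 0:                         # type 0 marks an unused slot
            entries.append(PartitionEntry(status == 0x80, type_id, lba, count))
    return entries


def bootstrap_sha256(mbr: bytes) -> str:
    return hashlib.sha256(mbr[:BOOTSTRAP_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_sha256: str) -> dict:
    """Compare sector 0 against a known-good baseline; ok=False with findings on any deviation."""
    if len(mbr) < SECTOR_SIZE:
        return {"ok": False, "findings": [f"short read: {len(mbr)} bytes"], "partitions": []}
    findings = []
    if mbr[510:512] != BOOT_SIGNATURE:
        findings.append("boot signature 55AA missing")
    digest = bootstrap_sha256(mbr)
    if digest != baseline_sha256:
        findings.append("bootstrap code differs from baseline")
    parts = parse_partition_table(mbr)
    is_gpt = any(p.type_id == GPT_PROTECTIVE_TYPE for p in parts)
    if not is_gpt and not any(p.bootable for p in parts):
        findings.append("no active partition")
    return {"ok": not findings, "bootstrap_sha256": digest, "partitions": parts, "findings": findings}


def read_mbr(device: str) -> bytes:
    """Read sector 0 of a raw device, e.g. r'\\\\.\\PhysicalDrive0' or '/dev/sda' (privileged)."""
    with open(device, "rb") as f:
        return f.read(SECTOR_SIZE)


def _build_mbr(bootstrap: bytes, entries: List[bytes]) -> bytes:
    """Assemble a constructed 512-byte sector from bootstrap bytes and packed partition entries."""
    body = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")[:BOOTSTRAP_LEN]
    table = b"".join(entries).ljust(64, b"\x00")
    return body + table + BOOT_SIGNATURE


# Constructed "clean" sector: a few plausible boot-code bytes plus one active NTFS partition.
_CLEAN_STUB = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c"
_NTFS_ENTRY = struct.pack(PART_ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 2_000_000)
CLEAN_MBR = _build_mbr(_CLEAN_STUB, [_NTFS_ENTRY])
BASELINE = bootstrap_sha256(CLEAN_MBR)   # recorded once, while the machine is known good

# Constructed "tampered" sector: bootstrap replaced by a placeholder loader, table left intact.
_ROGUE_STUB = b"\xeb\x1e\x90" + b"ROGUE LOADER - CONSTRUCTED SAMPLE, NOT PETYA CODE"
TAMPERED_MBR = _build_mbr(_ROGUE_STUB, [_NTFS_ENTRY])

if __name__ == "__main__":
    for label, sector in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        result = check_mbr(sector, BASELINE)
        print(label, "OK" if result["ok"] else "ALERT", result["findings"])
```

The baseline must be captured before infection and stored off the host; a check run from inside Windows is useful as a scheduled task, and the same functions work against sector 0 of a forensic disk image after the fact. On GPT disks the protective MBR entry (type `0xEE`) normally carries no active flag, which is why the “no active partition” test is skipped in that case.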
Dropbox was notified by Trend Micro about the malware hosted on their system, prompting them to remove all files and links related to the Petya ransomware. Dropbox also stated, “we take any indication of abuse of the Dropbox platform very seriously and have a dedicated team that works around the clock to monitor and prevent misuse of Dropbox. Although this attack didn’t involve any compromise of Dropbox security, we have investigated and have put procedures in place to proactively shut down rogue activity like this as soon as it happens.”