Mortgage Software Solutions Blog

Petya: A New Ransomware Threat


Ransomware is a growing threat to computers and to the businesses and individuals that use them. This kind of malware encrypts the contents of a drive, making it useless to the owner. To get it decrypted, the user must send payment through an anonymous channel to the extortionist, who will then (if you're lucky) send you a decryption key that will restore your files.

Understanding Petya

Petya is a recent and especially nasty form of ransomware that encrypts not your documents but the underlying Windows file system, making it impossible even to boot your computer. The payment process is cumbersome and error-prone. The good news is that it's possible, though difficult, to recover the files.

So far, this attack has taken the form of supposed job applications emailed to employers. It asks them to download a file from Dropbox that supposedly contains a resume. It's actually an executable file that does the dirty work. Dropbox has removed this file, but we can expect the perpetrators to put it up somewhere else in the near future.

When it runs, it overwrites the boot loader—the code that your computer executes when you first turn it on. Then, it crashes the computer, displaying only the "Blue Screen of Death." At this point your file structure is still intact, but it isn't safe to reboot.

If you reboot, you'll see text on your screen that impersonates the CHKDSK system software that verifies the disk. What it’s actually doing is encrypting the computer's Master File Table. When it's done, it will display a red skull made of text characters and then a politely phrased demand for payment.

Since your computer is now useless, you have to go to another computer to carry out the instructions. You have to send a payment, most often in Bitcoin, to retrieve the decryption key. Then you have to type it, by hand, on your own machine; it's very long and difficult to copy without mistakes.

How are Mortgage Firms Affected?

Mortgage companies and similar institutions are especially vulnerable to this type of attack because they get a lot of email that falls into generic categories, such as job applications, loan applications, and follow-ups, and they also retain and receive a lot of extremely private and valuable information.

How Can You Protect Your Business?

Fortunately, your mortgage business can take certain measures to avoid being hit. First, if you get a file or a download link emailed to you, check what kind it is. PDF and text files are reasonably safe to open, but you should never double-click an executable file unless you have a really good reason to run it. This applies even to files that may appear to come from people you know and trust.

If you have second thoughts after double-clicking and your computer immediately crashes, do not reboot it. Have it checked remotely by an IT security professional.

If you reboot after that sequence of events and it appears to be running CHKDSK, pull the plug. That's almost never good advice, but this is one of those rare occasions when it's the right thing to do.

Petya encrypts the Master File Table, which tells the computer where all the files are, but doesn't touch the actual content of the files. It's as if someone went through your library, tearing every page out of your books, erasing the page numbers, and scattering them randomly on the floor. All the information is still there; you just don't have any good way to get at it. A good disk recovery service may be able to reconstruct your files. It will still cost money, but at least you won't be helping to finance extortion.

Antivirus software companies are just now catching up with Petya, but we know that it’s only a matter of time before other viruses and security threats evolve. Keeping the protection on your computer up to date will help to stop these threats.

Using Access Business Technologies’ managed mortgage security solutions will protect you from new and existing threats. In particular, DocumentGuardian™ provides a secure way to send sensitive documents, scanning them for malware and rejecting anything that is infected. Access Business Technologies vigilantly monitors several sources for new spyware, ransomware, and other forms of intrusion, to help you stay ahead of cyber criminals. For more information about our services, please contact us.

Learn More

Topics: ransomware Petya ransomware