Home / malware Ransom:Win32/Petya.A
First posted on 29 June 2017.
Source: MicrosoftAliases :
There are no other names known for Ransom:Win32/Petya.A.
Explanation :
Installation
This threat may be installed by malicious documents and distributed through email and uses exploits to distribute.
You might see the following email:
Payload
This malware encrypts fixed drives and encrypt the following file extensions:
.3ds .pdf .7z .php .accdb .pmf .ai .ppt .asp .pptx .aspx .pst .avhd .pv .back .py .bak .pyc .c .rar .cfg .rtf .conf .sln .cpp .sql .cs .tar .ctl .vbox .dbf .vbs .disk .vcb .djvu .vdi .doc .vfd .docx .vmc .dwg .vmd .eml .vmsd .fdb .vmx .gz .vsdx .h .vsv .hdd .work .kdbx .xls .mail .xlsx .mdb .xvd .msg .zip .nrg .ora .ost .ova .ovf
It skips the folder "C:Windows".
It drops the following decryption instructions:
"Ooops, your important files are encrypted.\r\n"
"\r\n"
"If you see this text, then your files are no longer accessible, because\r\n"
"they have been encrypted. Perhaps you are busy looking for a way to recover\r\n"
"your files, but don't waste your time. Nobody can recover your files without\r\n"
"our decryption service.\r\n"
"\r\n"
"We guarantee that you can recover all your files safely and easily.\r\n"
"All you need to do is submit the payment and purchase the decryption key.\r\n"
"\r\n"
"Please follow the instructions:\r\n"
"\r\n"
"1.\tSend $300 worth of Bitcoin to following address:\r\n"
"\r\n",
0x432u,
&NumberOfBytesWritten,
0);
WriteFile(v3, L"1Mz7153HMuxXTuR2R1t78mGSdzaAtNbBWX\r\n\r\n", 0x4Cu, &NumberOfBytesWritten, 0);
WriteFile(
v3,
L"2.\tSend your Bitcoin wallet ID and personal installation key to e-mail ",
0x8Eu,
&NumberOfBytesWritten,
0);
WriteFile(v3, L"wowsmith123456@posteo.net.\r\n", 0x38u, &NumberOfBytesWritten, 0);
WriteFile(v3, L"\tYour personal installation key:\r\n\r\n", 0x48u, &NumberOfBytesWritten, 0);
WriteFile(v3, lpBuffer, 2 * wcslen((const unsigned __int16 *)lpBuffer), &NumberOfBytesWritten, 0);Last update 29 June 2017
