Recently, the 360 Internet Security Center captured a Petya imitator: ransomware that renders the victim's system unbootable by overwriting the MBR (Master Boot Record) of the computer. Its approach resembles the early Petya ransomware, but it differs from Petya in important ways.
Its intrusion and propagation methods include taking control of the domain controller, phishing email, exploitation of the EternalBlue SMB vulnerability (patched by MS17-010) and brute-force password attacks. Together these let it compromise a large number of hosts on an intranet in a short time. Each infected host is asked to pay a ransom of 0.1 bitcoin.
The ransomware drops three payload files (update.exe, update2.exe, update3.exe) on the machine. Judging from the scripts recovered so far, only update3.exe is propagated during the intrusion; the other two are not spread to further hosts.
The MBR component used in the actual attack works by writing data directly over the start of the disk, and it keeps no backup of the original sector that could later be used for recovery. After "encrypting" the MBR it calls the system shutdown command to reboot the machine; on restart the screen shows a flashing symbol together with the ransom note demanding 0.1 bitcoin.
According to 360 security experts, this crude disk overwrite partially corrupts the partition table stored in the MBR. Even once the user clears the ransom message, the computer can no longer recognize the system partition and cannot boot into the operating system normally. Because no backup of the original sector was taken, there is nothing the attacker could restore even if the ransom were paid.
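The damage described above is visible in the first sector of the disk itself: a legitimate MBR ends with the 0x55AA boot signature and carries four 16-byte partition entries at offset 446, and a disk that has been overwritten no longer satisfies those structural rules. The following checker is an added example written for this page, not 360's tooling or any code from the ransomware; all four sample sectors are constructed by hand rather than captured from an infection. It parses a raw 512-byte sector, validates the partition table, and also recognizes the protective MBR that UEFI systems keep at LBA 0 of a GPT disk (the case the protection advice below relies on), where the real partition table lives in later sectors.

```python
"""Check whether a raw MBR sector still carries a usable partition table.

Added example, not 360's tooling: the 512-byte sectors below are constructed
by hand to stand in for (a) an intact MBR-partitioned disk, (b) the protective
MBR found at LBA 0 of a GPT disk on a UEFI system, (c) a sector whose
partition table was zeroed, and (d) a sector overwritten with junk.
"""
import struct
import sys

SECTOR_SIZE = 512
PART_TABLE_OFFSET = 446          # four 16-byte entries follow the boot code
PART_ENTRY_SIZE = 16
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR
GPT_PROTECTIVE_TYPE = 0xEE       # partition type marking a GPT protective MBR


def parse_partition_entry(entry: bytes) -> dict:
    """Decode one 16-byte partition table entry (CHS fields are ignored)."""
    status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
        "<B3sB3sII", entry
    )
    return {"status": status, "type": ptype, "lba_start": lba_start, "sectors": sectors}


def check_mbr(sector: bytes) -> dict:
    """Return a report: layout, in-use partitions, problems found, and 'intact'.

    'intact' is True only when the boot signature is present and every
    partition entry passes the structural checks below.
    """
    if len(sector) != SECTOR_SIZE:
        return {"layout": "unknown", "partitions": [],
                "problems": ["sector is not 512 bytes"], "intact": False}
    problems = []
    if sector[510:512] != BOOT_SIGNATURE:
        problems.append("missing 0x55AA boot signature")

    entries = [
        parse_partition_entry(sector[PART_TABLE_OFFSET + i * PART_ENTRY_SIZE:
                                     PART_TABLE_OFFSET + (i + 1) * PART_ENTRY_SIZE])
        for i in range(4)
    ]
    used = [e for e in entries if e["type"] != 0]
    if not used:
        problems.append("no partition entries")

    for i, e in enumerate(entries):
        if e["status"] not in (0x00, 0x80):          # only inactive/active are legal
            problems.append(f"entry {i}: invalid status byte {e['status']:#04x}")
        if e["type"] != 0 and e["sectors"] == 0:
            problems.append(f"entry {i}: zero-length partition")
        if e["type"] == 0 and (e["lba_start"] or e["sectors"]):
            problems.append(f"entry {i}: empty type but non-zero LBA fields")

    if sum(1 for e in used if e["status"] == 0x80) > 1:
        problems.append("more than one active partition")

    # Overlapping ranges are a further sign the table is garbage, not a layout.
    ordered = sorted(used, key=lambda e: e["lba_start"])
    for prev, nxt in zip(ordered, ordered[1:]):
        if nxt["lba_start"] < prev["lba_start"] + prev["sectors"]:
            problems.append("overlapping partitions")
            break

    if len(used) == 1 and used[0]["type"] == GPT_PROTECTIVE_TYPE:
        layout = "gpt-protective"   # real partition table is in the GPT, LBA 1 onward
    else:
        layout = "mbr"
    return {"layout": layout, "partitions": used, "problems": problems,
            "intact": not problems}


def build_mbr(entries, boot_code: bytes = b"\x00" * 446,
              signature: bytes = BOOT_SIGNATURE) -> bytes:
    """Assemble a sector from (status, type, lba_start, sectors) tuples; test data only."""
    table = b"".join(
        struct.pack("<B3sB3sII", status, b"\x00" * 3, ptype, b"\x00" * 3, lba, n)
        for status, ptype, lba, n in entries
    )
    return boot_code + table.ljust(4 * PART_ENTRY_SIZE, b"\x00") + signature


# Constructed samples (not captured from a real infection).
INTACT_MBR = build_mbr([(0x80, 0x07, 2048, 204800), (0x00, 0x07, 206848, 20000000)])
GPT_PROTECTIVE_MBR = build_mbr([(0x00, GPT_PROTECTIVE_TYPE, 1, 0xFFFFFFFF)])
TABLE_ZEROED_MBR = INTACT_MBR[:PART_TABLE_OFFSET] + b"\x00" * 64 + BOOT_SIGNATURE
JUNK_MBR = bytes(range(256)) * 2   # whole sector replaced with non-layout data


if __name__ == "__main__":
    # Usage: python mbr_check.py [sector.bin]  (512 bytes saved from LBA 0, e.g. with dd)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            samples = {sys.argv[1]: f.read(SECTOR_SIZE)}
    else:
        samples = {"intact": INTACT_MBR, "gpt-protective": GPT_PROTECTIVE_MBR,
                   "table-zeroed": TABLE_ZEROED_MBR, "junk": JUNK_MBR}
    for name, sector in samples.items():
        report = check_mbr(sector)
        print(f"{name}: layout={report['layout']} intact={report['intact']} "
              f"partitions={len(report['partitions'])} problems={report['problems']}")
```

To run it against a real disk, save the first sector to a file (for example `dd if=/dev/sda of=sector.bin bs=512 count=1` on Linux, an assumed command line, not something the page describes) and pass the file name as the argument. A sector that fails the signature check or reports no partition entries is exactly the state the article describes: the firmware or boot loader can no longer find the system partition. Note that a GPT disk reporting `gpt-protective` here is not proven healthy; this checker only looks at LBA 0, and the GPT header and entries in the following sectors would need their own validation.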
360 Security Brain proposes the following protective measures:
1. Enterprise LAN environments are complex; administrators should pay particular attention to defending against attacks that originate inside the LAN, since this ransomware spreads from host to host once it has a foothold.
2. Patch promptly to fix system and software security vulnerabilities, in particular MS17-010, which closes the EternalBlue vulnerability this ransomware exploits.
3. Use a newer operating system where possible, since its security is higher. In particular, newer versions of Windows boot in UEFI mode by default, which makes them immune to MBR-destroying attacks to a certain extent: a UEFI system boots from the EFI system partition on a GPT disk rather than from MBR boot code, and the GPT header and partition entries live in the sectors after LBA 0 (with a backup copy at the end of the disk), so overwriting the first sector alone does not remove the partition layout the way it does on an MBR disk.
4. Users can install 360 Security Guard to intercept this kind of ransomware, and can use the 360 emergency disk to repair the partition table and restore the computer to a bootable state.