Petya ransomware leverages Dropbox and overwrites hard drives

Petya ransomware overwrites MBRs and leverages Dropbox
Petya ransomware overwrites MBRs and leverages Dropbox

Trend Micro researchers spotted a new ransomware variant dubbed Petya that is delivered to victims who believe they are linking to a resume stored on a cloud storage site like Dropbox.

Using a cloud storage site as the infection source is not new, but using the cloud storage site to promote ransomware infections appears to be a new technique, Trend Micro senior global marketing manager Jon Clay said in comments emailed to SCMagazine.com.

The ransomware overwrites the affected system's hard drive master boot record (MBR) in order to lock out users, according to a 25 March blog post. The process of overwriting the MBR of the system and putting the ransom note in the startup process of the machine makes this variant of ransomware unique.

“It makes the system unusable and will display their ransom note during bootup,” Clay said, adding researchers are also seeing new and improved graphics with the ransom notes in their attack, possibly to improve the look and feel of the popups. 

The scam starts with the attackers using phishing emails disguised to look and read like an applicant seeking a job, researchers said in the blog.

The email provides a link to, in the case studied by Trend Micro, a Dropbox storage location. The email is supposed to link to the applicant's resume, but instead the link is connected to a self-extracting executable file that unleashes a trojan into the system.

Researchers said the trojan blinds any antivirus programmes defending the computer before downloading and executing the ransomware. Trend Micro said the cyber-criminals asked for 0.99 Bitcoins to unlock the computer.

Once executed, Petya overwrites the entire hard drive MBR to prevent the victim's device from loading Windows normally or even restarting in Safe Mode. If the victim tries to reboot their computer they will be greeted by an ASCII skull and given an ultimatum to pay the ransom or have the files deleted.

Trend Micro has informed Dropbox about the malicious files hosted on their service. These have reportedly been removed along with other related files.

Clay said users can avoid infection by improving their email security and implementing messaging solutions that employ advanced detection features specific to phishing and socially engineered emails.

Tim O'Brien director of threat research at the cloud infrastructure firm Palerra said in comments emailed to SCMagazine.com that “end user awareness and training regarding the screening of emails and downloading files is the first line of defence” to prevent infection.