Security Blog

New Ransomware PETYA hides in application files

The IKARUS LAB discovers new Ransomware Trojans nearly every day. Among these new samples, PETYA is calling for (negative) attention.

The blackmailer apply politely and grammatically correct per e-mail to their future victims, as reported also using personalised salutation. For CV, certificates and work samples they link to a Dropbox account, as the data is “too big” to be sent via e-mail. The application dossier contains an executable that is camouflaged as self-distracting archive.


Trojan manipulates MBR

Double click activates the malware and then everything goes fast – until nothing goes any more: The master boot record is manipulated so that installed operating systems can’t boot any more. A blue screen forces the computer to restart, then data is encrypted and as a first greeting an ASCII skull is shown.

The further procedure is well-known: PETYA reports that all harddisks have been encrypted, to restore data a private key has to be bought via TOR browser and bitcoin.

PETYA Ransomware seems to aim at companies that use Microsoft Windows. We recommend recruiters and assistants should be aware of the current malware campaigns. Do not to download application files from Dropbox or other external sources!

Checklist precautions:

•    Install and update the anti-virus software, SPAM  filter, firewall and IPS as often as possible;
•    Configure SPAM and virus filter so they can block JavaScript content by non-confidential sources;
•    When possible, disable the Auto Run in JavaScript (directly in the SPAM-Filter, on the Mailserver or in the email program);
•    In doubt, delete e-mails with links or attachments by unknown senders as well as unexpected e-mails;
•    Keep your operating system, Webbrowsers, Java, Flash updated;
•    Prevent the AppData and Startup directories from running unknown executables;
•    Disable macros or use only the properly signed ones;
•    Inform yourself and your employees about current threats;
•    Keep your backup media disconnected from your PC/network.
•    Reinstall infected computer/systems


Immediate help in case of emergency

If you are already a victim, keep calm. The IKARUS Malware Emergency Response Team is available for advice and help to prevent further damage and reduce the risk!

Contact:, Tel. +43 1 58995-0



© 2019 IKARUS Security Software GmbH