"This is an unusual piece of malware which rewrites the MBR (Master Boot Record – a special boot sector which contains a loader for the installed operating system, as well as information on how the partitions on a computer’s hard drive are organized) and prevents the system from booting up. Furthermore, it encrypts the MFT (Master File Table) – the ‘header’ for all of the files contained on a hard drive, roughly speaking," Sinitsyn explained.
He also added that there are no clues in the malware's code that point to the authors’ possible identity. However, the web page to which 'Petya' directs its victims to pay the ransom contains the following message in the 'Support' section: "Please write your message in English, our Russian speaking staff is not always available."
Sinitsyn said that it is safe to assume that at least one member of the criminal gang behind the malware speaks Russian.
He also added that after a computer gets infected by the encryption virus, it is usually too late to do anything about it.
"The best defense is to regularly create reserve copies of all your important data and keep them on a removable storage device disconnected from the computer. Still, if a computer gets infected by the 'Petya ransomware' and there are no reserve copies, there’s still an option to use some data recovery software. It is possible, because it’s the MFT (the 'header') that gets encrypted while the files themselves remain untouched. But such a procedure needs to be dealt with by professionals," Sinitsyn said.
Kaspersky Lab also reported that it has managed to successfully detect and prevent a ‘Petya ransomware’ infection on at least 128 German users’ computers.
