Trojan.Ransom.Petya (Petya 2.0 2016 Ransomware, flashing lights warning)
- added 26 June 2017
hopefully my explanation of how it spreads/works is accurate, but everything with it is pretty new so i might be wrong.
links for some good reading on the topic:
blog.malwarebytes.com/threat-...
blog.kryptoslogic.com/malware...
www.malwaretech.com/2017/06/p...
Special thanks to the following patrons for their support! I really appreciate it!
crymera
Mister Sparkly
John Kizer
Numou Impfox
Jacob W.
Joshua Mack
Thomas H Khoury
squigly-kip
Sleepy Owl
BluePolarBearz
Alice J
Blaise
CutePikachu
Renaud Bedard
My mistake - this is actually the 2.0 version of Petya from 2016, and not the network spreading variant that hit Europe and other parts of the world yesterday. I'll try to have a new video up tonight if I can find the *correct* sample, maybe I'll even LAN a few computers together and let it go to town.
thanks to everyone who let me know about this!
danooct1 thanks
if you find the new sample, please showcase the spreading
Tanasije Tasa you need to disable smb and stop the winmgmt service
danooct1 will you be using the same variant (red) or are you going to use the yellow or green?
Is this new?
Now I know what to get if my neighbor is stealing my wifi
A WPA2-ready router, I hope!
I wanna cry right now
DJMAN These viral puns need to stop spreading.
good
BlockBuilder57 good
please go away forever thanks
BlockBuilder57 nah I'm good
Fucking hell, this one is actually legitimately TERRIFYING, and not just because of the "screamer" (more of a flasher).
Can't really explain why, it just seems so...
Maybe because it uses the BIOS text, rather than opening a new window with the demand. This also means it doesn't actually boot to Windows, so you have to use another computer in order to get the key.
So anyone with only a single computer to their name is pretty well screwed unless they're willing to not only shell out the money for the ransomware, but also for an entirely new computer just to download Tor and *get* to that point in the first place. Really it'd just be cheaper to only get the new computer.
I wonder if there really is a key to restore the computer though, it may well be a scam
LegoLad659 Good to see that I'm not the only one who's kinda scared by these things.
didn't they change the name to Jumpscare?
WCry wasn't all that scary cause it was just an ugly pop up with broken English instructions that were bogus. This one actually locks you out of the system and essentially turns your computer into a glorified note pad
Well, the skull is pretty dope.
DevilsAvocado it gave me a seizure
NICE ASCII DRAW .RIGHT !!
I now realize how much of a blessing it is that I have nothing on my computer that I really need.
This is the "red" variant of Petya which can be decrypted due to vulnerabilities in the encryption itself. The new(ish?) green one has it fixed and there's no cure.
Mikel Mendioroz I can decrypt all versions in 2 mins.
xAffan
Proof or it’s BS.
and xAffan gave no proof
@@xAffan Proof.
@@Cloud_Strife1997 for everyone asking for proof, Petya has been decrypted by malware bytes lab so yeah
Read the title as Peta at first and was like "Oh boy"
we gonna get a rodeo with this one
XD
a Peta Ransomware may encrypt your dog
AAAAAAAAAAAA
Fun fact: peta is map in Indonesian lol
- requires e-mail to get the key to unlock the files
- blocks *entire computer* which makes using e-mail obviously impossible.
logic so much.
@50 SUBS WITHOUT A VIDEO? yeah I don't think that will go well if you did it on your phone
10/10 logic amirite
Cool thing is that it does have a decryption key. I am not telling cuz
1. I don't know it, someone actually typed the decryption key in and it restored everything but I forgot it
2. The key is subject to change every now and then.
Everyone here had a soybot reddit moment r/soyboy r/openmouth
The logic, that's who has enough money to pay, also has another device
One of the few CZcams notifications i'll check out right away
This is how everyone imagined malware
Person1: oh hey what’s your dog’s name?
Person2: ransomware.
P1: How about you Petya ransomware?
P2: *intense pupper petting*
good joke
haha i didn't realize that's what it sounds like
I've seen this ransomware on the Russian channel. The worst part is that Russian systems were encrypted, but channels focus on the fact that Ukrainian systems were encrypted as well. And most channels proudly announce that the ransomware's name is the name of Ukrainian president Pyotr (Petya) Poroshenko. I hate this politician crap.
Our channels state that our country suffered the most. Also it is seemingly implied the virus originates from your country (although the name is equally popular in both countries).
Turtles Rock yes Greece is a country
@@isaacmoraesdornelasdesouza3314 what's a Greece?
@[screams in Russian]
i think it's that stuff thats leftover on a frying pan if bacon is cooked
[this reply is a joke]
@@KawaiianArgument Exotic Butters. Exotic Butters. Exotic Butters.
Hey, just wanted to say that I love these virus videos you make! in the last week I've been binge watching a ton of em, so I hope I've made you that sweet ad money so you can continue doing this awesome stuff!
(*insert floppy drive seek test here*)
Kinda hard to have sympathy for companies when wannacry just happened and they don't learn from mistakes. Just sucks that hospitals can be affected by this and put people's lives at risk
Thanks for keeping my PC safe with your knowledge! Glad to have a youtuber like you
im so glad i turned on notifications for this channel omg this is the earliest ive been ? great video !!
GOT YOUR COMPUTER, GIMME YA MONEY, FUCCBOI!
「Big Ol' Bear」 Trojan.ransom.fuccboi
ReHeated "Batch" *throws up*
*Reinstalls windows with all saved stuff backed up*
No u
Boii yeeet
Did you happen to test the supposed killswitch for Petya? In which you would create an extension-less "perfc" file and place it in C:\Windows?
I don't know why but I really like how your videos end with the captions just saying [Chiptune] at the end.
This is nice to think about.
"Do we want to make changes. You bet we do."
danooct1 - June 27, 2017, or October 24, 2016, at 12:24 pm.
"We'll run this dropper which will infect our pc, search for more computers to infect and ultimately crash the system so the new bootloader can take hold and decrypt your drive. So let's run it!"
Dan. Dan never changes.
friend: where is petya ur girlfriend
me:she ransomware
Your girlfriend is named Pyotr?
@@stereocomponent and u lesbian
Why is gay and lesbian an insult
this pun is so underrated
@Badger Drawz Not sure why you felt the need to bring incels into that, or is it just another buzzword you like to fling around?
This is so Dan stuff!
Jealous
Aurα вírdч i mean if you into that shit but its pretty gay tbh
Aurα вírdч Not a programmer but you love 'coding' hm
Petya is bad.
Don't be like Petya.
I am not Russian.
He said "Petya is bad. Don't be like Petya."
OK
I'm Petya btw
Misha and Petya summoned Satan in the morning.
That flashing skull is, like, specifically designed to cause seizures oh my gosh. Thanks for putting the flash warning!
hey Dan, nice double upload
I didn't know another attack happened till you uploaded this video. Thank you for showing us. This one spread very fast and it wasn't too long ago that we had the Wannacry attack. Sadly like people say... This won't be the last we see of ransomware. They will always be made to find new exploits and still demand money. Viruses just keep getting scarier and scarier.
It's fantastic how a 226KB file can do all of this so fast.
*- Computer?*
*Computer machine broke.-*
*-Understandable have a great day.*
D Mack GREAT DAY*
D Mack MY COM🅱️UTER IS greaaaaaaat. Have a nice day 🅱️eter
Petya: encrypts the system
Victim: re-installs the system
Petya creator: You are not supposed to do that
Victim: This Is what i call a "pro gamer move"
👽👌
you still lose your data if you haven't backed it up externally
Data has left the chat
What if deepfreeze was on?
wouldn't you need to fix the MBR since it got destroyed from petya
Jesus ;_; I'll be keeping an eye on my system's network for a while now...
ZeroVoiden Alex it is like the Virus you always feared
Whenever I see freaky viruses like this where they genuinely scare me and make me fear for my sanity and machine, I think I might have a bad case of cyberphobia which sounds silly since I love electronics, guess they need a new name for computer viruses :/ Keep your machines properly protected folks!
DarkStarAngelo Not sure it'd be a phobia as that is generally an exaggerated fear (at least as I see it) Viruses and stuff are things that are legitimately scary. Luckily a lot of them can be avoided.
I guess you could say I am terrified of them. I keep my PC locked up as tight as possible but if even the smallest bug makes its way through, I start to freak out and wonder how it got in. But I manage to compose myself and get rid of the threat asap!
I'm here for Victor Montoya, thanks you for this video dude :D
Nice video, Dan.
I looked up one of the bitcoin addresses I saw in a screenshot of this ransomware, and people have sent almost $9,000 to it so far. I wonder how many addresses there are besides that one.
Gee, that scary encryption message must have been encrypted with Google Translate grade translation algorithm.
Nice, Petya is back.
saw this thing at russian news channel yesterday
Drunkycat I heard this virus actually comes from Russia
Randomizer Petya is a Russian name. That's quite obvious.
ESET company said that virus began to spread from Ukraine.
He's a Petya Bukalo, a guy from Ukraine, he said to everyone "ДА ИДИ ТЫ НА!" - "GO TO HELL!", even to his teacher. Watch "Ростян" channel for more information.
hi
Thanks for video presenting this ransomware.
I love the ending song
gasp, new video
Just to elaborate, a "network" constitutes computers that are linked together and can access each other's files and whatnot and _not_ computers that are simply connected to the same router, right?
Smedis2 A router acts as a local network, so yes, the virus will spread to anything using the same router
"Happy, happy Halloween, Halloween, Halloween!/ Happy, happy Halloween, Silver Shamrock!"
keep it up Dan!!!
The pirates have hijacked my pc!!! Damn!.
What's the ending song from? I want it as my ringtone. But as the chiptune version.
Thanks Daniel! Now all your subs know what this ransomware looks like! And... they don't need to try to install this ransomware to see what it looks like.
(sorry if my English is awful, I'm French)
:!: Dan3A :!:, this was the older version though. He'll test the other one later.
The decryption key may be stored in the boot sector itself, and it's looking for the end-user to type that key in. Maybe infect a physical computer, pull the drive, put it in another computer and use a hex editor to see if you could maybe pull the decryption key from the boot sector?
These Chinese subtitles, excited!
That one guy who's willing to sacrifice a couple of virtual machines just to let us know how such evil programs work....
Great job, buddy.
So my mom's computer had what was probably a Petya variant. I shut it down during chkdsk. After realizing her hard drive was fine (ie hadn't actually failed and wasn't a real chkdsk), I brought it to a reputable IT guy the next town over (since none are near me). It took him 3 days and my mom's computer getting reinfected along with his computers but he fixed it! I think he got unlimited data (a good data connection is rare up here cuz I'm out in the boonies of northeastern MN) and turned his phone into a mobile hotspot. As long as I live in the area, he has my business at least. Thanks techbytes!
I turned on my PC this morning and my monitor was flashing colors and my heart was pounding.
But it was only my left monitor and it proceeded to boot normally.
Give me a download link of that
This is a WinRAR Extractor looking at the icon, you should try opening the file through WinRAR and see what it extracts
Damian9303 I wouldn't be surprised it if was only given that icon in an attempt to fool people.
Damian9303 It's a disguised executable, not a WinRAR extractor...
Kyoshiro Tasya Executables can be extracted into sections like .rsrc, .text etc...
1:58 My uncle was watching this with me and started breakdancing, he has some kickass moves.
Sounds like... "this is Petya! Run somewhere! Quick!"
this is why it's a good idea to back up your system and anything important just in case.
Exactly.
Good vid Dan
Out of curiosity, at 1:20 when you say it's possible to recover your PC with a live CD how do you?
TekWarfare No it isn't.
OH YEAH NEW DAN VIDEO
Why's that the video stops playing when I'm logged on, and plays perfectly while anonymous?
You are a villain of all malwares!
*"I've pet your master file!"*
Would this be able to spread through a Tunngle LAN network?
dancoot1 do you have any websites where I can get hold of some of the malware you have
Oh man, imagine this on a college intranet.
can i use this video for a school project that i will be doing?
Yes to do it!!!
This hit my school
Clicks on video.
*Likes*
Continues to watch 😀
The skull screen looks like the "Apple" virus for DOS.
ASCII
But what if you go in the websites that the EncryptedScreen says in step 2???
The skull looks pretty neat, I'm not gonna lie.
Now that's a plus to living in a countryside!
i have a question, i have a few old computers of mine and my parents' with personal data that have been infected by ransomware and i was wondering
if you have or know where to find tools to get those files back
Depends on the ransomware and encryption algorithm
I'm Russian, sitting here holding back laughter at the pronunciation "petyua"))))
This is a 2015 version, there is a decryptor for it.
What is it with ransomware and bad spelling?
@@HiddenButcher It was made in Russia to attack Ukrainian computers.
Russians. They can barely speak english too so lol.
I think I have seen this already, DiskKiller!
im in the patrons!
Me watching this at 1 A.M.: Oooh interesting
My eyes: Please just end my suffering already
MVP: User Account Control.
Ransomware with creativity? That's a new one.
Stuff like this keeps getting released.. makes me a bit worried. What sort of places would this virus come from? I want to know what to avoid.
payday121 Mostly as a file attachment from e-mail (pdf, M$ Office file with macro) or from an infected network.
And as danooct has shown, .exe's disguised as .zip files.
lol from the point of view of Russian or Ukrainian, you actually pronounce "Petya" wrong but soo cutely :)
What's the outer music called it's kind of calming
Can confirm germany is down with the new one now. Love how the providers say its a technical issue though.
hi notification squad
i only came here because it was danooct1
And now we must thanks NSA to create the tool for recently ransomware use
(sorry if my eng suck)
Hưng Kềnh *And now we must thank the NSA for creating the tool for recent ransomware usage.
You were still understandable though! :D
and that's why you always want to have a power supply with a switch on it
“...so a new bootloader can take hold and encrypt your drive, *_SO LET’S RUN IT!_*
Hey Dan, this one was hitting Germany over a year ago. March 2016 to be precise. In April a free decryption tool was released, here is a HowTo showing that: Aa-60SFbz0s
But unfortunately the sites used in that video are down nowadays.
Anyways, there has been a decryption - hope that helps ;-)
Okay.. found out myself. This is petya 2.0
olpqay The sites are taken down but i have a separate decrypter.
Just saying, I did a report on computer malware in high school a year ago and that was one of the ransomwares I covered. Very sad it only now makes headlines.
It is March 2016 version. Current virus is completely different.
Now I'm scared to turn on my computer...
Wait, wouldn't replacing the bootloader make the computer fail secure boot? (on modern machines) Or does this ransomware have a separate payload for that setup?
Super Smash Dolls no I don't think so
@Danooct1 have you ever had an accidental infection?
Can we run it inside a VM which is inside another VM just to be on a safe side