Trend Micro researchers spotted a new Petya ransomware variant that is delivered to victims who believe they are linking to a resume stored on a cloud storage site like Dropbox, but instead are hit with malware that locks up their computer.
Using a cloud storage site as the infection source is not new, but using the cloud storage site to promote ransomware infections appears to be a new technique, Trend Micro Senior Global Marketing Manager Jon Clay said in comments emailed to SCMagazine.com.
The ransomware overwrites the affected system’s hard drive master boot record (MBR) in order to lock out users, according to a Mar. 25 blog post. The process of overwriting the MBR of the system and putting the ransom note in the startup process of the machine makes this variant of ransomware unique.
“It makes the system unusable and will display their ransom note during bootup,” Clay said, adding researchers are also seeing new and improved graphics with the ransom notes in their attack, possibly to improve the look and feel of the popups.
The scam starts with the attackers using phishing emails disguised to look and read like an applicant seeking a job, researchers said in the blog.
The email provides a link to, in the case studied by Trend Micro, a Dropbox storage location. The email is supposed to link to the applicant’s resume, but instead the link is connected to a self-extracting executable file that unleashes a trojan into the system.
Researchers said the trojan blinds any antivirus programs defending the computer before downloading and executing the ransomware.Trend Micro said the cybercriminals asked for 0.99 Bitcoins to unlock the computer.
Once executed, Petya overwrites the entire hard drive MBR to prevent the victim’s device from loading Windows normally or even restarting in Safe Mode. If the victim tries to reboot their computer they will be greeted by an ASCII skull and given an ultimatum to pay the ransom or have the files deleted.
Trend Micro has informed Dropbox about the malicious files hosted on their service.
A Dropbox spokesperson told SCMagazine.com via emailed comments that their team investigated the the incident and has since removed the links.
Clay said users can avoid infection by improving their email security and implementing messaging solutions that employ advanced detection features specific to phishing and socially engineered emails.
“We take any indication of abuse of the Dropbox platform very seriously and have a dedicated team that works around the clock to monitor and prevent misuse of Dropbox,” the spokesperson said. “Although this attack didn’t involve any compromise of Dropbox security, we have investigated and have put procedures in place to proactively shut down rogue activity like this as soon as it happens.”
Tim O’Brien director of threat research at the cloud security automation firm Palerra said in comments emailed to SCMagazine.com that “end user awareness and training regarding the screening of emails and downloading files is the first line of defense” to prevent infection.
UPDATE: This story has been updated to include comments from Dropbox.