I was doing some research on this as I ended up with a sample that was not reported yet at the moment of the analysis. At the moment of writing this post, the ratio of detection in VT for that sample was very low:
Taking a look to the Tor websiteAfter the host is infected, it automatically reboots. Once booted, a screen like the one below is displayed:
Here I can already see the onion URL to access the webpage to pay the 'rescue'. Only the 1st link http://petya37h5tbhyvki.onion/bL25sw was active while doing this analysis.
When accessing the webpage, the first thing I find is a captcha
Then, I am informed that my system is infected with "military grade encryption" and that I need to purchase a key to decrypt the system
The process to obtains the key and requires to identify my infected system with the unique ID, which permits to obtains the BTC wallet where they money must be sent
The web looks quite professional and even there is a support link where the victim can send a message to the threat actors:
Moreover, the copyright message across the web is quite funny
In the news section, one can read that this 'project' (as they call it) was launched the 16/12/2015
To be continued..