What is Petya?
This ransomware is a variant of an older attack, dubbed “Petya,” except this time the attack uses EternalBlue to target Windows systems, the same exploit behind the infamous WannaCry attack. While this variant appears to be an upgraded version of Petya, there is no confirmation that this attack is from the same author. It differs from typical ransomware in that it doesn’t just encrypt files; it also overwrites and encrypts the master boot record (MBR).
In this latest attack, a ransom note is displayed on infected machines, demanding that $300 in bitcoins be paid to recover files.
What you should do:
As always, you are the last line of defense. Especially when large-scale outbreaks like Petya are occurring, you should try to be extra vigilant in how you carry out your day-to-day work.
- Verify who is sending you email
- Be suspicious of emails that don’t look quite right
- If there is a question, don’t open email attachments or click suspicious links
- Immediately report any potential breaches and suspicious activity
- Don’t visit questionable websites
What to do if you think you’re infected:
If your computer suddenly reboots into a screen that says it’s doing a CHKDSK (hard disk scan), immediately press and hold the power button to turn the system off and call Decypher’s team at 970.373.5428 so a ticket can be opened. Doing this will potentially prevent the data on your system from being permanently encrypted and unrecoverable.
What Decypher is doing:
- Decypher has been patching systems to protect against the vulnerability “EternalBlue,” which is the mechanism used by WannaCry and Petya
- Decypher customers were updated with virus definitions that help protect from Petya at roughly 3:00 a.m. MST 6/27/2017
- Decypher is deploying specially modified files onto systems which reportedly help vaccinate against the malware
- In some cases, Decypher is disabling certain unneeded features of the Windows OS, which will prevent infection
What does Petya do?
Once the machine is infected, the computer immediately restarts into what looks like a ‘chkdsk’ but isn’t. The machine’s files are encrypted during this fake chkdsk stage. The ransomware doesn’t encrypt the entirety of the files with matching extensions, but instead encrypts up to the first megabyte of data. This is presumably done to save time during the encryption process, while still encrypting enough of each file that it is unlikely to be restored without paying the ransom.
There is no way for a victim to retrieve their files other than to email the cybercriminal after paying to the bitcoin address listed in the ransom note. In fact, the email address listed in the ransom note has, as of now, been shut down by the email provider. Essentially, this means victims are unable to get their files back, even after paying the ransom, as the payload author is now prevented from checking this email.
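For responders sorting through files after an incident, the Python example below is a triage check for the first-megabyte encryption described in this section: it compares the byte entropy of a file's first megabyte with the data that follows it. It is an added example, not Decypher's code or part of the original advisory; the thresholds, function names and sample files are assumptions constructed for the illustration.

```python
import math
import os
import tempfile
from collections import Counter

HEAD = 1024 * 1024          # the advisory says up to the first megabyte is encrypted
HIGH, GAP = 7.5, 1.5        # assumed thresholds (bits/byte); tune on your own data

def entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def triage(path: str) -> str:
    """Classify one file by comparing its first MiB with what follows."""
    with open(path, "rb") as f:
        head = f.read(HEAD)
        tail = f.read(HEAD)     # next MiB (or less) as the comparison sample
    h_head, h_tail = entropy(head), entropy(tail)
    if h_head < HIGH:
        return "ok"
    if not tail:
        # File fits inside the first MiB: no tail to compare, check by hand.
        return "review"
    # A random-looking head followed by structured data fits the description.
    return "suspect" if h_head - h_tail >= GAP else "review"

def make_samples(directory: str) -> dict:
    """Write constructed sample files and return {name: path}."""
    text = b"quarterly report line 0123456789\n" * 70000   # ~2.3 MB, low entropy
    samples = {
        "clean.txt": text,
        "partial.txt": os.urandom(HEAD) + text[HEAD:],      # head overwritten
        "small.bin": os.urandom(4096),                      # shorter than HEAD
        "archive.bin": os.urandom(2 * HEAD),                # stands in for a zip
    }
    paths = {}
    for name, data in samples.items():
        paths[name] = os.path.join(directory, name)
        with open(paths[name], "wb") as f:
            f.write(data)
    return paths

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, path in make_samples(d).items():
            print(f"{name:12} {triage(path)}")
```

A "review" result is not a verdict: compressed and legitimately encrypted formats are high entropy throughout, so those files need a manual check.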
How does Petya spread and infect computers?
One of the methods Petya uses to propagate itself is by exploiting the MS17-010 vulnerability, also known as EternalBlue.
Who is impacted?
At the time of writing, Petya is primarily impacting organizations in Europe.
Is this a targeted attack?
It’s unclear at this time; however, previous strains of Petya have been used in targeted attacks against organizations.
If you have any questions about this attack or security in general, please reach out to us at 970.373.5428.