Petya is a malicious form of ransomware that targets Microsoft Windows-based computers. It is part of a family of hazardous malware that can encrypt the master boot record and hard drive, preventing your computer from booting up. To unlock the data, you must pay a ransom fee to the attacker for the encryption key or find alternative methods to restore your files.
What is Petya Ransomware?
Petya is a ransomware threat that targets Windows PCs regardless of where they are located; it has affected systems across the globe. Petya primarily infects the master boot record and encrypts data on the hard drive of an infected PC, which can prevent the system from booting and effectively turns it into a useless piece of equipment. To unlock the data, affected users must pay a ransom to the crooks in charge in exchange for a decryption key.
How Does Petya Work?
Besides the master boot record (MBR), which is responsible for loading the operating system, Petya ransomware also affects the master file table (MFT), the index that records every single file on a drive. After installation, the computer is forced to restart, and the ransomware displays its ransom note, preventing access to any files. To spread within local networks, Petya uses remote code execution through PSEXEC.exe and WMIC.exe as well as the EternalBlue exploit. To obtain usernames and passwords, it includes a customized version of Mimikatz, a penetration testing tool. Best practices for protecting against Petya include securing the use of system administration utilities such as PowerShell.
Petya is known to aggressively exploit a user's gullibility to gain computer access. It requires the user to open a malicious email, download and open the attachment, and then grant it administrative-level permission to alter the Windows operating system. Once Petya has been granted these privileges, it encrypts the MBR or MFT and displays a ransom message on the victim's computer. To prevent infection from Petya and other malware, users should be careful when granting administrative privileges, be skeptical of emails with links or attachments, update their software regularly, use an anti-malware tool, avoid clicking internet ads, and back up their files regularly.
What is the Difference Between Petya and NotPetya?
NotPetya is a type of ransomware that uses the EternalBlue Windows exploit to spread rapidly within a network, potentially infecting an entire organization within hours. Unlike other ransomware, NotPetya permanently encrypts any computer it touches, making the damage impossible to undo even if the ransom is paid. It is believed that the 2017 attack was not a ransom attempt but a cyberattack intended to disrupt and damage targeted systems in Ukraine. Although the EternalBlue vulnerability has been patched, it is still important to update software regularly to avoid this type of malware. NotPetya shares code with an older piece of ransomware called Petya, but security researchers have noticed that the resemblance is only skin deep.
What is the Difference Between WannaCry and Petya?
The well-known ransomware attacks of 2017, which included WannaCry and Petya/NotPetya, were two of the decade's most destructive and disruptive cyberattacks. Both relied on the same EternalBlue exploit, targeting a vulnerability that has since been patched, to infect users. However, the two attacks differed in execution: WannaCry behaved like conventional ransomware, while Petya/NotPetya proved much more adept at resisting containment attempts. Beyond the shared EternalBlue exploit, NotPetya had one crucial difference from WannaCry: it was impossible to undo the encryption it caused, even if the ransom was paid. This led many experts to conclude that NotPetya was not a ransom attempt but a state-sponsored cyberattack intended to cause damage and disruption. Fortunately, the EternalBlue exploit has since been patched, so users are unlikely to commonly encounter this strain of malware as long as they keep their software up to date.
How to Prevent Petya Ransomware Infection?
Petya encrypts the MFT and can take a computer offline. To prevent infection, it is crucial to be cautious when opening emails and to not give administrative privileges to any software that is not known to be legitimate.
If a computer is known to be infected with Petya ransomware, the most effective response is to power it down before the ransomware completes its reboot, then reformat the hard drive and restore files from a backup. Paying the ransom is not recommended because it is risky, and cybercriminals may abscond with the payment. Petya differs from other ransomware in that it encrypts the entire hard drive rather than just personal files like documents or photos. As such, users must take precautions to protect their data and systems from Petya attacks. This includes regularly backing up essential data, keeping antivirus software up to date, and avoiding suspicious emails or websites.
Protect yourself from Petya and other ransomware attacks by following these best practices:
- Limit administrative privileges - only give them if you're sure the software is legitimate and necessary.
- Be wary of emails with links or attachments, and never click on suspicious ads.
- Install software updates as soon as they become available.
- Use reliable anti-malware software.
- Regularly back up your files to a cloud service or physical drive, then disconnect from the backup to prevent malware from affecting it.
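A backup is only worth the disconnecting if it is still intact when you need it, so the restore step the article describes should start by checking the copy against a record made at backup time. The following is an added example, not code from the original article: it builds a SHA-256 manifest of a directory, stores it alongside the copy, and later reports files that are missing or altered. All paths, file names and contents are constructed in a temporary directory for the demonstration.

```python
"""
Added example, not from the original article: build a SHA-256 manifest of a
directory and later verify a backup copy against it, so a restore is only
attempted from a copy whose files still match what was backed up.
"""
import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map each file's path (relative to root, POSIX-style) to its SHA-256 digest."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def verify_backup(backup_root, manifest):
    """Compare a backup tree with a manifest; report what is missing or altered."""
    backup_root = Path(backup_root)
    missing, altered = [], []
    for rel, digest in manifest.items():
        p = backup_root / rel
        if not p.is_file():
            missing.append(rel)
        elif sha256_file(p) != digest:
            altered.append(rel)
    return {"ok": not missing and not altered, "missing": missing, "altered": altered}


def demo():
    """Constructed scenario: a clean backup verifies, a damaged one does not."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "documents")
        src.mkdir()
        (src / "report.docx").write_bytes(b"quarterly report")          # constructed content
        (src / "photos").mkdir()
        (src / "photos" / "cat.jpg").write_bytes(b"\xff\xd8 not a real jpeg")  # constructed content
        manifest = build_manifest(src)
        # Copy the tree and store the manifest next to it; in practice the
        # copy is then disconnected, as the article advises.
        backup = Path(tmp, "backup")
        shutil.copytree(src, backup)
        Path(tmp, "manifest.json").write_text(json.dumps(manifest, indent=2))
        clean = verify_backup(backup, manifest)
        # Simulate damage to the copy: one file overwritten, one removed.
        (backup / "report.docx").write_bytes(b"unreadable garbage")
        (backup / "photos" / "cat.jpg").unlink()
        damaged = verify_backup(backup, manifest)
        return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("clean copy:", clean)
    print("damaged copy:", damaged)
```

Keep the manifest with the offline copy rather than on the machine being backed up, since anything the ransomware can reach can also be rewritten to match.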
Most conventional ransomware strains can be removed with anti-malware tools if you get infected. However, Petya is more complex as it encrypts the MFT, preventing your computer from loading its operating system (OS). To avoid this, you can shut down your computer before Petya completes the reboot. If you see the red skull & crossbones screen, it's too late, and your MFT has already been encrypted.
Wiper or Ransomware?
Petya is a ransomware and wiper threat that encrypts specific file types in user mode and overwrites the affected system's hard disk. It displays a ransom note to the user with an "installation key" randomly generated and unrelated to the Salsa20 key used for disk encryption, making it impossible to decrypt the disk.
Does Petya Have a Kill Switch?
Petya does not have a kill switch like WannaCry's, but it checks for a specific file on the infected system that the ransomware itself creates. It uses a modified PsExec program embedded in the ransomware and renamed DLLHOST.DAT to encrypt data. Ideally, a kill switch would stop the malware before it prevents the computer from loading its operating system and makes everything on the hard drive inaccessible.
What Does PsExec Have to Do With Petya?
Petya uses PsExec and rundll32, two legitimate Windows executables, to access remote machines and spread the malicious payload. Although the ransomware appears sophisticated, its payment mechanism was amateurish, suggesting that it was not created by sophisticated cybercriminals. Every victim was asked to pay the ransom to the same Bitcoin address and to communicate with the attackers through a single email address, which the email provider suspended. Security experts have advised users and IT/system administrators to protect themselves against such attacks by, for example, whitelisting specific executables and avoiding suspicious emails.
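The sections "How Does Petya Work?" and this one name the legitimate tooling the malware rides on (PsExec, including a copy renamed DLLHOST.DAT, rundll32 and WMIC.exe), which is exactly what a defender can look for in process-creation telemetry. The following is an added example, not code from the original article or from any product: it parses a handful of constructed process-creation events and flags the patterns the article describes. The simplified key=value event layout, its field names, the host and user names and the placeholder file name payload.dat are all assumptions made for the demonstration.

```python
"""
Added example, not code from the original article: a small detector for the
lateral-movement tooling the article attributes to Petya/NotPetya (a renamed
PsExec copy, rundll32 loading a .dat payload, WMIC remote process creation).
Event format, field names and sample lines are constructed assumptions.
"""
import re

# Constructed process-creation events in a simplified Sysmon-like
# "key=value" layout (values containing spaces are double-quoted).
# DLLHOST.DAT, PsExec, rundll32 and WMIC come from the article;
# payload.dat and the host/user names are placeholders.
SAMPLE_EVENTS = r"""
host=WS01 user=CORP\alice parent=explorer.exe image=C:\Windows\System32\notepad.exe cmd="notepad.exe notes.txt"
host=WS01 user=SYSTEM parent=services.exe image=C:\Windows\dllhost.dat cmd="C:\Windows\dllhost.dat \\WS02 -s rundll32.exe C:\Windows\payload.dat,#1 60"
host=WS02 user=SYSTEM parent=psexesvc.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe C:\Windows\payload.dat,#1 60"
host=WS01 user=CORP\alice parent=cmd.exe image=C:\Windows\System32\wbem\wmic.exe cmd="wmic.exe /node:WS03 /user:CORP\alice process call create rundll32.exe C:\Windows\payload.dat,#1 60"
host=WS04 user=CORP\bob parent=explorer.exe image=C:\Windows\System32\rundll32.exe cmd="rundll32.exe shell32.dll,Control_RunDLL"
"""

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PSEXEC_NAMES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# rundll32 told to load a .dat file by export ordinal (e.g. "x.dat,#1").
RUNDLL32_DAT = re.compile(r"rundll32(?:\.exe)?\s+\S+\.dat\s*,\s*#\d+", re.I)
# WMIC creating a process on another machine.
WMIC_REMOTE = re.compile(r"/node:\S+.*\bprocess\s+call\s+create\b", re.I)
UNC_TARGET = re.compile(r"\\\\[\w.-]+")  # a \\HOST style remote target


def parse_event(line):
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {key: quoted or bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path):
    """Lower-cased final component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(event):
    """Return the names of the rules an event triggers (empty when benign)."""
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent", ""))
    cmd = event.get("cmd", "")
    findings = []
    # A running image with a data-file extension is anomalous on its own;
    # the article notes Petya's renamed PsExec copy runs as DLLHOST.DAT.
    if image.endswith(".dat"):
        findings.append("executable-with-data-extension")
    # PsExec itself, its service-side helper as the parent, or a .dat
    # "executable" aimed at a \\HOST target.
    if image in PSEXEC_NAMES or parent in PSEXEC_NAMES or (
        image.endswith(".dat") and UNC_TARGET.search(cmd)
    ):
        findings.append("psexec-style-remote-exec")
    if image == "rundll32.exe" and RUNDLL32_DAT.search(cmd):
        findings.append("rundll32-dat-payload")
    if image == "wmic.exe" and WMIC_REMOTE.search(cmd):
        findings.append("wmic-remote-process-create")
    return findings


def scan(text):
    """Parse every non-empty line and return the events that triggered rules."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        findings = classify(event)
        if findings:
            hits.append({"host": event.get("host"), "image": event.get("image"),
                         "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print(f'{hit["host"]}: {hit["image"]} -> {", ".join(hit["findings"])}')
```

The benign rundll32 line (loading shell32.dll) produces no finding, which is the point of keying on the .dat extension and the remote-target syntax rather than on rundll32 or WMIC alone: those binaries are used constantly by legitimate administration, so the rules need the combination, not the tool name.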
Who Is Affected?
NotPetya has caused havoc for organizations in multiple sectors, including finance, transportation, energy, commercial facilities, and healthcare. Microsoft Windows operating systems are particularly vulnerable to this malware if they have not been patched for the vulnerabilities addressed by MS17-010, including CVE-2017-0144 and CVE-2017-0145, or if they are connected to the network of an affected organization. The aftermath of infection can be severe, leading to the loss of sensitive data, disruption of normal operations, financial losses associated with restoring files and systems, and damage to an organization's reputation.
If you are ever unsure whether your system is protected, the best actions to take are to run an anti-malware application and to ensure that you have backed up your system using a safe and secure backup method.