Who created Petya? The Petya virus: what it is and where it came from

Good afternoon, friends. Not long ago we analyzed the WannaCry ransomware, which within hours spread to many countries and infected many computers. At the end of June a new, similar virus appeared: "Petya".

These viruses are both ransomware Trojans and are quite similar, although there are also differences between them, and significant ones. According to official data, "Petya" first infected a considerable number of computers in Ukraine and then began its journey around the world.

Computers in Israel, Serbia, Romania, Italy, Hungary, Poland and other countries were affected. Russia is in 14th place on this list. The virus then spread to other continents.

The victims were mainly large companies (quite often oil companies), airports, mobile operators and so on; Bashneft, Rosneft, Mars, Nestle and others suffered, for example. In other words, the attackers target large companies from which money can be extracted.

What is "Petya"?

Petya is malware, specifically a ransomware Trojan. Such programs are created to blackmail the owners of infected computers by encrypting the information stored on the PC. Unlike WannaCry, the Petya virus does not encrypt individual files: this Trojan encrypts the entire disk. This makes it more dangerous than the WannaCry virus.

When Petya gets onto a computer, it very quickly encrypts the MFT (master file table). An analogy makes this clearer: if you compare your files to a large city library, the virus removes the library's catalog, after which it is very difficult to find the right book.

It does not just remove the catalog; it also, in a sense, shuffles the pages (files) of different books. Naturally, the system fails in this case, and it is very hard to make sense of anything in such a mess. As soon as the malware gets onto the computer, it reboots the PC, and after the restart a red skull appears. Then, when you press any key, a banner appears demanding a payment of $300 to a Bitcoin account.

Petya virus: how not to catch it

Who could have created Petya? There is no answer to this question yet, and it is not clear whether the author will ever be identified (most likely not). But it is known that the leak came from the United States. Like WannaCry, the virus looks for a hole in the operating system. To patch this hole, it is enough to install the MS17-010 update (released a few months ago during the WannaCry attack). You can download it from the link or from the official Microsoft website.

At the moment, this update is the best way to protect your computer. Also, do not forget about a good antivirus. Kaspersky Lab, for one, has stated that it has a database update that blocks this virus.

This does not mean, however, that you have to install Kaspersky. Use your own antivirus, but do not forget to update its databases. And do not forget a good firewall.

How the Petya virus spreads


Most often, Petya gets onto a computer through e-mail. So while the Petya virus is spreading, do not open links in e-mails, especially e-mails from unfamiliar senders. In general, make it a rule not to open links from strangers. That way you protect yourself not only from this virus but from many others as well.

Then, once on the computer, the Trojan reboots and imitates a check for . After that, as I already mentioned, a red skull appears on the screen, followed by a banner offering to decrypt the files in exchange for three hundred dollars transferred to a Bitcoin wallet.

I will say right away that you should not pay under any circumstances! You still will not get your data decrypted; you will just spend the money and make a contribution to the creators of the Trojan. This virus is not designed to allow decryption.

Petya virus: how to protect yourself

Let's take a closer look at protecting against the Petya virus:

  1. I already mentioned system updates. This is the most important point. Even if your copy of the system is pirated, you need to download and install the MS17-010 update.
  2. Turn on "Show file extensions" in the Windows settings. This lets you see each file's extension and delete suspicious files. The virus file has the extension .exe.
  3. Let's get back to e-mail. Do not click on links or open attachments from people you do not know. And in general, while the outbreak lasts, do not follow links in e-mail (even from people you know).
  4. It is advisable to enable User Account Control.
  5. Copy important files to removable media. They can also be copied to the cloud. This will save you from a lot of problems: if Petya appears on your PC, it will be enough to format the hard drive and install a fresh operating system.
  6. Install a good antivirus, preferably one that also includes a firewall. Such products typically have the word Security at the end of their name. If you have important data on your computer, you should not economize on antivirus.
  7. Having installed a decent antivirus, do not forget to update its databases.
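An added example for item 2 (not part of the original article): once extensions are shown, the names that deserve a second look are those whose real, final extension is executable while a document extension, space padding or a Unicode direction-control character disguises it. The extension lists and the sample names below are assumptions constructed for illustration.

```python
import os

# Assumed, non-exhaustive lists chosen for this example.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".js", ".vbs", ".hta"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt", ".jpg", ".png"}
# Unicode bidirectional controls that can visually reorder a displayed filename.
BIDI_CONTROLS = set("\u202a\u202b\u202d\u202e\u2066\u2067\u2068")


def inspect_name(filename):
    """Return the reasons a filename looks suspicious (empty list if none)."""
    reasons = []
    if any(ch in BIDI_CONTROLS for ch in filename):
        reasons.append("bidi-control")
    # Windows ignores trailing dots and spaces, so strip them before parsing.
    cleaned = "".join(ch for ch in filename if ch not in BIDI_CONTROLS)
    cleaned = cleaned.rstrip(". ").lower()
    stem, ext = os.path.splitext(cleaned)
    if ext not in EXECUTABLE_EXTS:
        return reasons
    reasons.append("executable")
    # "report.pdf.exe": a document extension sits in front of the real one.
    if os.path.splitext(stem.rstrip(". "))[1] in DECOY_EXTS:
        reasons.append("double-extension")
    # Long runs of spaces push the real extension out of the visible column.
    if "   " in stem:
        reasons.append("space-padding")
    return reasons


def scan(filenames):
    """Map each suspicious filename to its list of reasons."""
    return {n: r for n in filenames if (r := inspect_name(n))}


# Constructed sample attachment names, not taken from any real incident.
SAMPLES = [
    "quarterly_report.docx",
    "invoice.pdf.exe",
    "scan.pdf          .exe",
    "photo\u202egpj.scr",
    "setup.exe",
]

if __name__ == "__main__":
    for name, why in scan(SAMPLES).items():
        print(repr(name), "->", ", ".join(why))
```

A plain "executable" result only means the file is a program; the disguise reasons are what make an e-mail attachment worth quarantining.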

Petya virus: how to remove it

This is a difficult question. If Petya has already done its work on your computer, there will essentially be nothing to delete. All the files in the system will be scattered, and most likely you will no longer be able to put them back in order. You should not pay the thieves. What remains is to format the disk and reinstall the system. After formatting and reinstalling the system, the virus will disappear.

I also want to add that this malware poses a threat to the Windows system. If you have any other system, for example the Russian Rosa system, you need not be afraid of this ransomware virus. The same applies to phone owners: most of them have Android, iOS, etc. installed, so mobile phone owners have nothing to worry about.

Also, if you are an ordinary person and not the owner of a large company, the attackers are most likely not interested in you. They need large companies, for which $300 means nothing and which can really pay them this money. But this does not mean that the virus cannot get onto your computer. Better to be safe!

Still, let's hope that the Petya virus bypasses you! Take care of your information on your computer. Good luck!

Today, a ransomware virus attacked many computers in the public, commercial and private sectors of Ukraine

An unprecedented hacker attack knocked out many computers and servers in government agencies and commercial organizations across the country

A large-scale and carefully planned cyber attack today disabled the critical infrastructure of many state-owned enterprises and companies. This was reported by the Security Service (SBU).

From around midday, reports of computer infections in the public and private sectors snowballed across the Internet. Representatives of government agencies reported hacker attacks on their IT infrastructure.

According to the SBU, the infection was mainly due to the opening of Word and PDF files that the attackers sent by e-mail. The Petya.A ransomware exploited a network vulnerability in the Windows operating system. To unlock the encrypted data, the cybercriminals demanded a payment of $300 in bitcoins.

Secretary of the National Security and Defense Council Oleksandr Turchynov said that the government agencies included in the protected circuit, a special Internet node, were not damaged. Apparently, the Cabinet of Ministers did not properly implement the recommendations of the National Cyber Security Focal Point, because government computers were affected by Petya.A. The Ministry of Finance, Chernobyl, Ukrenergo, Ukrposhta, Novaya Pochta and a number of banks could not resist today's attack.

For some time, the Internet pages of the SBU, the cyber police and the State Service for Special Communications and Information Protection (GSSSZI) did not even open.

As of Tuesday evening, June 27th, none of the law enforcement agencies charged with combating cyber attacks had revealed where Petya.A came from or who is behind it. The SBU, the Cyber Police (whose website was down all day) and the GSSSZI kept a stony silence about the extent of the harm caused by the ransomware virus.

The attack of the virus on the computers of Ukrainian public and private companies began at 11:30 am. Large banks, retail chains, mobile operators, state-owned companies, infrastructure facilities and service industries were under attack.

The virus covered the entire territory of Ukraine; by 17:00 there was information that an attack had also been recorded in the very west of the country, in Transcarpathia, where branches of OTP Bank and Ukrsotsbank were closed because of the virus.

“The site Korrespondent.net, popular in Ukraine, and the 24 TV channel are not working. The number of companies that have been affected by the attack is increasing by the hour. Currently, most of the bank branches do not work in Ukraine. For example, in the offices of Ukrsotsbank, computers simply do not boot. It is impossible to receive or send money, pay receipts, etc. At the same time, there are no problems in PrivatBank,” the Kyiv correspondent of RT reports.

The virus only infects computers that run the Windows operating system. It encrypts the hard drive's master file table and extorts money from users for decryption. In this, it is similar to the WannaCry ransomware virus, which attacked many companies around the world. At the same time, the first results of examining infected computers have already appeared, showing that the virus destroys all or most of the information on infected disks.

At the moment, the virus has been identified as mbr locker 256, but another name has become widespread in the media - Petya.

From Kyiv to Chernobyl

The virus has also hit the Kiev metro, where there are currently difficulties with paying with bank cards.

Many large infrastructure facilities were hit, such as the state railway operator Ukrzaliznytsia and Boryspil airport. For now, however, they are operating normally; the air navigation system has not been affected by the virus, although Boryspil has already published a warning about possible changes to the schedule, and the arrivals board at the airport itself is not working.

In connection with the attack, two of the largest postal operators in the country are experiencing difficulties in their work: the state-owned Ukrposhta and the private Novaya Pochta. The latter announced that today there would be no charge for the storage of parcels, and Ukrposhta is trying to minimize the consequences of the attack with the help of the SBU.

Due to the risk of infection, the websites of those organizations that have not been affected by the virus also do not work. For this reason, for example, the servers of the website of the Kyiv City State Administration, as well as the website of the Ministry of Internal Affairs of Ukraine, were disabled.

Ukrainian officials predictably claim that the attacks are coming from Russia. Oleksandr Turchynov, Secretary of the National Security and Defense Council of Ukraine, said this. “Already now, after conducting an initial analysis of the virus, we can talk about the Russian trace,” the official website of the department quotes him.

By 5:30 p.m., the virus had even reached the Chernobyl nuclear power plant. Volodymyr Ilchuk, head of the Chernobyl nuclear power plant shift, reported this to the Ukrayinska Pravda publication.

“There is preliminary information that some computers have been infected with a virus. Therefore, as soon as this hacker attack began, a personal command was given to computer workers at the places of personnel to turn off their computers,” Ilchuk said.

Attack on sweets and oil and gas

Several Russian companies were also hacked on Tuesday, June 27, including the oil and gas giants Rosneft and Bashneft, the metallurgical company Evraz, Home Credit Bank, whose branches have suspended work, as well as the Russian representative offices of Mars, Nivea, Mondelez International, TESA and a number of other foreign companies.

Around 14:30 Moscow time, Rosneft announced a powerful hacker attack on the company's servers. At the same time, the company's microblog on Twitter notes that the attack could have led to serious consequences, but due to the transition to a backup process control system, neither production nor oil preparation were stopped.

After the cyberattack, the websites of the Rosneft and Bashneft companies became inaccessible for some time. Rosneft also declared the inadmissibility of spreading false information about the attack.

“Distributors of false panic messages will be considered as accomplices of the organizers of the attack and will be held accountable together with them,” the company said.

At the same time, Rosneft noted that the company applied to law enforcement agencies in connection with the cyber attack, and expressed the hope that the incident had nothing to do with “current judicial procedures.” On Tuesday, June 27, the arbitration court of Bashkiria began considering the merits of the claim of Rosneft, Bashneft and Bashkiria against AFK Sistema in the amount of 170.6 billion rubles.

WannaCry Jr.

At the same time, the hacker attack did not affect the operation of the computer systems of the presidential administration of Russia or the official website of the Kremlin, which, as presidential press secretary Dmitry Peskov told TASS, "works stably."

The hacker attack also had no effect on the operation of Russian nuclear power plants, the Rosenergoatom concern noted.

Dr. Web stated on its website that, despite the resemblance, the current attack was carried out using a virus that differs from the already known Petya ransomware, in particular in its propagation mechanism.

“Among the victims of the cyberattack were the networks of Bashneft, Rosneft, Mondelez International, Mars, Nivea, TESA and others,” the company said. At the same time, the press service of Mars in Russia said that the cyber attack caused problems with IT systems only for the Royal Canin brand, a pet food manufacturer, and not for the entire company.

The last major hacker attack on Russian companies and government institutions occurred on May 12 as part of a large-scale operation by unknown hackers who attacked Windows computers in 74 countries using the WannaCry encryption virus.

On Tuesday, the head of the International Committee of the Federation Council, Konstantin Kosachev, speaking at a meeting of the Federation Council Commission on the Protection of State Sovereignty, said that about 30% of all cyber attacks on Russia are carried out from the United States.

“No more than 2% of the total number of cyberattacks are committed from Russian territory to American computers, while 28–29% are from the United States to Russian electronic infrastructure,” RIA Novosti quoted Kosachev as saying.

According to the head of the international research team at Kaspersky Lab, Costin Raiu, the Petya virus has spread to many countries around the world.