On June 27, European countries were hit by a ransomware attack known under the harmless name Petya (various sources also include the names Petya.A, NotPetya and GoldenEye). The cryptographer demands a ransom in bitcoins equivalent to $300. Dozens of large Ukrainian and Russian companies have been infected, and the spread of the virus in Spain, France and Denmark is also recorded.
Who got hit?
Ukraine
Ukraine was one of the first countries to be attacked. According to preliminary estimates, about 80 companies and government agencies were attacked:
Today, the virus does not just encrypt individual files, but completely takes away the user's access to the hard drive. The ransomware virus also uses a fake Microsoft electronic signature, which shows users that the program was developed by a trusted author and guarantees security. After infecting a computer, the virus modifies a special code necessary to boot the operating system. As a result, when the computer starts, it is not the operating system that is loaded, but malicious code.
How to protect yourself?
- Close TCP ports 1024-1035, 135, and 445.
- Update the databases of your antivirus products.
- Since Petya is spread by phishing, do not open emails from unknown sources (if the sender is known, check if this email is safe), be careful about social media messages from your friends, as their accounts can be hacked.
- Virus looking for file C:\Windows\perfc, and if it doesn't find it, it creates and starts the infection. If such a file already exists on the computer, then the virus finishes its work without infection. You need to create an empty file with that name. Let's consider this process in more detail.
— Hacker Fantastic (@hackerfantastic)
Good afternoon friends. Most recently, we analyzed the virus WannaCry ransomware, which in a matter of hours spread to many countries of the world and infected many computers. And at the end of June, a new similar virus "Petya" appeared. Or, as it is most often called "Petya".
These viruses belong to ransomware Trojans and are quite similar, although they also have their differences, moreover, significant ones. According to official data, "Petya" first infected a decent number of computers in Ukraine, and then began his journey around the world.
The computers of Israel, Serbia, Romania, Italy, Hungary, Poland and others were affected. Russia is on the 14th place in this list. Then, the virus spread to other continents.
Basically, the victims of the virus were large companies (quite often oil companies), airports, mobile communication companies, etc., for example, Bashneft, Rosneft, Mars, Nestle and others suffered. In other words, the target of attackers are large companies from which you can take money.
What is "Petya"?
Petya is malware that is a Trojan ransomware. Such pests were created to blackmail the owners of infected computers by encrypting information located on the PC. The Petya virus, unlike WannaCry, does not encrypt individual files. This Trojan encrypts the entire disk completely. This is its greater danger than the WannaCry virus.
When Petya gets on the computer, it encrypts the MFT table very quickly. To make it clearer, let's use an analogy. If you compare the files with a large city library, he removes its catalog, and in this case it is very difficult to find the right book.
Even, not just a catalog, but sort of mixes pages (files) from different books. Of course, the system fails in this case. It is very difficult to understand the system in such rubbish. As soon as the pest enters the computer, it reboots the PC and after loading, a red skull appears. Then, when you click on any button, a banner appears with an offer to pay 300$ to the bitcoin account.
Virus Petya how not to Catch
Who could create Petya? There is no answer to this question yet. And in general, it is not clear whether the author will be installed (most likely not)? But it is known that the leak came from the United States. The virus, like WannaCry, is looking for a hole in the operating system. To patch this hole, it is enough to install the MS17-010 update (released a few months ago during the WannaCry attack). You can download it from the link. Or, from the official Microsoft website.
At the moment, this update is the best way to protect your computer. Also, do not forget about a good antivirus. Moreover, Kaspersky Lab stated that they have a database update that blocks this virus.
But, this does not mean that it is necessary to install Kaspersky. Use your antivirus, but don't forget to update its databases. Also, don't forget a good firewall.
How the Petya virus spreads
Most often, Petya gets to the computer through e-mail. Therefore, during the incubation of the Petya virus, it is not worth opening various links in letters, especially in unfamiliar ones. In general, make it a rule not to open links from strangers. So you protect yourself not only from this virus, but also from many others.
Then, once on the computer, the Trojan reboots and imitates a check for . Further, as I already mentioned, a red skull appears on the screen, then a banner offering to pay for the decryption of files by transferring three hundred dollars to a Bitcoin wallet.
I will say right away that you do not need to pay in any case! You still won't decrypt it, just spend the money and make a contribution to the creators of the Trojan. This virus is not designed to be decrypted.
Petya virus how to protect yourself
Let's take a closer look at protecting against the Petya virus:
- I already mentioned system updates. This is the most important point. Even if your system is pirated, you need to download and install the MS17-010 update.
- Turn on "Show file extensions" in Windows settings. Thanks to this, you can see the file extension and delete suspicious ones. The virus file has the extension .exe.
- Let's get back to the letters. Don't click on links or attachments from people you don't know. And in general, during the quarantine, do not follow the links in the mail (even from people you know).
- It is advisable to enable User Account Control.
- Copy important files to removable media. Can be copied to Cloud. This will get you out of a lot of problems. If Petya appears on your PC, it will be enough to install a new operating system, after formatting the hard drive.
- Install a good antivirus. It is desirable that it was also a firewall. Typically, such antiviruses have the inscription Security at the end. If you have important data on your computer, you should not save on antivirus.
- Having installed a decent antivirus, do not forget to update its databases.
Petya virus how to remove
This is a difficult question. If Petya has done work on your computer, there will essentially be nothing to delete. In the system, all files will be scattered. Most likely, you can no longer organize them. You don't have to pay the thieves. It remains to format the disk and reinstall the system. After formatting and reinstalling the system, the virus will disappear.
Also, I want to add - this pest poses a threat to the Windows system. If you have any other system, for example, the Russian Rosa system, you should not be afraid of this ransomware virus. The same applies to phone owners. Most of them have Android, IOS, etc. installed. Therefore, cell owners have nothing to worry about.
Also, if you are a simple person, and not the owner of a large company, most likely the attackers are not interested in you. They need large companies, for which $300 means nothing and who can really pay them this money. But, this does not mean that the virus cannot get on your computer. Better make sure!
Still, let's hope that the Petya virus bypasses you! Take care of your information on your computer. Good luck!
, July 18, 2017Answers to the most important questions about the Petna ransomware virus (NotPetya, ExPetr), a Petya-based ransomware that has infected many computers around the world.
This month, we witnessed another massive ransomware attack that came just a few weeks after the . Within a few days, this modification of the ransomware received many different names, including Petya (the name of the original virus), NotPetya, EternalPetya, Nyetya, and others. Initially, we called it the "Petya family virus", but for convenience we will simply call it Petna.
Around Petna there are enough ambiguities besides the name. Is this the same ransomware as Petya or a different version? Should Petna be considered a ransomware or a virus that simply destroys data? Let us clarify some aspects of the past attack.
Is the distribution of Petna still ongoing?
Peak activity a few days ago. The spread of the virus began on the morning of June 27. On the same day, his activity reached its highest level, with thousands of attack attempts every hour. After that, their intensity decreased significantly during the same day, and only a small number of infections were observed thereafter.
Can this attack be compared to WannaCry?
No, judging by the reach of our user base. We have observed about 20,000 attack attempts worldwide, which is incommensurably less than the 1.5 million WannaCry attacks we have prevented.
Which countries have been affected the most?
Our telemetry data shows that the main impact of the virus was in Ukraine, where more than 90% of attack attempts were detected. Russia, the USA, Lithuania, Belarus, Belgium and Brazil also suffered. In each of these countries, from several dozen to several hundred infection attempts have been noted.
What operating systems have been infected?
The largest number of attacks were recorded on devices running Windows 7 (78%) and Windows XP (14%). The number of attacks on more modern systems turned out to be much less.
How did the Petna virus get onto the PC?
After analyzing the development paths of the cyber epidemic, we found the primary vector of infection, which is associated with updating the Ukrainian accounting software M.E.Doc. That is why Ukraine has suffered so seriously.
A bitter paradox: for security reasons, users are always advised to update their software, but in this case, the virus began to spread on a large scale with a software update released by M.E.Doc.
Why did computers outside of Ukraine also suffer?
One reason is that some of the affected companies have Ukrainian subsidiaries. Once a virus infects a computer, it spreads within the network. That is how he managed to reach computers in other countries. We continue to explore other possible infection vectors.
What happens after infection?
Once a device is infected, Petna tries to encrypt files with certain extensions. The list of target files is not as large as the lists of the original Petya virus and other ransomware, but it includes extensions of photos, documents, source codes, databases, disk images, and others. In addition, this software not only encrypts files, but also how the worm spreads to other devices connected to the local network.
Like , the virus uses three different ways to spread: using EternalBlue (known for WannaCry) or EternalRomance exploits, through Windows network shares using credentials stolen from the victim (using utilities like Mimikatz that can extract passwords), as well as trustworthy tools like PsExec and WMIC.
After encrypting files and spreading over the network, the virus tries to break Windows boot (by changing the master boot record, MBR), and after a forced reboot, it encrypts the master file table (MFT) of the system drive. This prevents the computer from booting into Windows and makes the computer unusable.
Can Petna infect my computer with all security patches installed?
Yes, this is possible due to the horizontal distribution of the malware described above. Even if a particular device is protected from both EternalBlue and EternalRomance, it can still be infected in a third way.
Is it Retua, WannaCry 2.0 or something else?
The Petna virus is definitely based on the original Petna ransomware. For example, in the part responsible for encrypting the main file table, it is almost identical to the previously encountered threat. However, it is not completely identical to older versions of the ransomware. It is assumed that the virus was modified by a third party, and not the author of the original version, known as Janus, who also spoke about this in Twitter, and later published a master decryption key for all past versions of the program.
The main similarity between Petna and WannaCry is that they used the EternalBlue exploit to spread.
Is it true that a virus does not encrypt anything, but simply destroys data on disks?
It is not true. This malware only encrypts files and the Master File Table (MFT). Another question is whether these files can be decrypted.
Is there a free decryption tool available?
Unfortunately no. The virus uses a fairly powerful encryption algorithm that cannot be overcome. It encrypts not only files, but also the master file table (MFT), which greatly complicates the decryption process.
Should I pay the ransom?
Not! We never advise paying a ransom, as this only encourages criminals and encourages them to continue such activities. Moreover, it is likely that you will not get your data back even after paying. In this case, it is more obvious than ever before. And that's why.
The official email address provided in the ransom window [email protected], to which victims were asked to send a ransom, was shut down by the email service provider shortly after the virus attack. Therefore, the creators of the ransomware cannot find out who paid and who did not.
Decrypting the MFT partition is basically impossible because the key is lost after the ransomware encrypts it. In previous versions of the virus, this key was stored in the victim ID, but in the case of the latest modification, it is just a random string.
In addition, the encryption applied to the files is quite chaotic. How
This conclusion was the result of a study of two companies at once - Comae Technologies and Kaspersky Lab.
The original Petya malware, discovered in 2016, was a money-making machine. This sample is definitely not intended to earn money. The threat is designed to quickly spread and cause damage and disguises itself as a ransomware.
NotPetya is not a disk cleaner. The threat does not delete data, but simply renders it unusable by locking files and throwing away decryption keys.
Juan Andre Guerrero-Saade, a senior researcher at Kaspersky Lab, commented on the situation:
In my book, a ransomware infection without a possible decryption mechanism is equivalent to a disk wipe. By ignoring a viable decryption mechanism, the attackers have shown complete disregard for long-term monetary gain.
The author of the original Petya ransomware tweeted that he had nothing to do with the development of NotPetya. He has already become the second cybercriminal who denies involvement in the creation of a new similar threat. Earlier, the author of the AES-NI ransomware stated that he had nothing to do with XData, which was also used in targeted attacks on Ukraine. In addition, XData, like NotPetya, used the same distribution vector - the update servers of the Ukrainian accounting software manufacturer.
Many circumstantial indications support the theory that someone is hacking known ransomware and using modified versions to attack Ukrainian users.
Are destructive modules disguised as ransomware already a common practice?
Similar cases have already occurred before. The use of malicious modules to permanently damage files under the guise of ordinary ransomware is far from a new tactic. In today's world, this is already becoming a trend.
Last year, the Shamoon and KillDisk malware families included “ransomware components” and used similar techniques to destroy data. Now even industrial malware is getting disk cleanup features.
Classifying NotPetya as a data destruction tool could easily elevate malware to a cyberweapon. In this case, the analysis of the consequences of the threat should be considered from a different perspective.
Considering the starting point of infection and the number of victims, it becomes obvious that Ukraine was the target of the hacker attack. At the moment, there is no clear evidence pointing the finger at the attacker, but Ukrainian officials have already blamed Russia, which they have also blamed for past cyber incidents dating back to 2014.
NotPetya could be on par with the well-known Stuxnet and BlackEnergy malware families that have been used for political purposes and for destructive effects. The evidence clearly shows that NotPetya is a cyberweapon and not just a very aggressive kind of ransomware.
A number of Russian and Ukrainian companies were attacked by the Petya encryption virus. The online edition of the site talked with experts from Kaspersky Lab, the AGIMA interactive agency and found out how to protect corporate computers from a virus and how Petya is similar to the equally well-known WannaCry encryption virus.
Virus "Petya"
In Russia, the companies Rosneft, Bashneft, Mars, Nivea and chocolate manufacturer Alpen Gold Mondelez International. A ransomware virus in the radiation monitoring system of the Chernobyl nuclear power plant. In addition, the attack affected the computers of the Ukrainian government, Privatbank and telecom operators. The virus blocks computers and demands a ransom of $300 in bitcoins.
In a microblog on Twitter, the press service of Rosneft spoke about a hacker attack on the company's servers. "A powerful hacker attack was carried out on the company's servers. We hope that this has nothing to do with the current legal proceedings. The company turned to law enforcement agencies in connection with the cyber attack," the message says.
According to the company's press secretary Mikhail Leontiev, Rosneft and its subsidiaries are operating as usual. After the attack, the company switched to a backup process control system, so that oil production and preparation were not stopped. The Home Credit bank system was also attacked.
"Petya" does not infect without "Misha"
According to Executive Director of AGIMA Evgeny Lobanov, in fact, the attack was carried out by two ransomware viruses: Petya and Misha.
"They work in conjunction. "Petya" does not infect without "Misha". It can infect, but yesterday's attack was two viruses: first Petya, then Misha. "Petya" overwrites the boot device (where the computer boots from), and Misha - encrypts files according to a certain algorithm,” the specialist explained, “Petya encrypts the boot sector of the disk (MBR) and replaces it with its own, Misha already encrypts all files on the disk (not always).”
He noted that the WannaCry encryption virus, which attacked major global companies in May this year, is not similar to Petya, this is a new version.
"Petya.A is from the WannaCry (WannaCrypt) family, but the main difference is why it is not the same virus, it is that the MBR is replaced by its own boot sector - this is a novelty for Ransomware. The Petya virus appeared a long time ago, on GitHab (an online service for IT projects and joint programming - site) https://github.com/leo-stone/hack-petya" target="_blank"> there was a decryptor for this encryptor, but no decryptor is suitable for the new modification.
Yevgeny Lobanov stressed that the attack hit Ukraine harder than Russia.
“We are more susceptible to attacks than other Western countries. We will be protected from this version of the virus, but not from its modifications. Our Internet is unsafe, in Ukraine it is even less. Basically, transport companies, banks, mobile operators were attacked ( Vodafone, Kyivstar) and medical companies, the same Pharmmag, Shell gas stations - all very large transcontinental companies," he said in an interview with the site.
The executive director of AGIMA noted that so far there are no facts that would indicate the geographical location of the spreader of the virus. In his opinion, the virus allegedly appeared in Russia. Unfortunately, there is no direct evidence for this.
“There is an assumption that these are our hackers, since the first modification appeared in Russia, and the virus itself, which is no secret to anyone, was named after Petro Poroshenko. It was the development of Russian hackers, but it’s hard to say who changed it further. that being even in Russia, it is easy to get hold of a computer with geolocation in the United States, for example," the expert explained.
"If suddenly there was an "infection" of the computer - you can not turn off the computer. If you reboot, you will never log in again"
"If suddenly a computer is "infected" - you can not turn off the computer, because the Petya virus replaces the MBR - the first boot sector from which the operating system is loaded. If you reboot, you will never log in again. This cuts off the waste paths, even if it appears " tablet" it will no longer be possible to return the data. Next, you need to immediately disconnect from the Internet so that the computer does not go online. An official patch from Microsoft has already been released, it provides a 98 percent security guarantee. Unfortunately, not 100 percent yet. A certain modification of the virus (their three pieces) he is bypassing for now," Lobanov recommended. - However, if you did reboot and saw the beginning of the "check disk" process, at this moment you need to immediately turn off the computer, and the files will remain unencrypted ..
In addition, the expert also explained why Microsoft users are most often attacked, and not MacOSX (Apple's operating system - website) and Unix systems.
"Here it is more correct to speak not only about MacOSX, but also about all unix systems (the principle is the same). The virus only affects computers, without mobile devices. The attack affects the Windows operating system and threatens only those users who have disabled the automatic system update function. Updates as an exception, they are available even for owners of older versions of Windows that are no longer updated: XP, Windows 8 and Windows Server 2003," the expert said.
"MacOSX and Unix are not globally exposed to such viruses, because many large corporations use the Microsoft infrastructure. MacOSX is not affected because it is not so common in government agencies. There are fewer viruses under it, it is not profitable to make them, because the attack segment will be smaller than if attack Microsoft," the expert concluded.
"The number of attacked users has reached two thousand"
Press service of Kaspersky Lab, whose experts continue to investigate the latest wave of infections, said that "this ransomware does not belong to the already well-known Petya ransomware family, although it shares several lines of code with it."
The Laboratory is sure that in this case we are talking about a new family of malicious software with functionality that is significantly different from Petya. Kaspersky Lab named a new encryptor ExPetr.
"According to Kaspersky Lab, the number of attacked users has reached two thousand. Most of the incidents were recorded in Russia and Ukraine, and cases of infection were also observed in Poland, Italy, Great Britain, Germany, France, the United States and a number of other countries. At the moment, our experts suggest "This malware used several attack vectors. It has been established that a modified EternalBlue exploit and an EternalRomance exploit were used to spread in corporate networks," the press service said.
Experts are also exploring the possibility of creating a decryption tool that could decrypt the data. The Lab also made recommendations for all organizations to avoid a virus attack in the future.
"We recommend that organizations update their Windows operating system. For Windows XP and Windows 7, install the MS17-010 security update and ensure that they have an effective data backup system. Timely and secure data backup allows you to restore original files, even if they were encrypted by malware," Kaspersky Lab experts advised.
The Laboratory also recommends that its corporate clients make sure that all protection mechanisms are activated, in particular, make sure that the connection to the cloud infrastructure of Kaspersky Security Network, as an additional measure, it is recommended to use the "Application Privilege Control" component to deny access to all groups of applications (and, accordingly, execution) of a file named "perfc.dat", etc.
"If you do not use Kaspersky Lab products, we recommend disabling the execution of a file called perfc.dat, as well as blocking the launch of the PSExec utility from the Sysinternals package using the AppLocker function, which is part of the OS (operating system - site) Windows," recommended in the laboratory.
On May 12, 2017, many are a data encryptor on computer hard drives. He blocks the device and demands a ransom.
The virus affected organizations and departments in dozens of countries around the world, including Russia, where the Ministry of Health, the Ministry of Emergency Situations, the Ministry of Internal Affairs, the servers of mobile operators and several large banks were attacked.
The spread of the virus was stopped accidentally and temporarily: if hackers change just a few lines of code, the malware will start working again. The damage from the program is estimated at one billion dollars. After a linguistic forensic analysis, experts found that WannaCry was created by people from China or Singapore.
