Signs of a computer infection with the Petya virus. Petya, NotPetya or Petna? Everything you need to know about the new epidemic. What happens after infection
The attack of the Petya virus was an unpleasant surprise for residents of many countries. Thousands of computers have been infected, as a result of which users have lost important data stored on their hard drives.
Of course, the excitement around this incident has now subsided, but no one can guarantee that it will not happen again. That is why it is very important to protect your computer from a possible threat and not take unnecessary risks. How to do this most effectively is discussed below.
The consequences of the attack
First of all, we should recall the consequences of Petya.A's short period of activity. In just a few hours, dozens of Ukrainian and Russian companies suffered. In Ukraine, for instance, the work of the computer departments of institutions such as Dniproenergo, Novaya Pochta and the Kiev Metro was almost completely paralyzed. Some state organizations, banks and mobile operators also failed to protect themselves from the Petya virus.
In the countries of the European Union, the ransomware also caused a lot of trouble. French, Danish, British and international companies reported temporary outages related to the Petya computer virus attack.
As you can see, the threat is really serious. Even though the attackers chose large financial institutions as their victims, ordinary users suffered no less.
How does Petya work?
To understand how to protect yourself from the Petya virus, you must first understand how it works. Once on a computer, the malware downloads a special encryptor from the Internet that infects the Master Boot Record. This is a separate area on the hard drive, hidden from the user and designed to boot the operating system.
To the user, this process looks like the standard operation of the Check Disk program after a sudden system crash. The computer restarts abruptly, and a message appears on the screen saying that the hard disk is being checked for errors and asking you not to turn off the power.
As soon as this process finishes, a lock screen appears with information about the computer being locked. The creators of the Petya virus demand that the user pay a ransom of $300 (more than 17.5 thousand rubles), promising in return to send the key needed to restore the PC.
Prevention
It is logical that it is much easier to prevent infection with the Petya computer virus than to deal with its consequences later. To secure your PC:
- Always install the latest updates for the operating system. The same, in principle, applies to all software installed on your PC. By the way, "Petya" cannot harm computers running MacOS and Linux.
- Use the latest versions of the antivirus and do not forget to update its databases. Yes, the advice is banal, but not everyone follows it.
- Do not open suspicious files sent to you by email. Also, always check apps downloaded from dubious sources.
- Make regular backups of important documents and files. It is best to store them on a separate medium or in the "cloud" (Google Drive, Yandex.Disk, etc.). Thanks to this, even if something happens to your computer, valuable information will not be affected.
Create a stop file
The developers of leading anti-virus programs have figured out how to stop the Petya virus. More precisely, their research showed that during the initial stages of infection, the ransomware looks for a certain local file on the computer. If it finds the file, the virus stops its work and does not harm the PC.
Simply put, you can manually create this kind of stop file and thus protect your computer. To do this:
- Open Folder Options and uncheck "Hide extensions for known file types".
- Create a new file with Notepad and place it in the C:\Windows directory.
- Rename the created file to "perfc". Then enable the "Read Only" attribute for it.
Now the "Petya" virus, having got on your computer, will not be able to harm it. But keep in mind that attackers may modify the malware in the future and the stop file creation method will become ineffective.
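The stop-file procedure above, scripted as an added example (this is not code from the article or from any antivirus vendor): it creates the "perfc" file under the Windows directory, sets the Read Only attribute, and reports whether both conditions hold. The file name "perfc" with no extension is taken from the text; the function name is an assumption made for this example. Run it from an elevated PowerShell prompt, since writing into the Windows directory requires administrator rights.

```powershell
# Added example, not from the original article: create the read-only
# "perfc" stop file described above and verify it. Assumes the name
# "perfc" with no extension in the Windows directory, as the text states.
function New-PetyaStopFile {
    param(
        # Stop file location; the article names C:\Windows\perfc.
        [string]$Path = (Join-Path $env:SystemRoot 'perfc')
    )

    if (-not (Test-Path -LiteralPath $Path)) {
        # Creating a file under the Windows directory needs admin rights.
        New-Item -Path $Path -ItemType File -Force | Out-Null
    }

    # Set the Read Only attribute so the file is not casually overwritten.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true

    # Report back: does the file exist and carry the ReadOnly attribute?
    $item = Get-Item -LiteralPath $Path
    $readOnly = [bool]($item.Attributes -band [System.IO.FileAttributes]::ReadOnly)
    [pscustomobject]@{
        Path     = $item.FullName
        Exists   = $true
        ReadOnly = $readOnly
    }
}

# Create (or re-check) the stop file and print the result.
New-PetyaStopFile
```

The function is idempotent, so it can be run repeatedly from a login script or management tool without error. As the text warns, a modified variant may simply not check for this file, so the stop file supplements patching and backups rather than replacing them.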
If infection has already occurred
When the computer goes to reboot on its own and Check Disk starts, the virus is just starting to encrypt files. In this case, you can still save your data by doing the following:
- Power off your PC immediately. This is the only way you can prevent the spread of the virus.
- Next, connect your HDD to another PC (but not as the boot drive!) and copy the important information from it.
- After that, completely format the infected hard drive. Naturally, you will then have to reinstall the operating system and other software on it.
You can also try a special boot disk to cure the "Petya" virus. Kaspersky Anti-Virus, for example, provides Kaspersky Rescue Disk for this purpose, which works without loading the operating system.
Should I pay extortionists?
As mentioned earlier, the creators of Petya are demanding a $300 ransom from users whose computers have been infected. According to the extortionists, after paying the specified amount, the victims will be sent a key that removes the blocking of information.
The problem is that a user who wants to return his computer to a normal state needs to write to the attackers by e-mail. However, the ransomware's e-mail addresses are promptly blocked by the relevant services, so it is simply impossible to contact them.
Moreover, many leading developers of anti-virus software are sure that it is completely impossible to unlock a computer infected with Petya with any code.
As you have probably gathered, it is not worth paying the extortionists. Otherwise, you will not only be left with a non-working PC, but will also lose a large sum of money.
Will there be new attacks
The Petya virus was first discovered in March 2016. At that time, security experts quickly noticed the threat and prevented its mass distribution. But at the end of June 2017 the attack was repeated, with very serious consequences.
It is unlikely that everything will end there. Ransomware attacks are not uncommon, so it is important to keep your computer protected at all times. The problem is that no one can predict what form the next infection will take. Be that as it may, it is always worth following the simple recommendations given in this article to reduce the risks to a minimum.
The virus attack on the computers of Ukrainian public and private companies began at 11:30 am. Hit were large banks, retail chains, mobile operators, state-owned companies, infrastructure facilities and service industries.
The virus covered the entire territory of Ukraine; by 17:00 there was information that an attack had also been recorded in the far west of the country, in Transcarpathia, where branches of OTP Bank and Ukrsotsbank were closed because of the virus.
“The site Korrespondent.net, popular in Ukraine, and the 24 TV channel are not working. The number of companies that have been affected by the attack is increasing by the hour. Currently, most of the bank branches in Ukraine do not work. For example, in the offices of Ukrsotsbank, computers simply do not boot. It is impossible to receive or send money, pay receipts, etc. At the same time, there are no problems in PrivatBank,” the Kiev correspondent of RT reports.
The virus infects only computers running the Windows operating system. It encrypts the hard drive's master file table and extorts money from users for decryption. In this, it is similar to the WannaCry ransomware virus, which attacked many companies around the world. At the same time, the first results of examining infected computers have already appeared, showing that the virus destroys all or most of the information on infected disks.
At the moment, the virus has been identified as mbr locker 256, but another name has become widespread in the media - Petya.
From Kyiv to Chernobyl
The virus has also hit the Kiev metro, where there are currently difficulties with paying with bank cards.
Many large infrastructure facilities were hit, such as the state railway operator Ukrzaliznytsia and Boryspil airport. However, for now they are operating normally; the air navigation system has not been affected by the virus, although Boryspil has already published a warning about possible schedule changes, and the arrivals board at the airport itself does not work.
In connection with the attack, two of the largest postal operators in the country are experiencing difficulties in their work: the state-owned Ukrposhta and the private Novaya Pochta. The latter announced that today there would be no charge for the storage of parcels, and Ukrposhta is trying to minimize the consequences of the attack with the help of the SBU.
Due to the risk of infection, the websites of those organizations that have not been affected by the virus also do not work. For this reason, for example, the servers of the website of the Kyiv City State Administration, as well as the website of the Ministry of Internal Affairs of Ukraine, were disabled.
Ukrainian officials predictably claim that the attacks are coming from Russia. Oleksandr Turchynov, Secretary of the National Security and Defense Council of Ukraine, said this. “Already now, after conducting an initial analysis of the virus, we can talk about the Russian trace,” the official website of the department quotes him.
By 5:30 p.m., the virus had even reached the Chernobyl nuclear power plant. Volodymyr Ilchuk, head of the Chernobyl nuclear power plant shift, reported this to the Ukrayinska Pravda publication.
“There is preliminary information that some computers have been infected with a virus. Therefore, as soon as this hacker attack began, a personal command was given to computer workers at the places of personnel to turn off their computers,” Ilchuk said.
Attack on sweets and oil and gas
The hacker attack on Tuesday, June 27, also affected some Russian companies, including the oil and gas giants Rosneft and Bashneft, the metallurgical company Evraz, Home Credit Bank, whose branches have suspended work, as well as the Russian representative offices of Mars, Nivea, Mondelez International, TESA and a number of other foreign companies.
Around 14:30 Moscow time, Rosneft announced a powerful hacker attack on the company's servers. At the same time, the company's Twitter account noted that the attack could have led to serious consequences, but thanks to switching to a backup control system for production processes, neither the extraction nor the processing of oil was stopped.
After the cyberattack, the websites of the Rosneft and Bashneft companies became inaccessible for some time. Rosneft also declared the inadmissibility of spreading false information about the attack.
Spreaders of false panic messages will be considered as accomplices of the organizers of the attack and will be held accountable together with them.
— Rosneft Oil Company PJSC (@RosneftRu) June 27, 2017
“Distributors of false panic messages will be considered as accomplices of the organizers of the attack and will be held accountable together with them,” the company said.
At the same time, Rosneft noted that in connection with the cyberattack the company has contacted law enforcement, and expressed the hope that the incident had nothing to do with "current judicial procedures." On Tuesday, June 27, the arbitration court of Bashkiria began considering the merits of the claim of Rosneft, Bashneft and Bashkiria against AFK Sistema in the amount of 170.6 billion rubles.
WannaCry Jr.
At the same time, the hacker attack did not affect the operation of the computer systems of the presidential administration of Russia or the official website of the Kremlin, which, according to presidential press secretary Dmitry Peskov as quoted by TASS, "works stably."
The hacker attack also had no effect on the operation of Russian nuclear power plants, the Rosenergoatom concern noted.
Dr.Web stated on its website that, despite the resemblance, the current attack was carried out using a virus that differs from the already known Petya ransomware, in particular in its mechanism for spreading the threat.
“Among the victims of the cyberattack were the networks of Bashneft, Rosneft, Mondelez International, Mars, Nivea, TESA and others,” the company said. At the same time, the press service of Mars in Russia said that the cyber attack caused problems with IT systems only for the Royal Canin brand, a pet food manufacturer, and not for the entire company.
The last major hacker attack on Russian companies and government institutions occurred on May 12 as part of a large-scale operation by unknown hackers who attacked Windows computers in 74 countries using the WannaCry ransomware.
On Tuesday, the head of the International Committee of the Federation Council, Konstantin Kosachev, speaking at a meeting of the Federation Council Commission on the Protection of State Sovereignty, said that about 30% of all cyber attacks on Russia are carried out from the United States.
“No more than 2% of the total number of cyberattacks are committed from Russian territory to American computers, while 28–29% are from the United States to Russian electronic infrastructure,” RIA Novosti quoted Kosachev as saying.
According to the head of the international research team at Kaspersky Lab, Costin Raiu, the Petya virus has spread to many countries around the world.
Petrwrap/Petya ransomware variant with contact [email protected] spreading worldwide, a large number of affected countries.
July 18, 2017. Answers to the most important questions about the Petna ransomware virus (NotPetya, ExPetr), a Petya-based ransomware that has infected many computers around the world.
This month, we witnessed another massive ransomware attack that came just a few weeks after the . Within a few days, this modification of the ransomware received many different names, including Petya (the name of the original virus), NotPetya, EternalPetya, Nyetya, and others. Initially, we called it the "Petya family virus", but for convenience we will simply call it Petna.
Around Petna there are enough ambiguities besides the name. Is this the same ransomware as Petya or a different version? Should Petna be considered a ransomware or a virus that simply destroys data? Let us clarify some aspects of the past attack.
Is the distribution of Petna still ongoing?
Peak activity was a few days ago. The spread of the virus began on the morning of June 27. On the same day its activity reached its highest level, with thousands of attack attempts every hour. After that, their intensity decreased significantly during the same day, and only a small number of infections were observed thereafter.
Can this attack be compared to WannaCry?
No, judging by the reach of our user base. We have observed about 20,000 attack attempts worldwide, which is incommensurably less than the 1.5 million WannaCry attacks we have prevented.
Which countries have been affected the most?
Our telemetry data shows that the main impact of the virus was in Ukraine, where more than 90% of attack attempts were detected. Russia, the USA, Lithuania, Belarus, Belgium and Brazil also suffered. In each of these countries, from several dozen to several hundred infection attempts have been noted.
What operating systems have been infected?
The largest number of attacks were recorded on devices running Windows 7 (78%) and Windows XP (14%). The number of attacks on more modern systems was much lower.
How did the Petna virus get onto the PC?
After analyzing the development paths of the cyber epidemic, we found the primary vector of infection, which is associated with updating the Ukrainian accounting software M.E.Doc. That is why Ukraine has suffered so seriously.
A bitter paradox: for security reasons, users are always advised to update their software, but in this case, the virus began to spread on a large scale with a software update released by M.E.Doc.
Why did computers outside of Ukraine also suffer?
One reason is that some of the affected companies have Ukrainian subsidiaries. Once the virus infects a computer, it spreads within the network. That is how it reached computers in other countries. We continue to investigate other possible infection vectors.
What happens after infection?
Once a device is infected, Petna tries to encrypt files with certain extensions. The list of target files is not as large as the lists of the original Petya virus and other ransomware, but it includes extensions of photos, documents, source code, databases, disk images, and others. In addition, this malware not only encrypts files but also spreads like a worm to other devices connected to the local network.
Like , the virus uses three different ways to spread: the EternalBlue (known from WannaCry) or EternalRomance exploits; Windows network shares using credentials stolen from the victim (with utilities like Mimikatz that can extract passwords); and legitimate tools such as PsExec and WMIC.
After encrypting files and spreading over the network, the virus tries to break the Windows boot process (by changing the master boot record, MBR), and after a forced reboot encrypts the master file table (MFT) of the system drive. This prevents the computer from booting into Windows and makes it unusable.
Can Petna infect my computer with all security patches installed?
Yes, this is possible due to the lateral movement of the malware described above. Even if a particular device is protected from both EternalBlue and EternalRomance, it can still be infected in the third way.
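Because a fully patched machine can still be reached through the credential-based route described in the two answers above, a defender wants to see the PsExec and WMIC steps in the logs. The following is an added example, not code from the original text or from Avast: a small PowerShell function that scans event records for two standard Windows indicators, a System-log event 7045 (a new service installed, which is how PsExec starts its default PSEXESVC service on a target) and a Security-log event 4688 (process creation) whose command line is a WMIC remote "process call create". The event records are constructed for this example, and the function name and the regular expressions are assumptions.

```powershell
# Added example, not from the original text: flag the lateral-movement
# tools named above (PsExec, WMIC) in Windows event records.
# Event IDs are standard ones: System 7045 = "a service was installed",
# Security 4688 = "a new process has been created" (command lines appear
# only when command-line auditing is enabled). Sample records are constructed.
$SampleEvents = @(
    [pscustomobject]@{ Log = 'System';   Id = 7045; Message = 'A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe' },
    [pscustomobject]@{ Log = 'Security'; Id = 4688; Message = 'A new process has been created. New Process Name: C:\Windows\System32\wbem\WMIC.exe Process Command Line: wmic /node:"WS-042" process call create "C:\Temp\sample.exe"' },
    [pscustomobject]@{ Log = 'Security'; Id = 4688; Message = 'A new process has been created. New Process Name: C:\Windows\System32\notepad.exe Process Command Line: notepad.exe' },
    [pscustomobject]@{ Log = 'System';   Id = 7045; Message = 'A service was installed in the system. Service Name: Spooler Service File Name: C:\Windows\System32\spoolsv.exe' }
)

function Find-LateralMovementIndicators {
    param([Parameter(Mandatory)] [object[]]$Events)

    foreach ($e in $Events) {
        $hit = $null
        # PsExec installs a service, named PSEXESVC by default, on the target.
        if ($e.Log -eq 'System' -and $e.Id -eq 7045 -and
            $e.Message -match 'Service Name:\s*PSEXESVC') {
            $hit = 'PsExec service installed (PSEXESVC)'
        }
        # WMIC remote execution: wmic /node:<host> ... process call create ...
        elseif ($e.Log -eq 'Security' -and $e.Id -eq 4688 -and
            $e.Message -match '(?i)wmic(\.exe)?\s+/node:.*process\s+call\s+create') {
            $hit = 'WMIC remote process creation'
        }
        if ($hit) {
            [pscustomobject]@{ Log = $e.Log; Id = $e.Id; Indicator = $hit; Message = $e.Message }
        }
    }
}

# Run the scan over the constructed records; two of the four should match.
Find-LateralMovementIndicators -Events $SampleEvents | Format-Table -AutoSize
```

On a live system the same function can be fed objects from Get-WinEvent, mapping the LogName, Id and Message properties. Both indicators also fire on legitimate administration, and PsExec can be run with a custom service name, so treat hits as a starting point for triage rather than a verdict.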
Is it Petya, WannaCry 2.0 or something else?
The Petna virus is definitely based on the original Petya ransomware. For example, the part responsible for encrypting the master file table is almost identical to the previously encountered threat. However, it is not completely identical to older versions of the ransomware. It is assumed that the virus was modified by a third party, not by the author of the original version, known as Janus, who also spoke about this on Twitter and later published a master decryption key for all past versions of the program.
The main similarity between Petna and WannaCry is that they used the EternalBlue exploit to spread.
Is it true that a virus does not encrypt anything, but simply destroys data on disks?
It is not true. This malware only encrypts files and the Master File Table (MFT). Another question is whether these files can be decrypted.
Is there a free decryption tool available?
Unfortunately, no. The virus uses a fairly strong encryption algorithm that cannot be broken. It encrypts not only files but also the master file table (MFT), which greatly complicates the decryption process.
Should I pay the ransom?
No! We never advise paying a ransom, as this only encourages criminals to continue such activities. Moreover, it is likely that you will not get your data back even after paying. In this case, that is more obvious than ever before. Here is why.
The official email address provided in the ransom window [email protected], to which victims were asked to send a ransom, was shut down by the email service provider shortly after the virus attack. Therefore, the creators of the ransomware cannot find out who paid and who did not.
Decrypting the MFT partition is basically impossible because the key is lost after the ransomware encrypts it. In previous versions of the virus, this key was stored in the victim ID, but in the case of the latest modification, it is just a random string.
In addition, the encryption applied to the files is quite chaotic. How
Good afternoon, friends. Recently we analyzed the WannaCry ransomware virus, which in a matter of hours spread to many countries of the world and infected many computers. And at the end of June a new, similar virus, "Petya", appeared. Or, as it is most often called, "Petya".
These viruses belong to the ransomware Trojans and are quite similar, although they also have significant differences. According to official data, "Petya" first infected a considerable number of computers in Ukraine, and then began its journey around the world.
The computers of Israel, Serbia, Romania, Italy, Hungary, Poland and others were affected. Russia is on the 14th place in this list. Then, the virus spread to other continents.
The victims of the virus were mainly large companies (quite often oil companies), airports, mobile communication companies, etc.; for example, Bashneft, Rosneft, Mars, Nestle and others suffered. In other words, the targets of the attackers are large companies from which money can be extracted.
What is "Petya"?
Petya is malware of the ransomware Trojan type. Such pests were created to blackmail the owners of infected computers by encrypting the information stored on the PC. The Petya virus, unlike WannaCry, does not encrypt individual files. This Trojan encrypts the entire disk. This makes it more dangerous than the WannaCry virus.
When Petya gets onto the computer, it very quickly encrypts the MFT table. To make this clearer, let's use an analogy. If you compare the files with a large city library, it removes the library's catalog, and then it is very difficult to find the right book.
Not only does it remove the catalog, it also mixes up pages (files) from different books. Of course, the system fails in this case. It is very difficult to make sense of the system in such a mess. As soon as the pest enters the computer, it reboots the PC, and after loading a red skull appears. Then, when you press any key, a banner appears offering to pay $300 to a bitcoin account.
Petya virus: how not to catch it
Who could have created Petya? There is no answer to this question yet. In general, it is not clear whether the author will ever be identified (most likely not). But it is known that the leak came from the United States. The virus, like WannaCry, looks for a hole in the operating system. To patch this hole, it is enough to install the MS17-010 update (released a few months ago, during the WannaCry attack). You can download it from the link. Or from the official Microsoft website.
At the moment, this update is the best way to protect your computer. Also, do not forget about a good antivirus. Moreover, Kaspersky Lab stated that they have a database update that blocks this virus.
But this does not mean that you have to install Kaspersky. Use your own antivirus, but don't forget to update its databases. Also, don't forget a good firewall.
How the Petya virus spreads
Most often, Petya gets onto the computer through e-mail. Therefore, while the Petya virus is spreading, it is not worth opening links in letters, especially unfamiliar ones. In general, make it a rule not to open links from strangers. This protects you not only from this virus but from many others.
Then, once on the computer, the Trojan reboots and imitates a check for . Further, as I already mentioned, a red skull appears on the screen, then a banner offering to pay for the decryption of files by transferring three hundred dollars to a Bitcoin wallet.
I will say right away that you should not pay under any circumstances! You still won't get your files decrypted; you will just waste the money and make a contribution to the creators of the Trojan. This virus is not designed to be decrypted.
Petya virus: how to protect yourself
Let's take a closer look at protecting against the Petya virus:
- I already mentioned system updates. This is the most important point. Even if your system is pirated, you need to download and install the MS17-010 update.
- In Windows settings, enable "Show file extensions". This lets you see the file extension and delete suspicious files. The virus file has the extension .exe.
- Let's get back to the letters. Don't click on links or attachments from people you don't know. And in general, during the quarantine, do not follow the links in the mail (even from people you know).
- It is advisable to enable User Account Control.
- Copy important files to removable media. They can also be copied to the cloud. This will save you a lot of trouble. If Petya appears on your PC, it will be enough to format the hard drive and install a fresh operating system.
- Install a good antivirus. Preferably one that also includes a firewall. Typically such antiviruses have the word Security at the end of their name. If you have important data on your computer, you should not skimp on antivirus.
- Having installed a decent antivirus, do not forget to update its databases.
Petya virus: how to remove it
It's a difficult question. If Petya has done its work on your computer, there will essentially be nothing to delete. All the files in the system will be scattered. Most likely, you can no longer put them in order. You don't have to pay the thieves. All that remains is to format the disk and reinstall the system. After formatting and reinstalling the system, the virus will be gone.
I also want to add that this pest poses a threat to the Windows system. If you have any other system, for example the Russian Rosa system, you should not be afraid of this ransomware virus. The same applies to phone owners. Most of them have Android, iOS, etc. installed. Therefore, mobile phone owners have nothing to worry about.
Also, if you are an ordinary person and not the owner of a large company, the attackers are most likely not interested in you. They need large companies, for which $300 means nothing and which can really pay them this money. But this does not mean that the virus cannot get onto your computer. Better be safe!
Still, let's hope that the Petya virus bypasses you! Take care of your information on your computer. Good luck!
On Tuesday, June 27, Ukrainian and Russian companies reported a massive virus attack: computers at enterprises displayed a message demanding a ransom. I figured out who once again suffered because of hackers and how to protect themselves from the theft of important data.
Peter, enough
The energy sector was the first to be attacked: the Ukrainian companies Ukrenergo and Kyivenergo complained about the virus. The intruders paralyzed their computer systems, but this did not affect the stability of the power plants.
Ukrainians began to publish the consequences of infection online: judging by the numerous pictures, the computers were attacked by a ransomware virus. On the screens of the affected devices, a message popped up stating that all data was encrypted and that device owners needed to pay a $300 ransom in bitcoins. At the same time, the hackers did not say what would happen to the information if nothing was done, and did not even set a countdown timer until the data was destroyed, as was the case with the WannaCry attack.
The National Bank of Ukraine (NBU) reported that due to the virus, the work of several banks was partially paralyzed. According to Ukrainian media, the attack affected the offices of Oschadbank, Ukrsotsbank, Ukrgasbank, and PrivatBank.
The computer networks of Ukrtelecom, Boryspil airport, Ukrposhta, Novaya Pochta, Kyivvodokanal and the Kyiv Metro were infected. In addition, the virus hit the Ukrainian mobile operators Kyivstar, Vodafone and Lifecell.
Later, the Ukrainian media clarified that it was the Petya.A malware. It is distributed according to the usual hacker scheme: phishing emails are sent to victims from fake senders asking them to open an embedded link. After that, the virus enters the computer, encrypts the files and demands a ransom for their decryption.
The hackers indicated the number of their bitcoin wallet to which money should be transferred. Judging by the information about the transactions, the victims have already transferred 1.2 bitcoins (more than 168 thousand rubles).
More than 80 companies were affected by the attack, according to information security specialists from Group-IB. The head of their crime lab noted that the virus was not related to WannaCry. To fix the problem, he advised closing TCP ports 1024–1035, 135, and 445.
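The port advice above, turned into a Windows Firewall rule as an added example (not code from the article or from Group-IB): the function blocks inbound TCP on 135, 445 and 1024-1035 and is safe to run repeatedly because it checks for an existing rule of the same name first. The rule display name and the function name are assumptions made for this example; run it from an elevated prompt, since creating firewall rules requires administrator rights.

```powershell
# Added example, not from the original article: block inbound TCP on the
# ports Group-IB advised closing (1024-1035, 135 and 445) in the Windows
# Firewall. The rule name is an assumption chosen for this example.
function Block-PetyaPorts {
    param(
        [string]$RuleName = 'Block inbound TCP 135,445,1024-1035 (Petya mitigation)',
        # Port list as New-NetFirewallRule accepts it: single ports and ranges.
        [string[]]$Ports  = @('135', '445', '1024-1035')
    )

    $existing = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($existing) {
        # Idempotent: do not create a duplicate rule on repeated runs.
        return $existing
    }

    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Protocol TCP -LocalPort $Ports `
        -Action Block -Profile Any -Enabled True
}

# Create (or fetch) the rule and show which ports it actually covers.
$rule = Block-PetyaPorts
$rule | Get-NetFirewallPortFilter | Select-Object Protocol, LocalPort
```

Note what the rule costs: inbound 445 is SMB file sharing and the channel PsExec and the administrative shares use, and 135 is the RPC endpoint mapper that WMI relies on, so legitimate remote administration of the machine stops working as well. On servers that must keep serving files, scope the rule to untrusted interfaces or remote addresses instead of applying it to every profile.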
Who is guilty
She hastened to assume that the attack was organized from the territory of Russia or Donbass, but did not provide any evidence. The Minister of Infrastructure of Ukraine saw a hint in the word "virus" and wrote on his Facebook that "it is no coincidence that it ends in RUS", accompanying his guess with a winking emoticon.
Meanwhile, he claims that the attack has nothing to do with the existing "malware" known as Petya and Mischa. Security officials claim that the new wave hit not only Ukrainian and Russian companies, but also enterprises in other countries.
Nevertheless, the current “malware” in terms of interface resembles the well-known Petya virus, which a few years ago was distributed through phishing links. At the end of December, the unknown hacker responsible for creating the Petya and Mischa ransomware began sending infected emails with an embedded virus called GoldenEye, which was identical to previous ransomware versions.
The attachment to an ordinary letter, often received by the personnel department, contained information about a fictitious candidate. In one of the files one could indeed find a résumé, and in the next, a virus installer. At that time, the main targets of the attacker were companies in Germany. During a single day, more than 160 employees of the German company fell into the trap.
It was not possible to identify the hacker, but it is obvious that he is a Bond fan. The Petya and Mischa programs are named after the Russian satellites "Petya" and "Misha" from the film "GoldenEye", which according to the plot were electromagnetic weapons.
The original version of Petya began to spread actively in April 2016. It skillfully disguised itself on computers and posed as a legitimate program, requesting elevated administrator rights. After activation, the program behaved extremely aggressively: it set a hard deadline for paying the ransom, demanding 1.3 bitcoins, and after the deadline it doubled the amount.
True, then one of the Twitter users quickly found the weaknesses of the ransomware and created a simple program that generated a key in seven seconds, allowing you to unlock the computer and decrypt all the data without any consequences.
Not the first time
In mid-May, computers around the world were attacked by a similar ransomware virus, WannaCrypt0r 2.0, also known as WannaCry. In just a few hours, it paralyzed the work of hundreds of thousands of users of Windows devices in over 70 countries. Among the victims were Russian law enforcement agencies, banks and mobile operators. Once on the victim's computer, the virus encrypted the hard drive and demanded that $300 in bitcoins be sent to the cybercriminals. Three days were allotted for reflection, after which the amount was doubled, and a week later the files were encrypted forever.
However, the victims were in no hurry to transfer the ransom, and the creators of the "malware"