Petya

Petya is a large-scale ransomware attack launched in 2017 and designed to affect Microsoft Windows devices.

Petya/Golden Eye/NotPetya

Petya/GoldenEye (also known as NotPetya) is a large-scale ransomware attack launched in 2017. Designed to affect Microsoft Windows devices, Petya infected the master boot record of the attacked computer to execute a payload that encrypted the hard disk's file allocation table, preventing Windows from starting up properly.

Thus, infected computers were locked after being restarted, and Petya demanded a ransom be paid in cryptocurrency for restoring access to the system.

 

Attack timeline

Petya was first discovered in 2016, but it wasn't until June 27, 2017, that a massive cyber-attack was launched using a variant of the ransomware that spread to more than 60 countries. The threat, which was distributed via malicious email attachments, was first spotted in Ukraine, where more than 12,500 computers were affected, according to Microsoft. Since then, Petya spread to at least 64 more countries, including Russia, Poland, Italy and Germany..

On June 28, Microsoft published a post stating that the target of the attack was the M.E.Doc software, a tax preparation program used as propagation vector.

At the beginning of July, the group behind the attack made their first public statement, which was left on the Tor-only announcement service DeepPaste. In the message, the Petya authors offered the private encryption key used in the attack in exchange for 100 bitcoin, the equivalent of over $250,000. Total damages from Petya, as estimated by the White House, amounted to $10 billion, and the attack was linked to Russia's intelligence services.

 

Operation

Petya propagated via the EternalBlue exploit, which is generally believed to have been developed by the U.S. National Security Agency (NSA), and was used earlier in the year by the WannaCry ransomware. In addition to encrypting files on the compromised computer, this version of the malware was characterized by encrypting the MBR when it had admin permissions, thus blocking access to the computer.

It was distributed as a DLL with an export named with a parameter that changed with each sample and was generated on starting the encryption process. When run, Petya encrypted certain files on compromised system drives. Additionally, if it had administrator permissions, it also encrypted the system's boot sector, preventing access to the computer unless a decryption key was entered.

The sample created a scheduled task to shut down the computer afterward. Upon restarting the computer, Petya displayed a fake window indicating that a disk problem was being resolved. Afterward, it showed the window seeking the ransom.

 

How to protect yourself from Petya

  • Keep your operating system and security software up-to-date and make sure your firewall and your antivirus solution's latest security features are enabled.
  • Be cautious of documents contained in emails from untrusted senders.
  • Implement advanced security barriers, such as Panda Dome, with antivirus and anti-malware protection.
  • Scan all incoming and outgoing emails to detect threats, and filter executables to prevent them from getting to end users.
  • Make periodic backups of your data and make sure they are working properly and are not accessible to others on the network.