Petya Ransomware: What It Is, Who's Behind It, How to Stop It
We still don't have all the facts on the Petya ransomware worm that struck Europe yesterday (June 27), and more information is still coming out. But here's what we do know, and what you can do to protect yourself.
How did this begin?
The Petya ransomware worm began spreading Tuesday morning with a fake software update that was pushed out to businesses and other enterprises in Ukraine. The software concerned, called MEDoc, is a financial-monitoring application that all businesses in Ukraine must have installed.
MEDoc isn't itself at fault — someone apparently broke into its software-update servers to pull this off. (The thieves who attacked Target's point-of-sale systems in December 2013 did something similar.)
Russian antivirus firm Kaspersky Lab said Wednesday that it had found the Petya malware hidden on a Ukrainian website, possibly in an attempt to infect visitors to the site via drive-by downloads.
How did Petya spread?
From its initial infection point in Ukraine, the Petya worm quickly spread to companies in other European countries through enterprise networks. It's likely that foreign companies with operations or subsidiaries in Ukraine were infected as the worm traveled "upstream" through corporate VPNs to attack central servers, and from there, all Windows PCs on a company network.
There's some evidence that Petya also spread via infected email attachments, but that theory is not quite as well established.
What does Petya do?
Petya is really four things. It's a worm that uses Windows networking tools, and exploits used by the NSA, to spread through local networks. It's a piece of ransomware that encrypts the Master Boot Record — the guts of a Windows hard drive — to prevent a computer from starting up properly.
The third component is a second piece of ransomware that encrypts individual files on the machine if the Master Boot Record attack fails. And the fourth component steals usernames and passwords from infected machines, possibly only so that the worm can infect more machines.
Who is at risk?
The silver lining is that properly patched Windows systems that are not connected to enterprise networks, such as home computers, are at little risk of being infected by the Petya worm — at least for now. If you use a home computer to connect to a corporate VPN, however, you greatly increase the chances of your home network becoming infected.
Does the Petya worm infect Macs, iPhone, Android devices or Linux boxes?
Only Windows machines appear to be at risk.
Does fully patching a Windows computer stop Petya?
Even fully updated Windows computers on an enterprise network can be infected by the Petya worm. That's because once it establishes itself on even one machine inside an enterprise network, Petya will spread by stealing Windows administrative passwords and using standard Windows network-administration tools to install itself on every Windows machine it can.
Will antivirus software stop the Petya worm?
It should. All good antivirus software products should block the Petya worm from installing. That may change if the worm's code or behavior drastically changes.
Is Petya related to WannaCry?
Petya also uses the ETERNALBLUE exploit, also used by the otherwise unrelated WannaCry ransomware worm in mid-May, to spread among Windows machines in an enterprise network. If an enterprise server, or even any Windows computer, has specific network ports — in this case, ports 139 and 445 — open to the internet, then Petya could use that opening to infect the entire local network.
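The exposure described above (SMB ports 139 and 445 reachable from the internet, and the SMBv1 service that ETERNALBLUE targets) can be checked and tightened from an elevated PowerShell session. This is an added example for Windows 8 / Server 2012 or later, not code from the article; the firewall rule name is a value chosen here.

```powershell
# Added example: audit and reduce SMB exposure on a Windows host.
# Assumes the NetSecurity and SmbShare modules (Windows 8 / Server 2012+)
# and an elevated (Administrator) PowerShell session.

$smbPorts = 139, 445

# 1. Is anything listening on 139/445 right now, and which process owns it?
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in $smbPorts } |
    Select-Object LocalAddress, LocalPort, OwningProcess |
    Format-Table -AutoSize

# 2. Which enabled inbound firewall rules currently ALLOW those ports?
#    LocalPort on a port filter may be a string or a string array, so -match
#    is used (it returns the matching elements, which is truthy if any match).
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -match '^(139|445)$' } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' } |
    Select-Object DisplayName, Profile |
    Format-Table -AutoSize

# 3. ETERNALBLUE exploits SMBv1; turn the SMBv1 server off if it is still on
#    (a reboot may be needed before the change fully takes effect).
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 4. Block inbound SMB on the Public profile so the ports are never reachable
#    from an untrusted network. Rule name is an arbitrary label for this example.
New-NetFirewallRule -DisplayName 'Block inbound SMB (Public profile)' `
    -Direction Inbound -Protocol TCP -LocalPort $smbPorts `
    -Profile Public -Action Block | Out-Null
```

Step 4 only covers the Public profile; whether SMB should also be blocked on Private or Domain networks depends on which file-sharing the host legitimately needs.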
Who's behind Petya?
It's not clear who created and released Petya, but a lot of circumstantial evidence points to "patriotic" Russian hackers. Petya tried to render computers completely unusable, doesn't make it easy to pay the ransom or contact the ransom collectors, and takes sophisticated steps to evade detection by antivirus software.
Because of this, some software researchers think the Petya worm's real aim is not to make money, but to disrupt the Ukrainian economy. Ukraine is fighting Russian-sponsored rebels in its eastern provinces, a few Ukrainian defense officials have been killed by car bombs in the past weeks, and the Petya worm shut down countless Ukrainian businesses on the day before a Ukrainian national holiday.
Why is it called Petya?
The ransomware component of this new worm bears at least superficial resemblance to the latest iterations of Petya, a ransomware strain first spotted in 2015. (Petya is Russian for "Pete.") But some researchers think this worm is an entirely new piece of malware that's just designed to look like the real Petya. The real Petya, for example, has a sophisticated ransom-collection and file-decrypting mechanism, and this new bug doesn't.
Should I pay the Petya ransom?
If your computer is encrypted by Petya, there's no point in paying the ransom. The email address that you have to contact to collect the decryption key, email@example.com, has been shut down by the email host. Unless new strains of the ransomware provide a different contact email address, there's no way to recover your files.
Is there a Petya "kill switch"?
No. However, there are a couple of ways that you might be able to prevent or stop the encryption process. First, if your computer unexpectedly begins to shut down, abort the shutdown process and keep it running. The Petya worm has to reboot the machine in order to encrypt the hard drive's Master Boot Record, which is essential to the Windows startup process.
Second, you can try to "immunize" your machine by creating a read-only file called "perfc" and putting it in the Windows directory. In some instances, if the Petya worm sees that file, it won't encrypt the machine — but it will continue to spread to other machines on the same network. However, we've seen reports that this method doesn't work on Windows 7, and that new versions of the Petya code may not have this function.
Lawrence Abrams from Bleeping Computer has created a tool that will create the "perfc" file for you. You'll need to have administrative permissions on the machine concerned, but once you do, just download the file and double-click it.
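Both stop-gap steps above (aborting a pending reboot and creating the read-only "perfc" file) can be done from an elevated PowerShell session. This is an added example, not Lawrence Abrams's tool and not code from the article; "perfc" is the name the article gives, while "perfc.dat" and "perfc.dll" are variants reported elsewhere and are included here as an assumption.

```powershell
# Added example: the two stop-gap measures described above.
# Must run from an elevated (Administrator) PowerShell on Windows.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
if (-not $isAdmin) { throw 'Run this from an elevated (Administrator) PowerShell.' }

# 1. Abort any pending shutdown/restart: the MBR encryption only runs after
#    a reboot. shutdown.exe reports an error when nothing is pending; ignore it.
shutdown.exe /a 2>$null

# 2. Create the read-only marker file(s) in the Windows directory.
#    'perfc' is from the article; the other two names are an assumption
#    based on other write-ups and do no harm if the worm ignores them.
$names = 'perfc', 'perfc.dat', 'perfc.dll'
foreach ($name in $names) {
    $path = Join-Path $env:windir $name
    if (-not (Test-Path $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }
    $item = Get-Item $path
    $item.IsReadOnly = $true            # sets the read-only attribute on disk
    Write-Output ('{0}: exists={1} readonly={2}' -f $path, (Test-Path $path), $item.IsReadOnly)
}
```

As the article notes, the marker file only stops encryption on the local machine in some cases; it does nothing to stop the worm from spreading, so patching and closing SMB exposure still matter.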