Petya is the name given to the ransomware behind the worldwide cyber attack of June 2017 that hit organizations in many countries, Ukraine above all, along with the rest of Europe and parts of the United States. The sample was a reworked build of the older Petya family, which is why it is also widely referred to as NotPetya (or ExPetr). Within hours it had crippled many companies and brought their operations to a standstill.
The attack was first seen on June 27, 2017 in Ukraine, where it arrived through a poisoned software update of the M.E.Doc accounting package. After infecting the first machines it spread quickly worldwide. Major companies that were hit included Maersk, DLA Piper, Mondelez and WPP, along with many Ukrainian government organizations. Petya locked down computers running Windows and demanded a ransom of about $300, payable in Bitcoin, to unlock them.
Part 1: What Is Ransomware?
Ransomware is malware designed to encrypt the files on a computer and then demand payment, usually in a digital currency such as Bitcoin, for the key that decrypts them. If the ransom is not paid, any files that were not backed up are effectively lost; paying is no guarantee either, since nothing obliges the attackers to deliver a working key.
Part 2: How Does the Petya Ransomware Work?
Petya spreads inside a network using the EternalBlue exploit (together with its sibling EternalRomance), which targets a vulnerability in the SMBv1 file-sharing service of Windows that Microsoft fixed in March 2017 with security bulletin MS17-010. In addition, it makes use of two legitimate Windows administration tools, PsExec and WMIC, for its propagation.
These two methods run side by side rather than one after the other. Petya harvests the passwords and access tokens of logged-on users from the memory of the machine it has just infected and feeds them to PsExec and WMIC to run a copy of itself on other hosts, while also firing the SMB exploits at any host that is still unpatched. The consequence is that a fully patched machine can still be infected if a neighboring infected machine holds credentials that are valid on it, which is what made Petya a more formidable worm than the ransomware that had surfaced shortly before it. Once one computer is infected, the malware immediately begins working through the other computers on the same network.
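The PsExec and WMIC route described above leaves ordinary Windows event-log traces, so it can be hunted without any malware signature. The following PowerShell is an added example written for this page, not code from the original article or from any vendor: it runs three detection rules over a handful of constructed event records (hostnames, IP addresses, account names and the exact message wording are made up) and includes a helper that pulls the same two event IDs from the live logs. It assumes that 4688 process-creation auditing with command-line logging is switched on, which is not the Windows default.

```powershell
# Added example (not code from the original article): hunt for the lateral
# movement described above in Windows event data. PsExec-style execution
# leaves a System-log event 7045 (service installed) naming PSEXESVC; WMIC
# remote execution and the rundll32 launch of the payload show up as
# Security-log 4688 process-creation events when command-line auditing is on.
# $sampleEvents is constructed for this demo; Get-LiveEvents shapes real
# events the same way.

$sampleEvents = @(
    [pscustomobject]@{ Log='System';   Id=7045; Host='WS-014'
        Message='A service was installed in the system. Service Name: PSEXESVC Service File Name: %SystemRoot%\PSEXESVC.exe' }
    [pscustomobject]@{ Log='Security'; Id=4688; Host='WS-014'
        Message='A new process has been created. New Process Name: C:\Windows\System32\wbem\WMIC.exe Process Command Line: wmic /node:"10.0.5.21" /user:"CORP\svc_backup" process call create "rundll32.exe C:\Windows\perfc.dat,#1"' }
    [pscustomobject]@{ Log='Security'; Id=4688; Host='WS-021'
        Message='A new process has been created. New Process Name: C:\Windows\System32\rundll32.exe Process Command Line: rundll32.exe C:\Windows\perfc.dat,#1 30' }
    [pscustomobject]@{ Log='Security'; Id=4688; Host='WS-014'
        Message='A new process has been created. New Process Name: C:\Windows\System32\notepad.exe Process Command Line: notepad.exe' }
    [pscustomobject]@{ Log='System';   Id=7045; Host='WS-015'
        Message='A service was installed in the system. Service Name: Spooler Service File Name: %SystemRoot%\System32\spoolsv.exe' }
)

# Each rule: the event ID it applies to, a regex over the message, and a label.
# The two 4688 rules anchor on "New Process Name" so a WMIC command line that
# merely mentions rundll32 is attributed to WMIC, not counted twice.
$rules = @(
    @{ Id=7045; Pattern='Service Name:\s*PSEXESVC\b';                                 Technique='PsExec service installed (remote execution)' }
    @{ Id=4688; Pattern='New Process Name:\s*\S*\\wmic\.exe.*\s/node:';             Technique='WMIC remote process creation' }
    @{ Id=4688; Pattern='New Process Name:\s*\S*\\rundll32\.exe.*perfc\.dat,#1';     Technique='Payload launched via rundll32 export #1' }
)

function Find-LateralMovement {
    param([Parameter(Mandatory)] [object[]] $Events)
    foreach ($e in $Events) {
        foreach ($r in $rules) {
            if ($e.Id -eq $r.Id -and $e.Message -match $r.Pattern) {
                [pscustomobject]@{
                    Host      = $e.Host
                    Id        = $e.Id
                    Technique = $r.Technique
                    # Keep only the part of the message an analyst needs to see.
                    Evidence  = ($e.Message -replace '^.*?(Service Name:|Process Command Line:)\s*', '')
                }
            }
        }
    }
}

function Get-LiveEvents {
    # Pull the same two event IDs from the local logs, shaped like the samples.
    $filters = @{ LogName='System'; Id=7045 }, @{ LogName='Security'; Id=4688 }
    foreach ($f in $filters) {
        Get-WinEvent -FilterHashtable $f -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Log=$_.LogName; Id=$_.Id; Host=$_.MachineName; Message=$_.Message } }
    }
}

# Against the constructed sample this reports three findings: the PSEXESVC
# install and the WMIC call on WS-014, and the rundll32 launch on WS-021.
Find-LateralMovement -Events $sampleEvents | Format-Table -AutoSize
# On a real host: Find-LateralMovement -Events (Get-LiveEvents) | Format-Table -AutoSize
```

The SMB exploit half of the propagation does not appear in these logs at all; it is caught by network monitoring (MS17-010 signatures on SMB traffic to port 445) or by the crash it leaves behind on a host where the exploit misfires, so an absence of hits here says nothing about that route.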
After infecting a computer, Petya encrypts the user's documents, images, archives and similar files with AES while the system is still running, then overwrites the master boot record with its own boot code and schedules a reboot for a little later. When the machine comes back up it shows a fake CHKDSK screen; behind that screen the malware encrypts the master file table, the NTFS index without which nothing on the disk can be read at all. Once that is done, a ransom note appears demanding $300 in Bitcoin.
The note gives a Bitcoin address to which the ransom is to be sent and an email address through which the attackers were supposedly to be contacted, and which was to be used to deliver the decryption key for the infected system after payment.
Part 3: How Can It Be Stopped?
Microsoft's patch for the EternalBlue vulnerability, security bulletin MS17-010, had been available since March 2017, three months before the outbreak. On supported versions of Windows it arrives automatically through Windows Update; check that it has actually been installed, not merely downloaded, since the fix is only active after the reboot that completes installation.
Versions that were already out of support, including Windows XP, Windows 8 and Windows Server 2003, received an out-of-band version of the patch in May 2017 that must be downloaded from the Microsoft website and installed manually. Anti-virus programs such as Symantec and Kaspersky were also updated to detect this malware and to block it before it encrypts files, so running an updated version of such a program is another layer of protection. Keep in mind, though, that the patch only closes the SMB route; it does nothing against the spread via PsExec and WMIC with stolen credentials.
In addition to the Windows patch and antivirus updates, another defensive measure identified for this particular version of Petya is a so-called vaccine file. Before doing anything else, the malware looks in C:\Windows for a file carrying its own name without the extension, that is C:\Windows\perfc (the DLL that was spread was named perfc.dat), and exits if it finds one; most guides recommend creating perfc, perfc.dat and perfc.dll, all marked read-only. If the file is present, Petya will not encrypt the files on that computer. Do keep in mind, however, that the file protects only the machine it is on: it does not close the vulnerability, and other unprotected computers on the same network remain exposed.
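The three measures in this part (patch, SMBv1, vaccine file) can be checked and, where possible, applied from one elevated PowerShell session. The script below is an added example for this page, not code from the original article or from Microsoft. The KB numbers it lists are the original March and May 2017 MS17-010 packages; later cumulative updates supersede them without carrying those numbers, so a miss on that check means "look at the update history", not "unpatched". The SMBv1 check falls back to the LanmanServer registry value on releases that lack the SmbShare module.

```powershell
# Added example (not code from the original article): host-side checks for
# the defences in Part 3, with remediation for the two that a script can do.
# The patch itself still has to come from Windows Update or the MS17-010
# download page.
#Requires -RunAsAdministrator

# Original MS17-010 package numbers (superseded by later rollups, see above).
$Ms17010Kbs = @(
    'KB4012212','KB4012215'               # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213','KB4012216'               # Windows 8.1 / Server 2012 R2
    'KB4012214','KB4012217'               # Windows Server 2012
    'KB4012598'                           # XP, Vista, 8, Server 2003/2008 (out-of-band, May 2017)
    'KB4012606','KB4013198','KB4013429'   # Windows 10 1507 / 1511 / 1607
)

function Test-Ms17010 {
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = @($Ms17010Kbs | Where-Object { $installed -contains $_ })
    [pscustomobject]@{ Check='MS17-010 package present'; Ok=($found.Count -gt 0); Detail=($found -join ', ') }
}

function Test-Smb1Disabled {
    # Get-SmbServerConfiguration exists on Windows 8/2012 and later and is
    # authoritative there; the LanmanServer SMB1 value covers Windows 7/2008 R2,
    # where a missing value means the default, which is enabled.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $disabled = -not (Get-SmbServerConfiguration).EnableSMB1Protocol
        $detail   = 'Get-SmbServerConfiguration'
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $disabled = ($null -ne $val) -and ($val -eq 0)
        $detail   = "registry SMB1=$val"
    }
    [pscustomobject]@{ Check='SMBv1 server disabled'; Ok=$disabled; Detail=$detail }
}

function Disable-Smb1 {
    # Turns off the server side of SMBv1 (effective after LanmanServer restarts).
    # This shrinks the attack surface but is not a substitute for the patch.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
}

function Add-PerfcVaccine {
    # The payload exits if a file with its own base name exists in %WINDIR%.
    # The DLL was perfc.dat, so 'perfc' is the name that matters; the other two
    # are the extra names most guides added for safety.
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $path = Join-Path $env:WINDIR $name
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File | Out-Null
        }
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PerfcVaccine {
    $path = Join-Path $env:WINDIR 'perfc'
    $ok = (Test-Path -LiteralPath $path) -and (Get-Item -LiteralPath $path).IsReadOnly
    [pscustomobject]@{ Check='perfc vaccine (read-only)'; Ok=$ok; Detail=$path }
}

# Report first, then remediate what is within reach.
$report = (Test-Ms17010), (Test-Smb1Disabled), (Test-PerfcVaccine)
$report | Format-Table -AutoSize
if (-not (Test-Smb1Disabled).Ok) { Disable-Smb1 }
if (-not (Test-PerfcVaccine).Ok) { Add-PerfcVaccine }
```

Disabling SMBv1 breaks old devices and software that still speak only that dialect (some printers, NAS boxes and legacy applications), so run the check across the estate before the fix, and treat the vaccine as a stopgap for the days until every host is patched rather than as a permanent control.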
Part 4: What Should You Do If You Are Affected by the Ransomware?
If you happen to be a victim of this ransomware, your first action should be to power off the computer immediately. The file encryption that runs before the reboot is bad enough, but it is after the reboot, under the guise of a CHKDSK repair, that Petya encrypts the master file table and makes the whole disk unreadable. So if you see a CHKDSK operation running after an unexpected reboot, pulling the power at once stops that second stage; the master file table stays intact, and the files the first stage had not touched can still be read by mounting the disk from rescue media.
If the ransom note is already showing after the reboot, you should under no circumstances pay. The email address provided for obtaining the key was suspended by its provider within hours of the outbreak, so there is no channel through which a key could be delivered, and analysis of the malware showed that the "installation key" in the note is random data from which no decryption key can be derived; for that reason many analysts regard the attack as a wiper dressed up as ransomware. The only thing left to do is to stop the spread to other computers: disconnect the machine from the network (the local network, not just the internet, since that is where the worm propagates), then reformat the drive, reinstall Windows and restore your files from backup.
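Between the initial infection and the reboot there is a window in which a defender can still act on the host. This variant schedules its own restart with schtasks, running shutdown.exe /r /f after a delay, and it is that restart which starts the master-file-table encryption. The script below is an added example for this page, not code from the original article: it removes the scheduled reboot, captures volatile evidence while the network is still up, then takes the host off the network. It assumes an elevated session on PowerShell 4 or later (for the ScheduledTasks and NetAdapter modules) and uses C:\IR as an assumed evidence folder.

```powershell
# Added example (not code from the original article): containment for a host
# believed to be running the payload that has not yet shown the fake CHKDSK
# screen. Order matters: kill the pending reboot first, capture network state
# before the adapters go down, then isolate.
#Requires -RunAsAdministrator

$EvidenceDir = 'C:\IR'   # assumed location; adjust to your collection share

function Remove-ScheduledReboot {
    # Match on the action rather than the task name: the malware registered its
    # task with an empty name, and matching "shutdown /r /f" also catches variants.
    $hits = Get-ScheduledTask | Where-Object {
        $_.Actions | Where-Object {
            $_.Execute -match 'shutdown(\.exe)?$' -and
            $_.Arguments -match '(^|\s)/r\b' -and
            $_.Arguments -match '(^|\s)/f\b'
        }
    }
    foreach ($task in $hits) {
        $action = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
        [pscustomobject]@{ TaskName=$task.TaskName; TaskPath=$task.TaskPath; Action=$action }
        Unregister-ScheduledTask -InputObject $task -Confirm:$false
    }
}

function Save-VolatileEvidence {
    New-Item -ItemType Directory -Path $EvidenceDir -Force | Out-Null
    # Network state first: it is gone once the adapters are disabled.
    Get-NetTCPConnection |
        Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir 'tcp.csv')
    Get-Process -IncludeUserName | Select-Object Id, ProcessName, UserName, Path |
        Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir 'processes.csv')
    Get-ScheduledTask | Select-Object TaskName, TaskPath, State |
        Export-Csv -NoTypeInformation -Path (Join-Path $EvidenceDir 'tasks.csv')
    # Files this variant dropped into %WINDIR%: the payload DLL and a renamed
    # copy of PsExec. Hash them in place and keep a copy under a neutral name.
    foreach ($name in 'perfc.dat', 'dllhost.dat') {
        $p = Join-Path $env:WINDIR $name
        if (Test-Path -LiteralPath $p) {
            Get-FileHash -LiteralPath $p -Algorithm SHA256 |
                Out-File -Append -FilePath (Join-Path $EvidenceDir 'hashes.txt')
            Copy-Item -LiteralPath $p -Destination (Join-Path $EvidenceDir "$name.bin")
        }
    }
}

function Disconnect-Host {
    # Cuts every active adapter; the worm spreads over the LAN, not the internet.
    Get-NetAdapter | Where-Object Status -eq 'Up' | Disable-NetAdapter -Confirm:$false
}

Remove-ScheduledReboot | Format-Table -AutoSize
Save-VolatileEvidence
Disconnect-Host
```

None of this applies once the fake CHKDSK screen is already up: at that point the only useful action is to cut the power. If the second stage was interrupted early the file system is still intact and the data can be read from rescue media; rewriting the boot record (bootrec /fixmbr from Windows recovery media) is widely reported to make such a disk bootable again, but it cannot help once the master file table has been encrypted. Files the first stage encrypted stay encrypted in either case, so the rebuild-and-restore-from-backup step in the text remains the end state.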
Preventive measures against attacks like Petya include regular backups kept offline or otherwise out of reach of a worm, prompt installation of Windows security updates, and keeping anti-virus programs updated. Disabling SMBv1 where nothing still needs it and not letting ordinary users work with administrative rights blunt both of Petya's spreading routes. Using a VPN on public Wi-Fi and refusing suspicious email attachments are sound general hygiene as well, although neither would have stopped this worm, which arrived through a software update and spread over internal networks.
According to security experts, the Petya ransomware can infect the following Microsoft operating systems when the MS17-010 patch for the EternalBlue vulnerability has not been applied (patched machines remain reachable through the PsExec and WMIC route):
- Windows 10
- Windows RT 8.1
- Windows 8.1
- Windows 7
- Windows XP
- Windows Vista
- Windows Server 2008/2012/2016
Part 5: Can You Recover Your Files?
Rebooting the machine after infection does not bring your files back. On the contrary, the reboot is what starts the second stage in which the master file table is encrypted. What you can do is power off before that stage completes, mount the disk from a rescue system or on another computer, and copy off the files that the first stage had not reached. Files that the first stage had already encrypted with AES cannot be decrypted without the attackers' key, and there is no way to obtain it.
Data recovery software can be useful in the first situation: it can scan the disk for files and, on a volume whose master file table was only partly overwritten, reconstruct what is still readable. It cannot undo encryption, however, and no tool can recover files that Petya fully encrypted. Not all recovery programs are equally capable, and you should rely only on a reputable, genuine tool rather than on anything offered through a ransom note or an unknown download.
Petya is ransomware that encrypts the files on a computer in order to extort payment from its owner. This cyber attack managed to infect many large companies in countries such as Ukraine, Germany, Russia and the United States. Installing the patches released by Microsoft, using updated versions of anti-virus programs such as Kaspersky and Symantec, and switching off the computer at the first sign of infection can all help to stop the malware from encrypting the files on the system.
Zahir Sahil Khalsa is a part-time tech blogger who has been writing articles on a wide variety of topics for many years, especially tech news and posts, and is also a contributor at PCTransor. He is passionate about technology, especially Windows, and spends most of his time developing new skills and learning more about the tech world.