Petya is ransomware for Microsoft Windows that spreads across the local network. It mostly infects computers in Europe, but has begun to spread into Asia. Some companies are still struggling to replace computers infected with Petya. There are two variants of Petya: the original 2016 variant, and the 2017 variant, which many security researchers call NotPetya. NotPetya is actually a wiper, and it completely destroys the data on the computer.
NotPetya is now considered destructive malware, similar to MEMZ (Destructive), because the encryption keys are randomly generated and then destroyed. (Note, however, that while the user can recover from MEMZ, the damage NotPetya causes is irreversible: the user's data is gone unless they had a backup.) Many experts believe that NotPetya only pretended to be ransomware and was in fact a data wiper. Petya (the 2016 variant), however, can be recovered from, as the master key used for encryption was released.
Like WannaCry, this malware uses the EternalBlue exploit. As it is a .DLL file, it can be run by system processes. When run, it encrypts files so that they become unreadable. It also sets up a scheduled task to restart the computer in one hour. The 2017 variant then slowly begins spreading across the local network. The 2016 variant instead displays a modified Blue Screen of Death with a c0000350 error and then a fake CHKDSK screen; in reality, the files are being encrypted while that screen is shown. On the 2016 variant, encryption takes slightly longer. After encryption, the next screen displayed depends on the variant. The 2016 variant displays a flashing skull with text that reads:
PRESS ANY KEY!
The other 2016 variants are Mischa (green-on-black) and GoldenEye.
The 2017 variant displays only text. The 2016 variant tells the user to visit a darknet page using Tor and to enter a personal encryption code on that page. However, the email was taken down shortly after the ransomware was released, making it impossible to decrypt files.
The 2017 variant tells the user to send 300 bitcoins to an address, and then to email the bitcoin wallet ID and a personal installation key in order to receive a decryption key. As with the 2016 variant, the email address has since been shut down, and it is now impossible to recover files. Due to a bug, it actually corrupts the files instead of encrypting them. Soon afterwards, it was revealed to be a wiper in disguise, purposely built so that its changes could not be reverted. In 2018, the United States, UK, and Australia issued a statement that they believe Russia to be behind NotPetya.
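The behaviour described above gives a defender two host-level signals to watch for: a scheduled task whose action is a forced reboot, and a DLL being launched through a system host process. The script below is an added example, not code from the original article or from any malware sample; it runs a pair of heuristics over constructed process-creation command lines (shaped like Sysmon Event ID 1 CommandLine fields, not real captures). The DLL path `C:\Windows\update.dll` and the task time are made up, and the second heuristic assumes that legitimate rundll32 use in the environment passes bare library names rather than full paths.

```powershell
# Added example (not from the original article): flag process-creation command
# lines showing (1) a scheduled task that reboots the host and (2) rundll32
# loading a DLL by explicit path. All sample lines below are constructed.

# Constructed sample telemetry in the shape of Sysmon Event ID 1 CommandLine
# fields; none of these are real captures.
$sampleCommandLines = @(
    'C:\Windows\system32\schtasks.exe /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 15:07',
    'C:\Windows\system32\rundll32.exe C:\Windows\update.dll,#1',
    'C:\Windows\system32\schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"',
    'C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL',
    'C:\Windows\system32\notepad.exe C:\Users\alice\notes.txt'
)

function Test-SuspiciousCommandLine {
    param([Parameter(Mandatory)][string]$CommandLine)
    $reasons = @()

    # Heuristic 1: schtasks is creating a task whose action is a forced reboot
    # (the "restart in one hour" task described in the article). -match is
    # case-insensitive by default in PowerShell.
    if ($CommandLine -match 'schtasks(\.exe)?\s+/create' -and
        $CommandLine -match 'shutdown(\.exe)?\s+(/|-)r') {
        $reasons += 'schtasks creates a task that reboots the host'
    }

    # Heuristic 2: rundll32 is given a DLL by full drive path rather than a bare
    # library name (assumption: bare names are the norm in this environment).
    if ($CommandLine -match 'rundll32(\.exe)?\s+[A-Z]:\\') {
        $reasons += 'rundll32 loads a DLL from an explicit path'
    }

    # The leading comma keeps an empty or single-element array from being unrolled.
    return ,$reasons
}

foreach ($line in $sampleCommandLines) {
    $hits = Test-SuspiciousCommandLine -CommandLine $line
    if ($hits.Count -gt 0) {
        Write-Output ("ALERT: {0}`n       {1}" -f ($hits -join '; '), $line)
    }
}
```

Run as-is, the script raises alerts for the first two constructed lines and stays silent on the remaining three. In production the `$sampleCommandLines` array would be replaced by the CommandLine field of real process-creation events, and the rundll32 heuristic should be tuned against a baseline of the environment's normal rundll32 invocations before it is used for alerting.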
On 30 August 2018, a regional court in Nikopol in the Dnipropetrovsk Oblast of Ukraine convicted an unnamed Ukrainian citizen and sentenced him to one year in prison after he pleaded guilty to having spread a version of Petya online.
Booting from a live CD during the Blue Screen allows the user to recover their files without losing anything, as the ransomware has not yet begun encryption. Another way to prevent encryption is to force the computer off during the fake CHKDSK screen, before the ransomware begins to encrypt files. Also, keep the computer updated to ensure that the vulnerability used by the EternalBlue exploit is patched.
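The last step, confirming that the EternalBlue vulnerability is patched, can be checked from an elevated PowerShell session. The script below is an added example and not part of the original article: it reports whether the SMBv1 server protocol that EternalBlue targets is still enabled, and whether one of the individual March 2017 MS17-010 security packages for Windows 7, 8.1, Server 2008 R2, 2012 and 2012 R2 is installed. The KB list is a partial one chosen for this example; on Windows 10 and later, cumulative updates supersede these packages, so their absence there does not by itself mean the host is unpatched.

```powershell
# Added example (not from the original article): report SMBv1 state and the
# presence of a March 2017 MS17-010 package. Run in an elevated session on
# Windows 8 / Server 2012 or later (Get-SmbServerConfiguration requires it).

function Get-EternalBlueExposure {
    # Is the SMBv1 server protocol, the one EternalBlue exploits, still enabled?
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Stand-alone MS17-010 packages (security-only and monthly rollup) for
    # Windows 7 / 2008 R2, 8.1 / 2012 R2, 2012 and the legacy out-of-band update.
    # Assumption: a partial list; newer cumulative updates supersede these.
    $ms17010Kbs = 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                  'KB4012214', 'KB4012217', 'KB4012598'
    $installed = Get-HotFix |
        Where-Object { $ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        SMB1Enabled      = [bool]$smb1Enabled
        MS17010Installed = ($installed.Count -gt 0)
        MatchingKBs      = ($installed -join ', ')
    }
}

$report = Get-EternalBlueExposure
$report | Format-List

if ($report.SMB1Enabled) {
    Write-Warning 'SMBv1 is enabled; disable it unless a legacy device still requires it:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if (-not $report.MS17010Installed) {
    Write-Warning 'No stand-alone MS17-010 package found; confirm the host is current through Windows Update.'
}
```

Disabling SMBv1 removes the attack surface regardless of patch level, which is why the script checks it first; the hotfix check is secondary and only meaningful on the operating systems that received the individual packages listed.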
The name "Petya" is a reference to the 1995 James Bond film GoldenEye, wherein Petya is one of the two Soviet weapon satellites which carry a "Goldeneye" – an atomic bomb detonated in low Earth orbit to produce an electromagnetic pulse. A Twitter account that Heise suggested may have belonged to the author of the malware, named "Janus Cybercrime Solutions" after Alec Trevelyan's crime group in GoldenEye, had an avatar with an image of GoldenEye character Boris Grishenko, a Russian hacker and antagonist in the film played by Scottish actor Alan Cumming.
Affected Companies and Organizations
- Rosneft (Russia)
- A.P. Moller-Maersk (Denmark)
- WPP (United Kingdom)
- Merck & Co.
- Russian banks (Russia)
- Ukraine central bank and power grid (Ukraine)
- Boryspil Airport (Ukraine)
- Saint Gobain (France)
- Deutsche Post (Germany)
- Metro (Germany)
- Mondelez International (United States)
- Evraz (Russia)
- Norwegian unnamed international company (Norway)
- Mars Inc. (United States)
- Beiersdorf AG (India)
- Reckitt Benckiser (United Kingdom)