What is Petya? Ransomware suspected to be behind huge worldwide cyberattack

What is the Petya ransomware that is believed to be behind a huge ongoing cyberattack in several countries? (Image: iStock)

A huge cyberattack affecting thousands of computers in 64 countries, including Ukraine, Russia, the US, India, France, Germany and Spain, is currently ongoing, and cybersecurity experts believe that the Petya ransomware is behind it, packaged as PetrWrap.

So what is Petya? It is ransomware — a particularly nasty type of malware that encrypts data unless the victim pays a ransom in cryptocurrency to the software's creators. Similar to WannaCry, which infected hospitals and businesses in Europe, the US and Asia in May, Petya is also spread via email.

Where does it come from?

Petya is distributed via malicious emails disguised as job applications. The email comes with a link to a Dropbox folder, which hosts a malicious .zip file purporting to be from an applicant. When the .zip file is opened, it contains a photograph of a young man (stolen from a stock images website) and either a .pdf file or a self-extracting archive pretending to be a CV.


If the victim opens the file, Windows asks them whether they will allow the file to make changes to their computer. The victim can only authorise the malware if they have administrative privileges on the computer, so if your IT department prevents you from making changes to your computer, the ransomware would not be able to run.

How does Petya hijack computers?

If the victim authorises the ransomware to make changes to their computer, Petya immediately causes the computer to crash and show a blue screen of death. When the victim tries to restart their machine, they are greeted by a DOS-style message in the same format and layout as the Check Disk (CHKDSK) tool, which is used to repair problems with the Windows operating system.

The message typically demands the user pay $300 in bitcoin and promises that the victim will get their data restored if they pay. Users are also directed to an information website on Tor, where they are warned that the price of the ransom will double if they do not pay within seven days.

The malicious executable file overwrites the beginning of the victim's disk and makes an encrypted copy of all of their data, before initiating the blue screen of death.

How do you get rid of Petya?

Security experts from Kaspersky Lab currently believe that Petya is behind the ongoing cyberattack. Cybersecurity researchers have previously developed decoders and tips for disabling Petya, but since the malware's creators constantly update it, the established solutions may no longer work.

But it's worth giving it a try, so here's what you can do.

How to disable Petya before it is installed

If you have opened an email attachment that you think might be dodgy, you can stop it from taking over. Access the Windows Task Manager by pressing the Ctrl + Shift + Esc keys together.


Then locate any unusual or suspicious processes and end them.

Go to Start, type "msconfig" into the search field and press Enter. The System Configuration box comes up, where you can check all processes that load on Startup. Look for anything suspicious and kill it. Then use reputable anti-virus software to scan your computer for any remaining malware and viruses.

What to do if you get the Blue Screen of Death

If you've got the blue screen of death, there is still a chance for you to recover your data. As mentioned above, when Petya starts, it only encrypts the beginning of the disk, not the rest of the data.

Until it makes its way to the Master File Table (MFT), you still have a shot, so if the blue screen of death comes up, immediately shut down your computer and remove the hard drive.


If you can manage to shut your computer down fast enough, IT support teams can restore the original master boot record (MBR) using a Windows boot disk to prevent encryption of the files.
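Because Petya's first step is to replace the MBR (the first 512 bytes of the disk), a defender can keep a fingerprint of the known-good sector and compare a freshly read copy against it before deciding whether a restore is needed. The following Python is an added example, not code from the article or from any vendor; the sector bytes and the baseline fingerprint are constructed inline, and reading the real sector 0 from a drive is assumed to happen separately.

```python
import hashlib
import struct

# Classic MBR layout: bytes 0-439 boot code, 440-443 disk signature, 444-445
# reserved, 446-509 four 16-byte partition entries, 510-511 the 0x55AA marker.
MBR_SIZE = 512
BOOT_CODE_SIZE = 440
PARTITION_TABLE_OFFSET = 446
BOOT_SIGNATURE = b"\x55\xAA"


def parse_mbr(sector: bytes) -> dict:
    """Split one 512-byte sector into boot-code hash, partition entries and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba, count = struct.unpack("<B3xB3xII", sector[start:start + 16])
        if ptype != 0:  # type 0 marks an unused slot
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {"boot_code_sha256": hashlib.sha256(sector[:BOOT_CODE_SIZE]).hexdigest(),
            "partitions": partitions, "signature": sector[510:512]}


def check_mbr(sector: bytes, baseline_sha256: str) -> list:
    """Compare a freshly read sector 0 with the saved baseline; [] means it matches."""
    info = parse_mbr(sector)
    findings = []
    if info["signature"] != BOOT_SIGNATURE:
        findings.append("missing 0x55AA boot signature")
    if info["boot_code_sha256"] != baseline_sha256:
        findings.append("boot code differs from baseline")
    if not any(p["bootable"] for p in info["partitions"]):
        findings.append("no bootable partition flagged")
    return findings


# Constructed sample data, not a real disk image: a minimal "known-good" MBR with
# one bootable NTFS (type 0x07) partition starting at LBA 2048.
_boot_code = bytes([0x33, 0xC0, 0x8E, 0xD0]) + b"\x90" * (BOOT_CODE_SIZE - 4)
_table = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 204800) + b"\x00" * 48
KNOWN_GOOD_MBR = _boot_code + b"\x11\x22\x33\x44" + b"\x00\x00" + _table + BOOT_SIGNATURE
BASELINE_FINGERPRINT = parse_mbr(KNOWN_GOOD_MBR)["boot_code_sha256"]

# Simulated overwrite of the bootstrap code only; the partition table and the
# 0x55AA marker are untouched, so the baseline comparison is what catches it.
TAMPERED_MBR = b"\xCC" * BOOT_CODE_SIZE + KNOWN_GOOD_MBR[BOOT_CODE_SIZE:]
```

On a live Windows machine the baseline would be taken from the raw device (\\.\PhysicalDrive0, administrator rights required) while the system is known to be clean, and the sector re-read from a boot disk after an incident.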

In the past, you could also download from an independent cybersecurity researcher a tool that generates a legitimate-looking decryption key. However, that decoder was last updated in May 2016, so it might not work anymore.

© Copyright 2017 IBTimes Co., Ltd. All Rights Reserved.