
What kind of virus is Petya petya how it manifests itself. Apparat - New Society Magazine

Britain, USA and Australia have officially accused Russia of spreading NotPetya

On February 15, 2018, the UK Foreign Office issued an official statement accusing Russia of organizing a cyberattack using the NotPetya ransomware virus.


According to the British authorities, the attack demonstrated further disregard for Ukraine's sovereignty, and as a result of these reckless actions, the work of many organizations across Europe was disrupted, resulting in multimillion-dollar losses.


The Foreign Office said the attribution to the Russian government and the Kremlin rests on the assessment of the UK National Cyber Security Centre, which judges it "almost certain that the Russian military was behind the NotPetya attack." The statement added that the UK and its allies will not tolerate malicious cyber activity.

According to Australian Minister for Law Enforcement and Cyber Security Angus Taylor, on the basis of Australian intelligence reporting and consultations with the United States and the United Kingdom, the Australian government concluded that actors supported by the Russian government were responsible for the incident. "The Australian government condemns Russia's behaviour, which poses serious risks to the global economy, government operations and services, business activity, and the safety and welfare of individuals," the statement reads.

The Kremlin, which has previously repeatedly denied any involvement of the Russian authorities in the hacker attacks, called the British Foreign Ministry's statement part of a "Russophobic campaign."

Monument "Here lies the computer virus Petya, defeated by people on 06/27/2017"

A monument to the Petya computer virus was erected in December 2017 next to the Skolkovo Technopark. The two-metre monument, shaped like a bitten hard drive and bearing the inscription "Here lies the Petya computer virus, defeated by people on 06/27/2017", was created with the support of INVITRO and other companies that suffered from the mass cyberattack. A robot named Nu, which works at Phystech Park (MIPT), came to the ceremony to give a speech.

Attack on the government of Sevastopol

Specialists of Sevastopol's Main Directorate of Informatization and Communications successfully repelled an attack by the Petya network ransomware on the regional government's servers. Denis Timofeev, head of the informatization department, announced this at a government staff meeting in Sevastopol on July 17, 2017.

He stated that the Petya malware had no effect on the data stored on computers in Sevastopol's government institutions.


The emphasis on free software is set out in Sevastopol's informatization concept, approved in 2015. It states that when procuring and developing base software and software for automated information systems, the possibility of using free products should be analysed, since this reduces budget costs and dependence on suppliers and developers.

Earlier, at the end of June, the Sevastopol branch of the medical company Invitro was affected as part of the large-scale attack on that company. Because its computer network was infected, the branch temporarily suspended issuing test results until the cause was eliminated.

"Invitro" announced the suspension of receiving tests due to a cyber attack

The medical company Invitro suspended the collection of biomaterial and the issuing of patient test results because of the hacker attack of June 27. Anton Bulanov, the company's director of corporate communications, told RBC about this.

According to the company's statement, Invitro expects to return to normal operation shortly. Results of tests performed after that point will be delivered to patients once the technical failure has been resolved. At the moment the laboratory information system has been restored and is being configured. "We regret the current force majeure situation and thank our clients for their understanding," Invitro concluded.

According to the company, its clinics in Russia, Belarus and Kazakhstan were hit by the computer virus.

Attack on Gazprom and other oil and gas companies

On June 29, 2017, it became known about a global cyberattack on Gazprom's computer systems. Thus, another Russian company has suffered from the Petya ransomware virus.

According to Reuters, citing a source in the Russian government and a person involved in investigating the incident, Gazprom was hit by the spread of the Petya malware, which attacked computers in more than 60 countries in total.

Reuters' sources gave no details on how many systems were infected at Gazprom, which ones, or the amount of damage caused. The company declined to comment on Reuters' request.

Meanwhile, a senior RBC source at Gazprom told the publication that computers at the company's headquarters were working without interruption when the mass hacker attack began (June 27, 2017) and were still working two days later. Two more RBC sources at Gazprom also assured that "everything is calm" at the company and that there are no viruses.

In the oil and gas sector, the Petya virus affected Bashneft and Rosneft. The latter announced on June 28 that the company was operating normally, and “individual problems” were being promptly resolved.

Banks and industry

Infections were also reported at Evraz, the Russian division of Royal Canin (a pet-food maker) and the Russian division of Mondelez (maker of Alpen Gold and Milka chocolate).

According to the Ministry of Internal Affairs of Ukraine, a man posted on file-sharing sites and social networks a video with a detailed description of how to launch the ransomware on computers. In the comments to the video he posted a link to his social-network page, to which he had uploaded the malware. During a search of the "hacker's" apartment, law enforcement officers seized computer equipment used to distribute NotPetya. The police also found malware files which, on analysis, were confirmed to resemble the NotPetya ransomware. As the cyberpolice established, the ransomware linked by the Nikopol resident was downloaded by users of the social network 400 times.

Among those who downloaded NotPetya, law enforcement identified companies that deliberately infected their own systems with the ransomware in order to conceal criminal activity and evade government penalties. Notably, the police do not link the man's activity to the hacker attacks of June 27; there is no suggestion of any involvement with the authors of NotPetya. The acts charged relate only to actions committed in July, after the wave of large-scale cyberattacks.

A criminal case was opened against the man under Part 1 of Art. 361 (unauthorized interference with computers) of the Criminal Code of Ukraine. The Nikopol resident faces up to 3 years in prison.

Distribution in the world

The spread of the Petya ransomware was recorded in Spain, Germany, Lithuania, China and India. In India, for example, the malware caused the cargo-handling systems of the Jawaharlal Nehru container port terminal operated by A.P. Moller-Maersk to stop identifying cargo ownership.

The cyberattack was reported by the British advertising group WPP, the Spanish office of DLA Piper, one of the world's largest law firms, and the food giant Mondelez. The French building-materials manufacturer Compagnie de Saint-Gobain and the pharmaceutical company Merck & Co. were also among the victims.

Merck

The American pharmaceutical giant Merck, badly hit by the June NotPetya ransomware attack, was still unable to restore all of its systems and return to normal operation. This was reported in the company's Form 8-K filed with the US Securities and Exchange Commission (SEC) at the end of July 2017.

Moller-Maersk and Rosneft

On July 3, 2017 it became known that the Danish shipping giant Moller-Maersk and Rosneft had restored the IT systems infected by the Petya ransomware only almost a week after the attack of June 27.


Maersk, which carries one in seven freight containers shipped worldwide, added that all 1,500 applications affected by the cyberattack would be back in normal operation by July 9, 2017 at the latest.

Most of the damage was done to the IT systems of Maersk's APM Terminals, which operates dozens of cargo ports and container terminals in more than 40 countries. More than 100 thousand cargo containers per day pass through the ports of APM Terminals, whose work was completely paralyzed due to the spread of the virus. The Maasvlakte II terminal in Rotterdam resumed deliveries on 3 July.

On August 16, 2017 A.P. Moller-Maersk gave an approximate figure for the damage from the cyberattack using the Petya virus, which, the European company noted, entered its network through the Ukrainian accounting software. According to Maersk's preliminary calculations, financial losses from the Petya ransomware in the second quarter of 2017 amounted to between $200 million and $300 million.

Rosneft likewise needed almost a week to recover its computer systems after the hacker attack, according to a July 3 statement by the company's press service reported by Interfax.

A few days earlier, Rosneft had stressed that it was not yet in a position to assess the consequences of the cyberattack, but that production had not suffered.

How Petya works

Victims of the virus genuinely cannot unlock their files after infection: its creators never provided for that possibility. In other words, an encrypted disk cannot be decrypted in principle. The "personal installation key" shown on the ransom screen is random data and carries no information from which the decryption key could be derived, so even the authors have nothing to decrypt with.

Initially, experts assigned the virus, which infected about two thousand computers in Russia, Ukraine, Poland, Italy, Germany, France and other countries, to the already known Petya ransomware family. However, it turned out to be a new malware family. Kaspersky Lab named the new ransomware ExPetr.

How to fight

Combating Cyber ​​Threats Requires Combining Efforts of Banks, IT Businesses and the Government

Data recovery method from Positive Technologies

On July 7, 2017, Dmitry Sklyarov, an expert at Positive Technologies, presented a method for recovering data encrypted by the NotPetya virus. According to the expert, the method applies when NotPetya ran with administrative privileges and encrypted the entire disk (the MFT, via the overwritten boot sector).

Recovery is possible because of errors the attackers themselves made in their implementation of the Salsa20 encryption algorithm. The method was tested both on a test medium and on one of the encrypted hard drives of a large company that was among the victims of the epidemic.

Data-recovery companies and software vendors are free to use and automate the published decryption script.

The Ukrainian cyberpolice has already confirmed the results of the investigation. Juscutum intends to use its findings as key evidence in the forthcoming proceedings against Intellect-Service.

The proceedings will be civil. Ukrainian law enforcement agencies are conducting their own independent investigation; their representatives have previously raised the possibility of opening a case against Intellect-Service employees.

M.E.Doc itself has stated that what is happening is an attempt at a hostile takeover of the company. The maker of the widely used Ukrainian accounting software believes that the search of its premises carried out by the Ukrainian cyberpolice was part of that plan.

Initial infection vector with the Petya encryptor

On May 17, an M.E.Doc update was released that did not contain the malicious backdoor module. This probably explains the relatively low number of XData infections, the company believes: the attackers did not expect the May 17 release and launched the encryptor on May 18, when most users had already installed the clean update.

The backdoor allows other malware to be downloaded and executed on the infected system, and this is how the initial infections with the Petya and XData encryptors were carried out. In addition, the module collects proxy-server and e-mail settings, including logins and passwords, from the M.E.Doc application, as well as the companies' EDRPOU codes (Unified State Register of Enterprises and Organizations of Ukraine), which allows the victims to be identified precisely.

“We have a number of questions to answer,” said Anton Cherepanov, senior virus analyst at Eset. - How long has the backdoor been used? What commands and malware other than Petya and XData were sent through this channel? What other infrastructures have been compromised but not yet exploited by the cyber group behind this attack? "

Based on a set of indicators, including infrastructure, malicious tools, attack patterns and targets, Eset experts established a link between the Diskcoder.C (Petya) epidemic and the TeleBots group. Who is behind that group's activity has not yet been reliably determined.

Good afternoon, friends. Not long ago we analysed the WannaCry ransomware, which spread to many countries of the world in a matter of hours and infected a great many computers. At the end of June a new, similar virus appeared, "Petya" (also referred to as Petya.A or NotPetya).

Both are ransomware Trojans and are quite similar, although there are differences between them, and significant ones. According to official data, Petya first infected a considerable number of computers in Ukraine and then began its journey around the world.

Computers in Israel, Serbia, Romania, Italy, Hungary, Poland and other countries were affected. Russia is in 14th place on this list. The virus then spread to other continents.

The victims were mainly large companies (quite often oil companies), airports, mobile operators and so on; for example, Bashneft, Rosneft, Mars and Nestle were hit. In other words, the criminals target large companies from which they can extract money.

What is Petya?

Petya is a ransomware Trojan. Such pests are created to blackmail the owners of infected computers by encrypting the information on the PC. Unlike WannaCry, Petya does not limit itself to encrypting individual files: it overwrites the boot sector and encrypts the file system's master file table, so the whole drive becomes inaccessible. This makes it more dangerous than WannaCry.

Once Petya is on the computer it very quickly encrypts the MFT. To make this clearer, an analogy: if the files are a large city library, the virus removes the catalogue, after which it is very hard to find the right book.

And not just the catalogue: it effectively shuffles pages (files) from different books. Naturally the system fails in that state, since it cannot sort out such a mess. Having landed on the computer, the pest reboots the PC, and after the reboot a ransom screen appears (the original 2016 Petya showed a red skull; the June 2017 variant goes straight to a text ransom note). Pressing any key brings up a banner demanding a $300 payment to a Bitcoin wallet.

Petya's virus how not to catch

Who could have created Petya? There is no answer to that question yet, and it is not clear whether the author will ever be identified (most likely not). What is known is that the exploit it uses leaked from the United States (the EternalBlue SMB exploit from the NSA toolset published by the Shadow Brokers). Like WannaCry, the virus looks for a hole in the operating system. To close that hole it is enough to install the MS17-010 update (released a few months earlier, around the time of the WannaCry attack), available from the official Microsoft website.

At the moment this update is the best way to protect your computer. Do not forget about a good antivirus either; Kaspersky Lab has announced a database update that blocks this virus.

That does not mean you have to install Kaspersky. Use your own antivirus, just keep its databases updated. And do not forget about a good firewall.

How the Petya virus spreads


It was widely reported that Petya arrives by e-mail, and that is how many ordinary users expect it; in fact, the confirmed initial vector of the June 2017 outbreak was a trojanized update of the M.E.Doc accounting software, after which the malware spread across networks on its own. Still, while Petya is circulating you should not open links in letters, especially from strangers. Make it a rule in general not to open links from strangers; that protects you not only from this virus but from many others.

Once on the computer, the Trojan reboots the machine and simulates a disk check (CHKDSK). Then, as already mentioned, the ransom screen appears with an offer to decrypt the files in exchange for three hundred dollars sent to a Bitcoin wallet.

I will say straight away: do not pay under any circumstances. Nothing will be decrypted for you; you will only lose your money and fund the Trojan's creators. This virus was not designed to be decrypted.

Petya virus how to protect yourself

Let's take a closer look at Petya protection:

  1. I have already mentioned system updates. This is the most important point. Even if your system is pirated, download and install the MS17-010 update.
  2. In Windows settings, enable "Show file extensions". This lets you see the real extension of a file and delete suspicious ones (for example, a "document" that is actually executable).
  3. Back to e-mail: do not follow links or open attachments from strangers, and while the outbreak lasts do not follow links in mail at all (even from people you know).
  4. It is advisable to enable User Account Control.
  5. Copy important files to removable media or to the cloud. This will spare you many problems: if Petya does land on your PC, it will be enough to format the hard drive and install a fresh operating system.
  6. Install a good antivirus, preferably one with a built-in firewall (such products usually carry the word Security in their name). If you have important data on your computer, do not skimp on antivirus.
  7. Having installed a decent antivirus, keep its databases updated.

Petya virus how to remove

This is a difficult question. If Petya has already run on your computer, there is essentially nothing left to remove: the MFT has been encrypted, so the file system no longer knows where your files are, and you are unlikely to be able to put them back together. Paying the criminals is not worth it. What remains is to format the disk and reinstall the system; after that the virus is gone.

I also want to add that this pest threatens Windows systems. If you run another system, for example the Russian Linux distribution ROSA, you need not fear this ransomware. The same goes for phone owners: most run Android, iOS and so on, so there is nothing to worry about there.

And if you are an ordinary user rather than the owner of a large company, the criminals are most likely not interested in you. They want big companies, for which $300 is nothing and which can actually pay. That does not mean the virus cannot land on your computer, so it is better to be safe.

Hopefully, the Petya virus will bypass you! Protect your information on your computer. Good luck!

On June 27, European countries were hit by an attack of a ransomware virus known under the harmless-sounding name Petya (the names Petya.A, NotPetya and GoldenEye also appear in various sources). The ransomware demands a ransom in bitcoin equivalent to $300. Dozens of large Ukrainian and Russian companies were infected, and the virus was also recorded spreading in Spain, France and Denmark.

Who was hit?

Ukraine

Ukraine was one of the first countries to be attacked. According to preliminary estimates, about 80 companies and government agencies were hit.

The virus does not merely encrypt individual files; it takes away the user's access to the hard drive altogether. The ransomware also carries a fake Microsoft digital signature, meant to convince users that the program comes from a trusted author and is safe. After infecting the computer the virus modifies the code needed to boot the operating system, so that when the computer starts it is the malicious code that loads rather than the operating system.

How to protect yourself?

  1. Block TCP ports 1024-1035, 135 and 445 (135 is the RPC endpoint mapper and 445 is SMB, the channels the malware uses to move between machines).
  2. Update the databases of your antivirus products.
  3. Since Petya also spreads via phishing, do not open e-mails from unknown sources (if the sender is known, check that the letter is genuine), and be careful with social-network messages from friends, since their accounts may have been hacked.
  4. The virus looks for the file C:\Windows\perfc and, if it does not find it, creates it and begins the infection. If such a file already exists on the computer, the virus stops without infecting it. So you need to create an empty file with that name. This process is described in more detail below.

The Petya virus attack came as an unpleasant surprise for residents of many countries. Thousands of computers have been infected, as a result of which users have lost important data stored on their hard drives.

Of course, now the excitement around this incident has subsided, but no one can guarantee that this will not happen again. That is why it is very important to protect your computer from possible threats and not take unnecessary risks. How to do this most effectively will be discussed below.

Consequences of the attack

First, recall the consequences of Petya.A's short-lived activity. In just a few hours, dozens of Ukrainian and Russian companies were affected. In Ukraine the computer departments of institutions such as Dniproenergo, Nova Poshta and the Kiev Metro were almost completely paralysed. Some government organizations, banks and mobile operators were hit by the Petya virus as well.

In the European Union the ransomware also caused a lot of trouble. French, Danish, British and international companies reported temporary operational disruptions linked to the Petya computer virus attack.

As you can see, the threat is serious. And although the attackers chose large financial institutions as their victims, ordinary users suffered no less.

How Petya works

To understand how to protect yourself from the Petya virus, you first need to understand how it works. Once on a computer, the malware overwrites the Master Boot Record with its own small bootloader. The MBR is a separate area of the hard disk, hidden from the user's eyes, whose job is to start the operating system; the replaced bootloader encrypts the file system's master file table on the next reboot.

To the user this looks like the ordinary Check Disk program running after a sudden system crash: the computer restarts abruptly, a message about checking the hard disk for errors appears, and the user is asked not to switch off the power.

As soon as this "check" finishes, a screen appears announcing that the computer is locked. The user is asked to pay the creator of the Petya virus a ransom of $300 (more than 17.5 thousand rubles), with the promise of a key that will make the PC work again.

Prophylaxis

It is obviously much easier to prevent infection with the Petya computer virus than to deal with its consequences later. To secure your PC:

  • Always install fresh updates for the operating system. The same applies in principle to all software installed on your PC. Incidentally, Petya cannot harm computers running macOS or Linux.
  • Use a current version of an antivirus and keep its databases updated. Yes, the advice is banal, but not everyone follows it.
  • Do not open suspicious files sent to your mail. Also check any apps downloaded from questionable sources.
  • Back up important documents and files regularly. It is best to keep them on a separate medium or in the cloud (Google Drive, Yandex.Disk, etc.). Then even if something happens to your computer, the valuable information will survive.

Create stop file

Developers of leading antivirus products have worked out how to stop the Petya virus. More precisely, research showed that in the early stages of infection the ransomware tries to find a particular local file on the computer. If it finds it, the virus stops and does no harm to the PC.

Simply put, you can manually create a kind of stop file and thereby protect your computer. To do this:

  • Open the folder options and uncheck "Hide extensions for registered file types".
  • Create a new file with Notepad and place it in the C:\Windows directory.
  • Rename the created file to "perfc" (no extension). Then open its Properties and enable the "Read-only" attribute.

Now, if the Petya virus reaches your computer, it will not be able to harm it. Keep in mind, though, that the check keys off the malware's own file name, so attackers may modify the malware in the future and the stop-file method will stop working.
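The three measures recommended in the two checklists above (the MS17-010 update, blocking TCP 135, 445 and 1024-1035, and the C:\Windows\perfc stop file) can be applied and verified in one go. The script below is an added example written for this page, not code from any of the quoted sources or vendors. It assumes an elevated PowerShell session on Windows 8/Server 2012 or later (Get-SmbServerConfiguration and the NetSecurity cmdlets are absent on Windows 7); the KB numbers are the ones Microsoft listed for MS17-010 and should be verified against the bulletin, and the rule names are arbitrary.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original article. Applies and checks the Petya
# mitigations described above on one Windows host. Run as Administrator.

# 1. MS17-010 check. KB list as published for MS17-010 (verify against the bulletin).
#    On Windows 10 later cumulative updates supersede these KBs, so an empty result
#    is NOT proof of a missing patch; treat it as "verify manually".
$ms17010Kbs = 'KB4012598','KB4012212','KB4012215','KB4012213','KB4012216',
              'KB4012214','KB4012217','KB4012606','KB4013198','KB4013389'
$installed = Get-HotFix | Where-Object { $ms17010Kbs -contains $_.HotFixID }
if ($installed) {
    "MS17-010 update(s) present: " + ($installed.HotFixID -join ', ')
} else {
    "No MS17-010 KB listed by Get-HotFix; confirm the build carries a cumulative update that includes it."
}

# EternalBlue, the exploit behind the MS17-010 fix, targets SMBv1. Disabling the
# protocol closes that door regardless of patch bookkeeping.
if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
    "SMBv1 is ENABLED - disabling it."
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    "SMBv1 already disabled."
}

# 2. Inbound blocks for the ports named in the recommendation (135 = RPC endpoint
#    mapper, 445 = SMB, 1024-1035 = the range the advisory listed). Caveat: on a
#    file server or domain controller this breaks legitimate traffic; narrow the
#    rules with -RemoteAddress or -Profile instead of blocking everything.
$rules = @{
    'Petya-Block-RPC-135'    = '135'
    'Petya-Block-SMB-445'    = '445'
    'Petya-Block-RPC-1024-35' = '1024-1035'
}
foreach ($name in $rules.Keys) {
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP `
            -LocalPort $rules[$name] -Action Block -Profile Any | Out-Null
        "Created firewall rule $name (TCP $($rules[$name]))"
    } else {
        "Firewall rule $name already exists"
    }
}

# 3. Stop file. The path must be exactly %SystemRoot%\perfc with no extension:
#    the malware derives the name from its own DLL (perfc.dat) and only checks
#    that name, which is also why a renamed build ignores this file.
$stop = Join-Path $env:SystemRoot 'perfc'
if (-not (Test-Path -LiteralPath $stop)) {
    New-Item -Path $stop -ItemType File | Out-Null
}
Set-ItemProperty -LiteralPath $stop -Name IsReadOnly -Value $true
"Stop file: $stop (ReadOnly = $((Get-Item -LiteralPath $stop).IsReadOnly))"
```

Step 1 reports rather than enforces, because on a machine that is up to date the individual MS17-010 KBs will not appear in Get-HotFix; the SMBv1 check is the more reliable signal. Steps 2 and 3 are idempotent, so the script can be pushed repeatedly through a login script or management tool without creating duplicate rules.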

If the infection has already occurred

When the computer reboots on its own and the Check Disk screen appears, the virus is only just starting to encrypt the file table. At that point you can still save your data by doing the following:

  • Power off the PC immediately. This is the only way to interrupt the encryption.
  • Then connect the hard drive to another PC (not as the boot drive!) and copy the important information off it.
  • After that, completely format the infected hard drive. Naturally, you will then have to reinstall the operating system and other software on it.

Alternatively, you can try a special boot disk to clean up the Petya virus, for example Kaspersky Rescue Disk from Kaspersky Lab, which boots independently of the installed operating system.

Is it worth paying ransomware

As mentioned earlier, the creators of Petya demand a $300 ransom from users whose computers have been infected. According to the extortionists, after payment the victims will be sent a key that unlocks the information.

The problem is that a user who wants to get the computer back to normal has to write to the criminals by e-mail, and the ransomware's e-mail address was promptly blocked by the mail provider, so contacting them is simply impossible.

Moreover, many leading antivirus developers are certain that a computer infected by Petya cannot be unlocked with any key at all.

As you have probably understood, paying the ransomware is not worth it. Otherwise you will be left not only with a non-working PC but also without a considerable sum of money.

Will there be new attacks

The Petya virus was first discovered back in March 2016. Security experts noticed the threat quickly then and prevented its mass spread. But at the end of June 2017 the attack was repeated, with very serious consequences.

It is unlikely to end there. Ransomware attacks are not uncommon, so it is very important to keep your computer protected at all times. The problem is that no one can predict what form the next infection will take. Whatever the case, it is always worth following the simple recommendations in this article to keep the risk to a minimum.

Companies around the world were hit by a massive cyberattack by malware on Tuesday, June 27. The virus encrypts user data on hard drives and extorts money in bitcoin. Many immediately assumed it was the Petya virus described back in spring 2016, but antivirus vendors believe the attack was carried out by a different, new malicious program.

A powerful hacker attack on the afternoon of June 27 struck Ukraine first and then several large Russian and foreign companies. The virus, which many mistook for last year's Petya, spreads to computers running Windows; early reports described a spam e-mail with a link that, when clicked, opens a window requesting administrator rights. If the user grants the program access to the computer, the virus begins demanding money, $300 in bitcoin, with the amount doubling after some time.

The Petya virus discovered in early 2016 spread in exactly the same way, so many users assumed this was the same thing. But experts from antivirus companies have already stated that the attack is the work of a different, new virus, which they are still studying. Kaspersky Lab's experts gave the unknown virus the name NotPetya.

According to our preliminary data, this is not the Petya virus, as was reported earlier, but new malware unknown to us. That is why we named it NotPetya.

There will be two text fields, titled "Base64 encoded 512 bytes verification data" and "Base64 encoded 8 bytes nonce". To obtain the key, enter the data extracted by the program into these two fields. (These instructions refer to the key-recovery tool for the original 2016 Petya, which stored enough material on disk to reconstruct the key; they do not apply to the June 2017 variant.)

The program will output a password. Enter it at the virus's prompt after inserting the disk and seeing the lock screen.

Cyberattack victims

Ukrainian companies suffered most from the unknown virus. Computers at Boryspil airport, the Ukrainian government, shops, banks, media and telecommunications companies were infected. The virus then reached Russia, where the victims included Rosneft, Bashneft, Mondelez International, Mars and Nivea.

Foreign organizations also reported problems with their IT systems because of the virus: the British advertising company WPP, the American pharmaceutical company Merck & Co, the large Danish shipping company Maersk and others. Costin Raiu, head of Kaspersky Lab's global research team, wrote about this on Twitter.