What the new Petya virus is. Apparat - New Society Magazine

A number of Russian and Ukrainian companies were attacked by the Petya ransomware virus. The site's editors talked with experts from Kaspersky Lab and the AGIMA interactive agency and found out how to protect corporate computers from the virus and how Petya resembles the equally well-known WannaCry ransomware.

Petya virus

In Russia, the attack hit Rosneft, Bashneft, Mars, Nivea and the chocolate manufacturer Alpen Gold Mondelez International. The ransomware also hit the radiation monitoring system of the Chernobyl nuclear power plant. In addition, the attack affected computers of the Ukrainian government, Privatbank and telecom operators. The virus locks computers and demands a ransom of $300 in bitcoins.

In a microblog on Twitter, the press service of Rosneft spoke about a hacker attack on the company's servers. "A powerful hacker attack was carried out on the company's servers. We hope that this has nothing to do with the current court procedures. In fact, the company turned to law enforcement agencies in connection with the cyber attack," the message says.

According to the company's press secretary Mikhail Leontyev, Rosneft and its subsidiaries are operating normally. After the attack, the company switched to a backup system for managing production processes, so oil production and treatment were not stopped. The systems of Home Credit bank were also attacked.

"Petya" does not infect without "Misha"

According to Evgeny Lobanov, executive director of AGIMA, the attack was in fact carried out by two ransomware viruses: Petya and Misha.

"They work in conjunction. Petya does not infect without Misha. It can infect on its own, but yesterday's attack was two viruses: first Petya, then Misha. Petya rewrites the boot device (where the computer boots from), and Misha encrypts files according to a certain algorithm," the specialist explained. "Petya encrypts the boot sector of the disk (MBR) and replaces it with its own; Misha then encrypts all files on the disk (not always)."

He noted that Petya is not like the WannaCry ransomware that attacked major global companies in May this year; it is a new version.

"Petya.A is from the WannaCry family (or rather WannaCrypt), but the main difference, the reason it is not the same virus, is that the MBR is replaced by its own boot sector; this is a novelty for ransomware. The Petya virus appeared a long time ago; on GitHub (an online service for IT projects and joint programming - ed.) https://github.com/leo-stone/hack-petya there was a decryptor for this cryptor, but no decryptor is suitable for the new modification."

Yevgeny Lobanov stressed that the attack hit Ukraine harder than Russia.

"We are more susceptible to attacks than other Western countries. We will be protected from this version of the virus, but we will not be protected from its modifications. Our Internet is insecure, and in Ukraine it is even less so. Mainly transport companies, banks, mobile operators (Vodafone, Kyivstar) and medical companies, the same Farmmag, Shell petrol stations - all very large transcontinental companies," he said in an interview with the site.

The executive director of AGIMA noted that so far there are no facts that would indicate the geographical location of the distributor of the virus. In his opinion, the virus presumably originated in Russia. Unfortunately, there is no direct evidence of this.

"There is an assumption that these are our hackers, since the first modification appeared in Russia, and the virus itself, which is no secret to anyone, was named after Petro Poroshenko. It was a development of Russian hackers, but who changed it further is hard to say. Even being in Russia, it is easy to get hold of a computer with geolocation in the United States, for example," the expert explained.

"If your computer is suddenly infected, you cannot turn off the computer. If you reboot, you will never enter the system again."

"If a computer is suddenly infected, you cannot turn off the computer, because the Petya virus replaces the MBR, the first boot sector from which the operating system is loaded. If you reboot, you will never enter the system again. This cuts off the escape routes; even if a 'cure' appears, it will be impossible to get the data back. Next, you need to immediately disconnect from the Internet so that the computer does not go online. An official patch from Microsoft has already been released; it provides a 98 percent security guarantee. Unfortunately, not yet 100 percent. A certain modification of the virus (there are three of them) still bypasses it," Lobanov recommended. "However, if you nevertheless rebooted and saw the beginning of the 'disk check' process, at this moment you need to immediately turn off the computer, and the files will remain unencrypted."

In addition, the expert also explained why Microsoft users are attacked far more often than users of MacOSX (Apple's operating system - ed.) and Unix systems.

"Here it is more correct to speak not only about MacOSX, but about all Unix systems (the principle is the same). The virus spreads only to computers, not mobile devices. The attack affects the Windows operating system and only threatens those users who have disabled the automatic system update function. As an exception, updates are available even to owners of older Windows versions that are no longer updated: XP, Windows 8 and Windows Server 2003," said the expert.

"MacOSX and Unix are not globally exposed to such viruses, because many large corporations use the Microsoft infrastructure. MacOSX is not affected, since it is not so widespread in government agencies. There are fewer viruses for it; they are not profitable to make, because the attack segment would be smaller than if you attack Microsoft," the specialist concluded.

"The number of attacked users has reached two thousand"

The press service of Kaspersky Lab, whose experts continue to investigate the latest wave of infections, said that "this ransomware does not belong to the already well-known Petya ransomware family, although it has several lines of code in common with it."

The Lab is confident that in this case we are talking about a new family of malicious software with functionality significantly different from Petya. Kaspersky Lab named the new ransomware ExPetr.

"According to Kaspersky Lab, the number of attacked users has reached two thousand. Most of the incidents were recorded in Russia and Ukraine, and cases of infection were also observed in Poland, Italy, Great Britain, Germany, France, the United States and several other countries. At this moment our experts suspect that this malware used multiple attack vectors. It was found that a modified EternalBlue exploit and an EternalRomance exploit were used for distribution in corporate networks," the press service said.

Experts are also exploring the possibility of creating a decryption tool with which the data could be recovered. The Lab also issued recommendations to all organizations on avoiding such an attack in the future.

"We recommend that organizations install Windows updates. Windows XP and Windows 7 should install security update MS17-010 and ensure they have an effective data backup system. Timely and secure data backup makes it possible to restore original files even if they were encrypted by malware," advised Kaspersky Lab experts.

The Lab also recommends that its corporate clients ensure that all protection mechanisms are activated, in particular that the connection to the Kaspersky Security Network cloud infrastructure is enabled. As an additional measure, it is recommended to use the Application Privilege Control component to prevent all application groups from accessing (and, accordingly, executing) the file named "perfc.dat".

"If you do not use Kaspersky Lab products, we recommend disabling the execution of the file named perfc.dat, and also blocking the launch of the PsExec utility from the Sysinternals package using the AppLocker function included in the Windows OS (operating system - ed.)," the Lab recommended.

On May 12, 2017, many computers were hit by WannaCry, a data encryptor for computer hard drives. It locks the device and demands payment of a ransom.
The virus affected organizations and departments in dozens of countries around the world, including Russia, where the servers of the Ministry of Health, the Ministry of Emergency Situations, the Ministry of Internal Affairs, cellular operators and several large banks were attacked.

The spread of the virus was halted accidentally and temporarily: if the hackers change just a few lines of code, the malware will start working again. The damage from the program is estimated at $1 billion. After a linguistic forensic analysis, experts concluded that WannaCry was created by people from China or Singapore.

Antivirus programs are installed on the computer of almost every user, but sometimes a Trojan or virus appears that can bypass even the best protection and infect your device, or, even worse, encrypt your data. This time, such a virus was the ransomware Trojan Petya (also written Petya.A). The rate of spread of this threat is very impressive: in a couple of days it managed to "visit" Russia, Ukraine, Israel, Australia, the United States, all major European countries and more. It mainly hit corporate users (airports, power plants, tourism), but ordinary people also suffered. In terms of its scale and methods of operation, it is extremely similar to the recently sensational WannaCry.

You undoubtedly need to protect your computer in order not to fall prey to the new Petya ransomware Trojan. In this article I will tell you what this Petya virus is, how it spreads, and how to protect yourself from this threat. In addition, we will touch on removing the Trojan and decrypting information.

What is Petya Virus?

First, we need to understand what Petya is. The Petya virus is malicious software, a ransomware Trojan. These viruses are designed to blackmail the owners of infected devices in order to obtain a ransom from them for encrypted data. Unlike WannaCry, Petya doesn't bother to encrypt individual files; it almost instantly "takes away" the entire hard drive.

The correct name for the new virus is Petya.A. In addition, Kaspersky calls it NotPetya / ExPetr.

Description of the Petya virus

Upon entering your Windows computer, Petya almost instantly encrypts the MFT (Master File Table). What is this table responsible for?

Imagine that your hard drive is the largest library in the entire universe. It contains billions of books. So how do you find the book you want? Only using the library catalog. It is this catalog that Petya destroys. Thus, you lose any opportunity to find any "file" on your PC. To be more precise, after Petya's "work", your computer's hard drive will resemble a library after a tornado, with scraps of books flying everywhere.

Thus, unlike WannaCry, which I mentioned at the beginning of the article, Petya.A does not encrypt separate files, which would take an impressive amount of time; it simply takes away every opportunity for you to find them.

After all these manipulations, it demands a ransom of $300 from the user, to be transferred to a bitcoin account.

Who created the Petya virus?

When creating the virus, the author of Petya used an exploit (a "hole") in the Windows OS called EternalBlue. Microsoft released a patch that "closes" this hole a few months ago; however, not everyone uses a licensed copy of Windows and installs all system updates, right?

The creator of Petya was able to exploit the carelessness of corporate and private users and make money on it. His identity is still unknown (and is unlikely to become known).

How does the Petya virus spread?

The Petya virus most often spreads under the guise of email attachments and in archives with pirated, infected software. The attachment can be absolutely any file, including what looks at first glance like a photo or an mp3. After you run the file, your computer will reboot and the virus will simulate a CHKDSK disk check for errors, and at this moment it will modify your computer's boot record (MBR). After that, you will see a red skull on your computer screen. By pressing any key, you get to a text in which you are asked to pay for decrypting your files and transfer the required amount to a bitcoin wallet.

How to protect yourself from Petya virus?

  • The most important and basic thing: make it a rule to install updates for your operating system! This is incredibly important. Do it now, don't delay.
  • Pay particular attention to all attachments in emails, even if the emails are from people you know. During the epidemic, it is better to use alternative ways of transferring data.
  • Activate the "Show file extensions" option in the OS settings so that you can always see a file's true extension.
  • Turn on "User Account Control" in the Windows settings.
  • Install an antivirus to avoid infection. Start by installing the OS updates, then install an antivirus, and you will already be much more secure than before.
  • Be sure to make "backups": save all important data on an external hard disk or in the cloud. Then, if the Petya virus penetrates your PC and encrypts all data, it will be quite easy for you to format your hard disk and reinstall the OS.
  • Always check that your antivirus databases are up to date. All good antiviruses monitor threats and respond in a timely manner by updating threat signatures.
  • Install the free Kaspersky Anti-Ransomware utility. It will protect you from encryption viruses. Installing this software does not relieve you of the need to install an antivirus.

How to remove the Petya virus?

How do you remove the Petya.A virus from your hard drive? This is a very interesting question. The fact is that if the virus has already locked your data, then there is, in fact, nothing to delete. If you do not plan to pay the ransomware (which you should not do) and will not try to recover data from the disk in the future, you just need to format the disk and reinstall the OS. After that, there will be no trace of the virus.

If you suspect that an infected file is present on your disk, scan the disk with one of the antivirus scanners, or install Kaspersky Anti-Virus and perform a full system scan. The developer has assured that its signature database already contains information about this virus.

Petya.A decryptor

Petya.A encrypts your data with a very strong algorithm. There is currently no solution for decrypting the locked information. Moreover, you should not try to recover the data on your own.

Undoubtedly, we would all dream of getting the miraculous decryptor Petya.A, but there is simply no such solution. The virus hit the world a few months ago, but no cure has been found to decrypt the data it encrypted.

Therefore, if you have not yet become a victim of the Petya virus, listen to the advice that I gave at the beginning of the article. If you still lost control of your data, then you have several ways.

  • Pay money. It makes no sense to do this! Experts have already found out that the creator of the virus does not restore data, nor can it be recovered, given the encryption method.
  • Remove the hard drive from your device, carefully put it in a cabinet and wait for a decryptor to appear. By the way, Kaspersky Lab is constantly working in this direction. Available decryptors are published on the No Ransom website.
  • Format the disk and reinstall the operating system. The downside: all data will be lost.

Petya.A virus in Russia

In Russia and Ukraine, more than 80 companies have been attacked and infected at the time of this writing, including such large ones as Bashneft and Rosneft. Infection of the infrastructure of such large companies indicates the seriousness of the Petya.A virus. There is no doubt that the ransomware Trojan will continue to spread across Russia, so you should take care of the security of your data and follow the advice given in the article.

Petya.A and Android, iOS, Mac, Linux

Many users are worried: "But could the Petya virus infect my Android or iOS device?" I hasten to reassure them: no, it cannot. It is intended for Windows users only. The same goes for Linux and Mac fans: you can sleep soundly, nothing threatens you.

Conclusion

So today we discussed the new Petya.A virus in detail. We understood what this Trojan is and how it works, learned how to protect ourselves from infection and remove the virus, and where to look for a Petya decryptor. I hope this article and my tips were helpful to you.

The Petya virus is a rapidly spreading virus that brought down almost all large enterprises in Ukraine on June 27, 2017. The Petya virus encrypts your files and then demands a ransom for them.

The new virus infects the computer's hard drive and works as a file-encrypting virus. After a certain time, the Petya virus "eats" the files on your computer and they become encrypted (as if the files were archived with a strong password).
Files that have suffered from the Petya ransomware virus cannot be recovered later (there is some chance that you will recover them, but it is very small).
There is NO algorithm that recovers files affected by the Petya virus.
With this short and MOST useful article, you can protect yourself from the #Petya virus.

How to DETECT the Petya or WannaCry Virus and NOT Get Infected

When downloading a file over the Internet, check it with an online antivirus. Online antiviruses can detect the virus in the file in advance and prevent a Petya infection. All you have to do is check the downloaded file with VirusTotal before running it. Even if you DOWNLOADED THE PETYA VIRUS but did NOT run the virus file, the virus is NOT active and does no harm. Only by launching the harmful file do you launch the virus; remember this.

USING EVEN ONLY THIS METHOD GIVES YOU EVERY CHANCE OF NOT GETTING INVOLVED WITH THE PETYA VIRUS

How to Protect Yourself From Petya Virus

Symantec offered a solution that protects you from the Petya virus by making it think it is already installed.
When the Petya virus enters the computer, it creates the file perfc or perfc.dll in the folder C:\Windows\perfc.
To make the virus think that it is already installed and stop its activity, create a file with empty content in the folder C:\Windows\perfc and save it with the "Read Only" attribute set.
Or download virus-petya-perfc.zip, unzip the perfc folder into C:\Windows\ and set the "Read Only" attribute.



UPDATED 06/29/2017
I also recommend placing both files directly in the Windows folder. Many sources write that the file perfc or perfc.dll should be in the folder C:\Windows\.
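The marker-file "vaccine" described above, together with the perfc.dat name that Kaspersky Lab's recommendation refers to, as an added example (this is not code from the article, Symantec or Kaspersky Lab); it assumes an elevated PowerShell session and that `$env:SystemRoot` is the Windows folder:

```powershell
# Added example, not from the article: create empty, read-only marker files
# perfc, perfc.dat and perfc.dll in the Windows folder so that the ransomware's
# "already installed" check succeeds, and verify that they are in place.
# Assumption: run from an elevated (Administrator) PowerShell session.

$VaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')
$WindowsDir   = $env:SystemRoot   # normally C:\Windows

function Install-PerfcVaccine {
    foreach ($name in $VaccineNames) {
        $path = Join-Path $WindowsDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # zero-byte file: only the presence of the name matters for the check
            New-Item -ItemType File -Path $path | Out-Null
        }
        # Read-only attribute, as the article recommends, so the dropper
        # cannot simply overwrite the marker with its own DLL
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        Write-Host "vaccinated: $path"
    }
}

function Test-PerfcVaccine {
    # Returns $true only if every marker exists, is empty and is read-only
    $ok = $true
    foreach ($name in $VaccineNames) {
        $path = Join-Path $WindowsDir $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $item -or $item.Length -ne 0 -or -not $item.IsReadOnly) {
            Write-Warning "marker missing, non-empty or writable: $path"
            $ok = $false
        }
    }
    return $ok
}

Install-PerfcVaccine
if (Test-PerfcVaccine) { 'all perfc markers in place' } else { 'vaccine incomplete' }
```

The markers only defeat this variant's own check; the MS17-010 update and offline backups recommended earlier in the article still have to be in place.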

What To Do If Your Computer Is Already Infected With Petya Virus

Do not turn on a computer that has already been infected with the Petya virus. The Petya virus works in such a way that while the infected computer is turned on, it encrypts files. That is, as long as you keep a computer affected by the Petya virus turned on, more and more files can be infected and encrypted.
The hard drive of this computer should be checked. You can check it using a LiveCD or LiveUSB with an antivirus:
  • Bootable USB flash drive with Kaspersky Rescue Disk 10
  • Dr.Web LiveDisk bootable USB flash drive

Who Spread Petya's Virus All Over Ukraine

Microsoft has expressed its view on the mass network infection in large Ukrainian companies. The cause was an update to the M.E.Doc program. M.E.Doc is a popular accounting program, which is why the company's blunder, letting a virus into an update, installed the Petya virus on thousands of PCs running M.E.Doc. And since the virus infects computers on the same network, it spread with lightning speed.

Today the ransomware virus has attacked many computers in the public, commercial and private sectors of Ukraine

An unprecedented hacker attack knocked out many computers and servers in government agencies and commercial organizations across the country

A large-scale and carefully planned cyber attack has disabled the critical infrastructure of many state-owned enterprises and companies. This was reported by the Security Service (SBU).

Starting from lunchtime, reports of computer infections in the public and private sectors began to appear like a snowball on the Internet. Representatives of government agencies have reported hacker attacks on their IT infrastructure.

According to the SBU, the infection was mainly due to the opening of Word and PDF files that the attackers sent by e-mail. The Petya.A ransomware exploited a network vulnerability in the Windows operating system. For unlocking the encrypted data, the cybercriminals demanded a payment of $300 in bitcoins.

Secretary of the National Security and Defense Council Alexander Turchinov said that the state bodies included in the protected circuit (a special Internet node) were not damaged. Apparently, the Cabinet did not properly implement the recommendations of the National Cybersecurity Coordination Center, because government computers were affected by Petya.A. The Ministry of Finance, the Chernobyl NPP, Ukrenergo, Ukrposhta, Novaya Pochta and a number of banks did not withstand today's attack.

For some time, the Internet pages of the SBU, the cyber police and the State Service for Special Communications and Information Protection (SSSSPI) did not even open.

As of Tuesday evening, June 27, none of the law enforcement agencies charged with countering cyber attacks had disclosed where Petya.A came from or who is behind it. The SBU, the Cyberpolice (whose website did not work for a whole day) and the SSSSPI maintained an Olympic silence about the extent of the damage caused by the ransomware virus.

The Computer Emergency Response Team (CERT-UA, part of the SSSSPI) has released tips for eliminating the consequences of the Petya ransomware. For this, the technical experts recommended using ESET software. Later, the SBU also described how to protect against the virus or reduce the harm from it.

Petya virus: how not to catch it, how to decrypt it, where it came from. The latest news about the Petya ransomware, which by the third day of its "activity" hit about 300 thousand computers in different countries of the world, and so far no one has stopped it.

Petya virus: how to decrypt, breaking news. After attacking a computer, the creators of the Petya ransomware demand a ransom of $300 (in bitcoins), but there is no way to decrypt the Petya virus even if the user pays. Experts at Kaspersky Lab, who identified the differences between the new virus and Petya and named it ExPetr, argue that decryption requires the unique identifier of the specific installation of the Trojan.

In the previously known versions of similar ransomware Petya / Mischa / GoldenEye, the installation ID contained the information required for this. In the case of ExPetr, this identifier is absent, writes RIA Novosti.

Petya virus: where it came from, the latest news. German security experts have put forward the first version of how this ransomware found its way in. In their opinion, the Petya virus began to roam computers via the opening of M.E.Doc files. This is an accounting program used in Ukraine after the ban on 1C.

Meanwhile, Kaspersky Lab says that it is too early to draw conclusions about the origin and source of the ExPetr virus. It is possible that the attackers had extensive data, for example e-mail addresses from a previous mailing list, or some other effective ways of penetrating computers.

With their help, the Petya virus attacked Ukraine and Russia with all its power, as well as other countries. But the real scale of this hacker attack will become clear in a few days, the report says.

Petya virus: how not to catch it, how to decrypt it, where it came from. The latest news about the Petya ransomware, which has already received a new name from Kaspersky Lab: ExPetr.

A brief excursion into the history of malware naming.


Petya.A virus logo

On June 27, at least 80 Russian and Ukrainian companies were attacked by the Petya.A virus. The program blocked information on the computers of departments and enterprises and, like the well-known ransomware virus, demanded bitcoins from users.

Malicious programs are usually named by employees of antivirus companies. The only exceptions are those ransomware, destroyers and identity thieves that, in addition to computer infections, cause media epidemics: heightened media hype and active discussion on the Internet.

However, the Petya.A virus is a representative of a new generation. The name it introduces itself by is part of the developers' marketing strategy, aimed at increasing its recognition and growing its popularity on the darknet market.

Subcultural phenomenon

In those days, when computers were few and far from all of them were interconnected, self-propagating programs (not yet called viruses) already existed. One of the first of these jokingly greeted the user and offered to catch and delete it. Next came Cookie Monster, which demanded to be "given a cookie" by typing the word "cookie".

Early malware also had a sense of humor, although it wasn't always related to its name. So, the program written by Richard Skrenta for the Apple II read a rhyme to the victim every 50 boots of the computer, and the names of viruses, often hidden in the code and not displayed, referred to jokes and subcultural words common among the geeks of that time. They could be associated with metal band names, popular literature and tabletop RPGs.

At the end of the 20th century, the creators of viruses did not hide much; moreover, often, when a program got out of control, they tried to take part in eliminating the harm it caused. So it was with the Pakistani virus and with the destructive worm created by the future co-founder of the Y Combinator business incubator.

One of the Russian viruses mentioned by Evgeny Kaspersky in his 1992 book "Computer Viruses in MS-DOS" also demonstrated poetry. The Condom-1581 program from time to time showed the victim verses dedicated to the problem of polluting the world's oceans with human waste products.

Geography and calendar

In 1987, the Jerusalem virus, also known as the Israeli Virus, was named after the place of its first detection, and its alternative name Black Friday was due to the fact that it activated and deleted executable files if the 13th day of the month fell on Friday.

The Michelangelo virus, which caused panic in the media in the spring of 1992, was named according to the calendar principle. Back then John McAfee, who later became famous for creating one of the most annoying antiviruses, told journalists and the public during a cybersecurity conference in Sydney: "If you boot an infected system on March 6, all data on the hard drive will go bad." What does Michelangelo have to do with it? The Italian artist's birthday was March 6. However, the horrors that McAfee predicted ultimately turned out to be greatly exaggerated.

Functionality

The capabilities of a virus and its specifics are often the basis of its name. In 1990, one of the first polymorphic viruses was named Chameleon, and one whose presence was highly concealed (meaning it belongs to the category of stealth viruses) was named Frodo, alluding to the hero of The Lord of the Rings and the Ring hiding him from the eyes of others. And, for example, the 1994 OneHalf virus got its name because it showed aggression only after infecting half of the disk of the attacked device.

Service titles

Most viruses have long been named in laboratories, where they are taken apart by analysts.

Usually these are boring ordinal names and common "family" names that describe the category of the virus, what systems it attacks and what it does with them (like Win32.HLLP.DeTroie). However, sometimes, when hints left by the developers can be found in the program's code, the viruses get a little personality. This is how, for example, the MyDoom and KooKoo viruses got their names.

However, this rule does not always work: for example, the Stuxnet virus, which stopped the uranium-enrichment centrifuges in Iran, did not come to be called Myrtus, although this word ("myrtle") in the code was almost a direct allusion to the participation of Israeli special services in its development. In this case, the name given to the virus in the first stages of its detection, which had already become known to the general public, won.

Tasks

It often happens that viruses that require a lot of attention and effort to study get beautiful names from antivirus companies that are easier to say and write down. This happened with Red October, which targeted diplomatic correspondence and data that can affect international relations, as well as with IceFog, large-scale industrial espionage.

File extension

Another popular way of naming is by the extension that the virus assigns to infected files. So, one of the "military" viruses, Duqu, was named not after Count Dooku from "Star Wars", but after the ~DQ prefix that marked the files it creates.

This spring, the WannaCry virus, which marks the encrypted data with the .wncry extension, also got its name.

The earlier name of the virus, Wanna Decrypt0r, did not take root: it sounded worse and was spelled in different ways. Not everyone bothered to write "0" instead of "o".

"You are a victim of the Petya ransomware virus"

This is how today's most talked-about malware introduces itself after finishing encrypting files on the attacked computer. The Petya.A virus has not only a recognizable name, but also a logo in the form of a pirate skull and crossbones, and a whole marketing campaign. Seen together with its brother "Misha", the virus attracted the attention of analysts precisely because of this.

From a subcultural phenomenon, having gone through a period when quite serious technical knowledge was required for this kind of "hacking", viruses have turned into a tool for cyber mugging. Now they have to play by the rules of the market, and whoever gets more attention brings their developers bigger profits.

According to Positive Technologies, over 80 organizations in Russia and Ukraine were affected by Petya. Compared to WannaCry, this virus is considered more destructive, as it spreads in several ways: using Windows Management Instrumentation, PsExec and the EternalBlue exploit. In addition, the ransomware includes the free Mimikatz utility.

“Such a set of tools allows Petya to remain operational even in those infrastructures where the WannaCry lesson was taken into account and the corresponding security updates were installed, which is why the encryption ransomware is so effective,” said Positive Technologies.

As Elmar Nabigayev, head of the threat response department at an information security company, told Gazeta.Ru, if we talk about the reasons for the current situation, the problem is once again a careless attitude to information security.

The head of the Avast virus laboratory, Jakub Kroustek, told Gazeta.Ru that it is impossible to establish for certain who exactly is behind this cyber attack, but it is already known that the Petya virus is distributed on the darknet under the RaaS business model (ransomware as a service).

"Thus, the share of the program's distributors reaches 85% of the ransom, and 15% goes to the authors of the ransomware virus," said Kroustek. He noted that the authors of Petya provide all the infrastructure, C&C servers and money transfer systems, which helps to attract people to spread the virus even if they have no programming experience.

In addition, Avast reported which operating systems suffered the most from the virus.

Windows 7 took the first place - 78% of all infected computers. Next up is Windows XP (18%), Windows 10 (6%) and Windows 8.1 (2%).

Kaspersky Lab considered that although the virus is similar to the Petya family, it still belongs to a different category, and gave it a different name - ExPetr, that is, "former Peter".

Dmitry Khomutov, Deputy Director for Development at Aydeko, explained to the Gazeta.Ru correspondent that the cyberattacks by the WannaCry and Petya viruses led to what he had warned about for a long time, that is, to the global vulnerability of information systems used everywhere.

“The loopholes left by American corporations for the intelligence services became available to hackers and were quickly crossed with the traditional arsenal of cybercriminals - ransomware, botnet clients and network worms,” Khomutov said.

Thus, WannaCry taught the global community practically nothing - computers remained unprotected, systems were not updated, and efforts to release patches even for outdated systems were simply wasted.

Experts urge victims not to pay the demanded ransom in bitcoins, since the e-mail address the hackers left for communication has been blocked by the local provider. Thus, even if the cybercriminals had "honest and good intentions", the user would not only lose money but would also never receive instructions to unlock their data.

Petya hurt Ukraine the most. Among the victims were Zaporozhyeoblenergo, Dneproenergo, Kiev Metro, Ukrainian mobile operators Kyivstar, LifeCell and Ukrtelecom, Auchan store, Privatbank, Boryspil airport and others.

The Ukrainian authorities immediately blamed Russia for the cyber attack.

"A cyberspace war spreading fear and terror among millions of personal computer users and causing direct material damage through the destabilization of the work of businesses and government agencies is part of the overall strategy of the Russian empire's hybrid war against Ukraine," said the Rada deputy from the Popular Front.

Ukraine may have suffered more than others because Petya initially spread through the automatic updates of M.E.Doc, an accounting program. This is how Ukrainian government departments, infrastructure facilities and commercial companies were infected: they all use this software.

The press service of ESET Russia explained to Gazeta.Ru that one vulnerable computer without security updates is enough to infect a corporate network with the Petya virus. With its help, the malware gets into the network, gains administrator rights and spreads to other devices.

However, M.E.doc came out with an official refutation of this version.

"The discussion of the sources of the emergence and spread of the cyber attack is being actively conducted by users on social networks, forums and other information resources, and some of these posts name the installation of updates for the M.E.Doc program as one of the causes. The M.E.Doc development team denies this information and declares that such conclusions are definitely erroneous, because the M.E.Doc developer, as a responsible supplier of a software product, monitors the safety and purity of its own code," said in

Petya virus: how not to catch, how to decrypt, where it came from - the latest news about the ransomware Petya, which by the third day of its "activity" hit about 300 thousand computers in different countries of the world, and so far no one has stopped it.

Petya virus - how to decrypt, breaking news. After the attack on the computer, the creators of the ransomware Petya demand a ransom of $ 300 (in bitcoins), but there is no way to decrypt the Petya virus even if the user pays money. Experts at Kaspersky Lab, who discerned the differences in the new virus from Petya and named it ExPetr, argue that a unique identifier for a specific Trojan installation is required for decryption.

In the previously known versions of similar ransomware Petya / Mischa / GoldenEye, the installation ID contained the information required for this. In the case of ExPetr, this identifier is absent, writes RIA Novosti.

Petya virus - where did it come from, the latest news. German security experts have put forward the first version of where this ransomware made its way in. In their opinion, the Petya virus began to roam computers through the opening of M.E.Doc files. This is an accounting program used in Ukraine after the ban on 1C.

Meanwhile, Kaspersky Lab says that it is too early to draw conclusions about the origin and source of the ExPetr virus. It is possible that the attackers had extensive data. For example, an e-mail address from a previous mailing list or some other effective way to get into computers.

With their help, the Petya virus attacked Ukraine and Russia with all its power, as well as other countries. But the real scale of this hacker attack will be clear in a few days - reports.

Petya virus: how not to catch it, how to decipher it, where it came from - latest news about the ransomware Petya, which has already received a new name from Kaspersky Lab - ExPetr.

Britain, USA and Australia have officially accused Russia of spreading NotPetya

On February 15, 2018, the British Foreign Office issued an official statement in which it accused Russia of organizing a cyberattack using the NotPetya ransomware virus.


According to British authorities, the attack demonstrated further disregard for Ukraine's sovereignty, and as a result of these reckless actions, the work of many organizations across Europe was disrupted, resulting in multimillion-dollar losses.


The Ministry noted that the conclusion about the involvement of the Russian government and the Kremlin in the cyber attack was made on the basis of the conclusion of the UK National Cyber Security Center, which "is almost completely convinced that the Russian military is behind the NotPetya attack." The statement said that its allies will not tolerate malicious cyber activity.

According to Australian Minister of Law Enforcement and Cybersecurity Angus Taylor, based on data from Australian intelligence agencies, as well as consultations with the United States and Great Britain, the Australian government concluded that attackers supported by the Russian government were responsible for the incident. "The Australian government condemns Russia's behavior that poses serious risks to the global economy, government operations and services, business activities, and the safety and well-being of individuals," the statement reads.

The Kremlin, which has previously repeatedly denied any involvement of the Russian authorities in the hacker attacks, called the British Foreign Ministry's statement part of a "Russophobic campaign."

Monument "Here lies the Petya computer virus, defeated by people on 06/27/2017"

A monument to the Petya computer virus was erected in December 2017 near the Skolkovo Technopark building. The two-meter-high monument bears the inscription "Here lies the Petya computer virus, defeated by people on 06/27/2017." Designed in the form of a bitten hard disk, it was created with the support of the INVITRO company, one of the companies that suffered from the consequences of the massive cyber attack. A robot named Nu, which works at Phystech Park and (MIT), came to the ceremony to give a speech.

Attack on the government of Sevastopol

Specialists of the Main Directorate of Informatization and Communication of Sevastopol have successfully repelled the attack of the network ransomware Petya on the servers of the regional government. Denis Timofeev, the head of the informatization department, announced this on July 17, 2017 at an apparatus meeting of the government of Sevastopol.

He stated that the Petya malware had no effect on the data stored on computers in Sevastopol government agencies.


The focus on the use of free software is laid down in the concept of informatization of Sevastopol, approved in 2015. It states that in the procurement and development of basic software, as well as software for information systems for automation, it is advisable to analyze the possibility of using free products that can reduce budgetary costs and reduce dependence on suppliers and developers.

Earlier, at the end of June, as part of the large-scale attack on the medical company "Invitro", its branch in Sevastopol also suffered. Because its computer network was infected by the virus, the branch temporarily suspended the issuance of test results until the causes were eliminated.

"Invitro" announced the suspension of receiving tests due to a cyber attack

The medical company "Invitro" suspended the collection of biomaterial and the issuance of patient test results due to a hacker attack on June 27. The director of corporate communications of the company Anton Bulanov told RBC about this.

According to the company's statement, "Invitro" will return to normal operation in the near future. The results of tests carried out after that time will be delivered to patients once the technical failure is eliminated. At the moment the laboratory information system has been restored and is being adjusted. "We regret the current force majeure situation and thank our clients for their understanding," "Invitro" concluded.

According to this information, the company's clinics in Russia, Belarus and Kazakhstan were hit by the computer virus attack.

Attack on Gazprom and other oil and gas companies

On June 29, 2017, it became known about a global cyberattack on Gazprom's computer systems. Thus, another Russian company has suffered from the Petya ransomware virus.

According to the Reuters news agency, citing a source in the Russian government and a person involved in the investigation of the incident, Gazprom suffered from the spread of the Petya malware, which attacked computers in more than 60 countries in total.

The newspaper's interlocutors did not provide details about how many and which systems were infected at Gazprom, as well as the amount of damage caused by the hackers. The company declined to comment upon Reuters' request.

Meanwhile, a high-ranking RBC source in Gazprom told the publication that computers in the company's headquarters were working without interruption when the massive hacker attack began (June 27, 2017), and continue two days later. Two more sources of RBC in Gazprom also assured that everything is calm in the company and there are no viruses.

In the oil and gas sector, Bashneft and Rosneft were affected by the Petya virus. The latter announced on June 28 that the company was operating normally, and “certain problems” were being promptly resolved.

Banks and industry

It became known that computers were infected at Evraz, the Russian branch of Royal Canin (a pet food producer) and the Russian division of Mondelez (manufacturer of Alpen Gold and Milka chocolate).

According to the Ministry of Internal Affairs of Ukraine, a man posted a video on file-sharing sites and social networks with a detailed description of the process of launching the ransomware on computers. In the comments to the video, the man posted a link to his page on a social network, to which he had uploaded the malware. During searches of the "hacker's" apartment, law enforcement officers seized computer equipment used to distribute NotPetya. The police also found files with malware which, after analysis, was confirmed to resemble the NotPetya ransomware. As established by the cyber police, the ransomware program, a link to which was published by the Nikopol resident, was downloaded by users of the social network 400 times.

Among those who downloaded NotPetya, law enforcement officers identified companies that deliberately infected their own systems with the ransomware in order to conceal criminal activity and evade government penalties. It is worth noting that the police do not connect the man's activities with the hacker attacks of June 27 this year, that is, there is no suggestion of any involvement with the authors of NotPetya. The acts imputed to him relate only to actions committed in July this year, after the wave of large-scale cyber attacks.

A criminal case was opened against the man under Part 1 of Art. 361 (unauthorized interference with computers) of the Criminal Code of Ukraine. The Nikopol resident faces up to 3 years in prison.

Distribution in the world

The spread of the Petya ransomware virus was recorded in Spain, Germany, Lithuania, China and India. For example, due to a malware program in India, the traffic control technology of the Jawaharlal Nehru container port, operated by A.P. Moller-Maersk, stopped recognizing cargo ownership.

The cyberattack was reported by the British advertising group WPP, the Spanish office of one of the world's largest law firms, DLA Piper, and the food giant Mondelez. The French building materials manufacturer Cie. de Saint-Gobain and the pharmaceutical company Merck & Co. were also among the victims.

Merck

The American pharmaceutical giant Merck, badly hit by the June NotPetya ransomware attack, is still unable to restore all of its systems and return to normal operation. This was reported in the company's 8-K report submitted to the US Securities and Exchange Commission (SEC) at the end of July 2017.

Moller-Maersk and Rosneft

On July 3, 2017, it became known that the Danish shipping giant Moller-Maersk and Rosneft restored their IT systems, infected by the Petya ransomware virus, only almost a week after the attack on June 27.


Shipping company Maersk, which accounts for one in seven freight containers shipped worldwide, also added that all 1,500 applications affected by the cyberattack would be back to normal operation by July 9, 2017 at the latest.

Most of the damage was done to the IT systems of Maersk's APM Terminals, which operates dozens of cargo ports and container terminals in more than 40 countries. More than 100 thousand cargo containers per day pass through the ports of APM Terminals, whose work was completely paralyzed due to the spread of the virus. The Maasvlakte II terminal in Rotterdam resumed deliveries on 3 July.

On August 16, 2017, A.P. Moller-Maersk named the approximate amount of damage from the cyber attack using the Petya virus, which, the European company noted, entered its systems through the Ukrainian program. According to preliminary calculations by Maersk, financial losses from the Petya ransomware in the second quarter of 2017 amounted to $200 million to $300 million.

Meanwhile, Rosneft also needed almost a week to recover its computer systems after the hacker attack, as the company's press service told Interfax on July 3:


A few days earlier, Rosneft emphasized that it is not yet undertaking to assess the consequences of the cyber attack, but production has not suffered.

How Petya works

Indeed, victims of the virus cannot unlock their files after infection. The fact is that its creators did not provide for such a possibility at all, so an encrypted disk cannot be decrypted by design: the malware's identifier lacks the information required for decryption.

Initially, experts assigned the virus, which infected about two thousand computers in Russia, Ukraine, Poland, Italy, Germany, France and other countries, to the already well-known Petya ransomware family. However, it turned out to be a new family of malware, which Kaspersky Lab christened ExPetr.

How to fight

Fighting cyber threats requires the combined efforts of banks, IT businesses and the state

Data recovery method from Positive Technologies

On July 7, 2017, Dmitry Sklyarov, an expert at Positive Technologies, presented a method for recovering data encrypted by the NotPetya virus. According to the expert, the method is applicable if the NotPetya virus had administrative privileges and encrypted the entire disk.

The possibility of data recovery is due to errors the attackers themselves made in their implementation of the Salsa20 encryption algorithm. The method has been tested both on a test medium and on one of the encrypted hard drives of a large company among the victims of the epidemic.

Data recovery companies and independent developers are free to use and automate the presented decryption script.

The Ukrainian cyber police have already confirmed the results of the investigation. Juscutum intends to use the findings of the investigation as key evidence in the future proceedings against Intellect-Service.

The process will be civil. An independent investigation is being carried out by Ukrainian law enforcement agencies. Their representatives have previously announced the possibility of initiating a case against Intellect-Service employees.

M.E.Doc itself stated that what was happening was an attempt at a hostile takeover of the company. The manufacturer of the only popular Ukrainian accounting software believes that the search of the company carried out by the Ukrainian cyber police was part of the implementation of this plan.

Initial infection vector with the Petya encryptor

On May 17, an M.E.Doc update was released that did not contain the malicious backdoor module. This probably explains the relatively low number of XData infections, the company believes: the attackers did not expect the update to be released on May 17 and launched the encryptor on May 18, when most users had already installed the clean update.

The backdoor allows other malware to be downloaded and executed on the infected system; this is how the initial infections with the Petya and XData encryptors were carried out. In addition, the program collects proxy server and e-mail settings, including logins and passwords, from the M.E.Doc application, as well as company codes from the EDRPOU (Unified State Register of Enterprises and Organizations of Ukraine), which makes it possible to identify victims.

"We have a number of questions to answer," said Anton Cherepanov, senior virus analyst at Eset. "How long has the backdoor been used? What commands and malware other than Petya and XData were sent through this channel? What other infrastructures have been compromised but not yet used by the cyber group behind this attack?"

Based on a set of signs, including infrastructure, malicious tools, schemes and targets of attacks, Eset experts have established a connection between the Diskcoder.C (Petya) epidemic and the Telebots cyber group. It has not yet been possible to reliably determine who is behind the activities of this group.