The Petya virus: how not to catch it, how to decrypt it, where it came from - the latest news about the Petya (ExPetr) ransomware

The “Petya” virus: how not to catch it, how to decrypt it, where it came from - the latest news about the Petya ransomware, which by the third day of its “activity” had infected about 300 thousand computers in various countries of the world, and so far nobody has stopped it.

The Petya virus - how to decrypt it, latest news. After attacking a computer, the creators of the Petya ransomware demand a ransom of $300 (in bitcoins), but there is no way to decrypt the files after a Petya attack, even if the user pays. Kaspersky Lab specialists, who found differences between the new virus and Petya and named it ExPetr, state that decryption would require the unique identifier of the specific Trojan installation.

In previously known versions of the related encryptors Petya/Mischa/GoldenEye, the installation identifier contained the information needed for this. In the case of ExPetr, this identifier does not exist, writes RIA Novosti.

The “Petya” virus - where it came from, the latest news. German security experts have put forward the first theory of where this ransomware came from. In their opinion, the Petya virus began to spread between computers when M.E.Doc files were opened. M.E.Doc is an accounting program used in Ukraine after the ban on 1C.

Meanwhile, Kaspersky Lab says it is too early to draw conclusions about the origin and the distribution source of the ExPetr virus. It is possible that the attackers had extensive data, for example email addresses from an earlier mailing, or some other effective way of penetrating computers.

With their help, the “Petya” virus hit Ukraine and Russia, as well as other countries, with full force. But the real scale of this hacker attack will become clear only in a few days, according to reports.

“Petya” virus: how not to catch it, how to decrypt it, where it came from - the latest news about the Petya ransomware, which has already received a new name from Kaspersky Lab: ExPetr.

A brief excursion into the history of malware naming.


Petya.A virus logo

On June 27, at least 80 Russian and Ukrainian companies were attacked by the Petya.A virus. The program blocked information on the computers of departments and enterprises and, like the well-known ransomware virus, demanded bitcoins from users.

Malicious programs are usually named by employees of antivirus companies. The exceptions are those encryptors, ransomware, destroyers and identity thieves, which, in addition to computer infections, cause media epidemics - increased hype in the media and active discussion on the network.

However, the Petya.A virus represents a new generation. The name by which it introduces itself is part of the developers' marketing strategy, aimed at increasing its recognition and growing its popularity on the darknet market.

Subcultural phenomenon

In the days when there were few computers and not all of them were connected to each other, self-propagating programs (not yet called viruses) already existed. One of the first of these was , which jokingly greeted the user and offered to catch it and delete it. Next came Cookie Monster, which demanded that the user “give it a cookie” by typing the word “cookie.”

Early malware also had a sense of humor, although it was not always in the names. Thus, Richard Skrenta's program for the Apple II read a poem to the victim once every 50 computer startups, and virus names, often hidden in the code and never displayed, referred to jokes and subcultural words common among the geeks of that time. They could be associated with the names of metal bands, popular literature, and tabletop role-playing games.

At the end of the 20th century, the creators of viruses did not hide much; moreover, when a program got out of control, they often tried to take part in eliminating the harm it caused. This was the case with the Pakistani and the destructive one, created by the future co-founder of the Y Combinator business incubator.

One of the Russian viruses mentioned by Evgeniy Kaspersky in his 1992 book “Computer Viruses in MS-DOS” was Condom-1581, which from time to time ran a program for the victim dedicated to the problem of the world's oceans being clogged with human waste.

Geography and calendar

In 1987, the Jerusalem virus, also known as the Israeli Virus, was named after the place where it was first discovered, and its alternative name Black Friday came from the fact that it activated and deleted executable files whenever the 13th of the month fell on a Friday.

The Michelangelo virus, which caused panic in the media in the spring of 1992, was also named according to the calendar principle. At the time, John McAfee, later famous for creating one of the most intrusive antiviruses, told journalists and the public at a Sydney cybersecurity conference: “If you boot an infected system on March 6, all the data on the hard drive will be corrupted.” What does Michelangelo have to do with this? March 6 was the Italian artist's birthday. However, the horrors McAfee predicted turned out to be wildly exaggerated.

Functionality

The capabilities of a virus and its specific features often serve as the basis for its name. In 1990, one of the first polymorphic viruses was named Chameleon, and a virus with extensive abilities to hide its presence (and therefore belonging to the category of stealth viruses) was named Frodo, hinting at the hero of “The Lord of the Rings” and the Ring hidden from the eyes of others. The OneHalf virus of 1994, for example, got its name because it showed its aggression only by infecting half of the disk of the attacked device.

Service titles

Most viruses have long been named in laboratories, where analysts take them apart.

Usually these are boring serial names and general “family” names that describe the category of the virus, which systems it attacks and what it does to them (like Win32.HLLP.DeTroie). However, sometimes, when hints left by the developers are found in the program code, viruses gain a little personality. This is how, for example, the MyDoom and KooKoo viruses got their names.

However, this rule does not always work. For example, the Stuxnet virus, which stopped uranium enrichment centrifuges in Iran, was not called Myrtus, although this word (“myrtle”) in the code was almost a direct hint at the participation of Israeli intelligence services in its development. In this case, the name that had already become known to the general public, assigned to the virus in the first stages of its discovery, won.

Tasks

Viruses that demand a lot of attention and research effort from antivirus companies often get attractive names that are easier to say and write down. This happened with Red October, which stole diplomatic correspondence and data that could affect international relations, and with IceFog, a large-scale industrial espionage campaign.

File extension

Another popular naming method is by the extension the virus assigns to infected files. Thus, one of the “military” viruses, Duqu, was named not after Count Dooku from “Star Wars” but after the ~DQ prefix that marked the files it created.

The WannaCry virus, which made a splash this spring, also got its name this way, marking the data it encrypted with the .wncry extension.

The virus's earlier name, Wanna Decrypt0r, didn't catch on: it sounded worse and was spelled in different ways. Not everyone bothered to write a “0” instead of an “o”.

“You have become a victim of the Petya ransomware virus”

This is exactly what today's most discussed malware announces once it finishes encrypting the files on the attacked computer. The Petya.A virus has not only a recognizable name but also a logo in the form of a pirate skull and crossbones, and a whole marketing campaign. Spotted together with its sibling “Mischa”, the virus attracted the attention of analysts precisely because of this.

From a subcultural phenomenon, after passing through a period when this kind of “hacking” required quite serious technical knowledge, viruses turned into a weapon of cyber mugging. Now they have to play by market rules, and whoever gets more attention brings bigger profits to their developers.

The Petya virus is a rapidly spreading virus that hit almost all large enterprises in Ukraine on June 27, 2017. The Petya virus encrypts your files and then demands a ransom for them.

The new virus infects the computer's hard drive and works as a file-encrypting virus. After a certain time the Petya virus “eats” the files on your computer and they become encrypted (as if the files had been archived and a strong password set).
Files affected by the Petya ransomware virus cannot be restored afterwards (there is a chance you can restore them, but it is very small).
There is NO algorithm that restores files affected by the Petya virus.
With the help of this short and MAXIMALLY useful article you can protect yourself from #virusPetya.

How to IDENTIFY the Petya or WannaCry virus and NOT get infected with the virus

When downloading a file from the Internet, check it with an online antivirus. Online antiviruses can detect a virus in a file in advance and prevent infection with the Petya virus. All you have to do is check the downloaded file with VirusTotal before running it. Even if you DOWNLOADED the PETYA VIRUS but did NOT run the virus file, the virus is NOT active and does no harm. Only when you launch the malicious file do you launch the virus; remember this.
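The check described above can be scripted so that the file is hashed locally and only the hash is looked up, which avoids uploading a possibly sensitive document. The following is an added example, not code from the original article; it uses the real VirusTotal API v3 file-report endpoint, assumes you have your own API key, and the threshold of three "malicious" engine votes is the author's choice, not a VirusTotal rule. A 404 means VirusTotal has never seen the hash, which is not evidence that the file is safe.

```python
import hashlib
import json
import urllib.error
import urllib.request

# VirusTotal API v3 "file report by hash" endpoint (real endpoint; needs an API key).
VT_FILE_URL = "https://www.virustotal.com/api/v3/files/{}"


def sha256_of_file(path, chunk_size=1 << 20):
    """Hash the downloaded file locally; only the digest is sent to VirusTotal."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verdict_from_stats(stats, malicious_threshold=3):
    """Turn VirusTotal's last_analysis_stats counters into a simple verdict.

    One or two engines flagging a file is often a false positive, so only a
    count at or above the threshold is treated as "malicious"; anything lower
    but non-zero is "suspicious" and deserves a closer look before running it.
    """
    malicious = stats.get("malicious", 0)
    suspicious = stats.get("suspicious", 0)
    total = sum(stats.values())
    if total == 0:
        return "unknown"      # no engine results at all
    if malicious >= malicious_threshold:
        return "malicious"
    if malicious or suspicious:
        return "suspicious"
    return "clean"


def lookup_hash(sha256, api_key):
    """Return the analysis stats for a hash, or None if VirusTotal has never seen it."""
    request = urllib.request.Request(
        VT_FILE_URL.format(sha256), headers={"x-apikey": api_key}
    )
    try:
        with urllib.request.urlopen(request, timeout=30) as response:
            report = json.load(response)
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None       # unknown to VirusTotal: not proof that it is safe
        raise
    return report["data"]["attributes"]["last_analysis_stats"]


def check_download(path, api_key):
    """Hash a downloaded file and classify it before anyone double-clicks it."""
    digest = sha256_of_file(path)
    stats = lookup_hash(digest, api_key)
    verdict = "unknown" if stats is None else verdict_from_stats(stats)
    return digest, verdict


if __name__ == "__main__":
    import sys
    # usage: check.py <downloaded file> <VT_API_KEY>
    file_path, key = sys.argv[1], sys.argv[2]
    sha, verdict = check_download(file_path, key)
    print(f"{sha}  {verdict}")
```

Treat "unknown" the same way as "suspicious": a freshly built sample, which is exactly what a new campaign sends, will have no report yet.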

USING THIS METHOD ALONE GIVES YOU EVERY CHANCE OF NOT BEING INFECTED WITH THE PETYA VIRUS
The Petya virus looks like this:

How to Protect Yourself from the Petya Virus

Symantec proposed a solution that protects you from the Petya virus by pretending that it is already installed.
When the Petya virus gets onto a computer, it creates a file named perfc or perfc.dll in the folder C:\Windows\perfc.
To make the virus think it is already installed and stop its activity, create an empty file named perfc in the folder C:\Windows\perfc and save it with the “Read Only” attribute set.
Or download virus-petya-perfc.zip, unzip the folder perfc into C:\Windows\, and set the “Read Only” attribute.



UPDATED 06/29/2017
I also recommend putting both files directly in the Windows folder. Many sources write that the file perfc or perfc.dll must be in the folder C:\Windows\.
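The marker-file step above, as an added example rather than the article's own download: it creates the two names the article mentions (perfc and perfc.dll) as empty read-only files and includes an audit function so you can verify the files are still there. The target directory is a parameter; on a real machine it would be C:\Windows, which requires an elevated prompt. Bear in mind that this only stops a variant that checks for exactly these names; it is a stop-gap, not a substitute for patching and backups.

```python
import stat
from pathlib import Path

# File names the article says the malware checks for before running.
VACCINE_NAMES = ("perfc", "perfc.dll")


def create_vaccine_files(windows_dir, names=VACCINE_NAMES):
    """Create empty, read-only marker files in windows_dir and return their paths.

    windows_dir is normally C:\\Windows (writing there needs an elevated prompt);
    it is a parameter so the function can also be exercised against a temp dir.
    """
    base = Path(windows_dir)
    created = []
    for name in names:
        marker = base / name
        if not marker.exists():
            marker.touch()                      # zero-byte file, as the article describes
        # Drop every write bit. On Windows, Python maps this onto the
        # read-only attribute, which is the "Read Only" setting in the article.
        marker.chmod(stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH)
        created.append(marker)
    return created


def vaccine_present(windows_dir, names=VACCINE_NAMES):
    """Audit check: True only if every marker exists, is a file, and is read-only."""
    base = Path(windows_dir)
    for name in names:
        marker = base / name
        if not marker.is_file():
            return False
        if marker.stat().st_mode & (stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH):
            return False
    return True


if __name__ == "__main__":
    import sys
    # usage: vaccine.py [directory]   (defaults to C:\Windows; run elevated)
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for path in create_vaccine_files(target):
        print("created", path)
    print("vaccine present:", vaccine_present(target))
```

Running vaccine_present from a scheduled task or an endpoint-management check lets you notice if the marker files were ever removed, for example by a Windows servicing operation.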

What to do if your computer is already infected with the Petya virus

Do not turn on a computer that has already been infected with the Petya virus. The Petya virus works in such a way that it encrypts files while the infected computer is turned on. That is, the longer you keep the Petya-infected computer turned on, the more files become infected and encrypted.
The hard drive of this computer should be checked. You can check it using a LiveCD or LiveUSB with an antivirus:
Bootable USB flash drive with Kaspersky Rescue Disk 10
Dr.Web LiveDisk bootable flash drive

Who Spread the Petya Virus Throughout Ukraine

Microsoft has expressed its view on the global network infection of large Ukrainian companies. The cause was an update to the M.E.Doc program. M.E.Doc is a popular accounting program, which is why the company's mistake was so serious: a virus got into the update and installed the Petya virus on thousands of PCs on which the M.E.Doc program was installed. And since the virus spreads to computers on the same network, it spread at lightning speed.

Almost every user has antivirus programs on their computer, but sometimes a Trojan or virus appears that can bypass even the best protection and infect your device, or even worse, encrypt your data. This time, the encrypting Trojan “Petya” became such a virus. The rate of spread of this threat is very impressive: in a couple of days it managed to “visit” Russia, Ukraine, Israel, Australia, the USA, all the major European countries and more. It mainly affected corporate users (airports, power plants, the tourism industry), but ordinary people were hit as well. In its scale and methods, it is extremely similar to the recently sensational one.

You definitely need to protect your computer to avoid becoming a victim of the new Petya ransomware Trojan. In this article I will tell you what the Petya virus is, how it spreads, and how to protect yourself from this threat. In addition, we will touch on removing the Trojan and decrypting information.

What is the Petya virus?

First, we should understand what Petya is. The Petya virus is malicious software, a ransomware-type Trojan. These viruses are designed to blackmail the owners of infected devices into paying a ransom for encrypted data. Unlike Wanna Cry, Petya does not bother encrypting individual files; it almost instantly “takes away” your entire hard disk.

The correct name of the new virus is Petya.A. Additionally, Kaspersky calls it NotPetya/ExPetr.

Description of the Petya virus

Once on your Windows computer, Petya almost instantly encrypts the MFT (Master File Table). What is this table responsible for?

Imagine that your HDD is the largest library in the entire universe. It contains billions of books. So how do you find the right book? Only using the library catalogue. It is this catalogue that Petya destroys. Thus you lose any possibility of finding any “file” on your PC. To be even more precise, after Petya's “work”, your computer's hard drive will resemble a library after a tornado, with scraps of books flying everywhere.

Thus, unlike Wanna Cry, which I mentioned at the beginning of the article, Petya.A does not encrypt individual files, which takes an impressive amount of time; it simply takes away any opportunity to find them.

After all its manipulations, it demands a ransom from users: $300, which must be transferred to a Bitcoin account.

Who created the Petya virus?

The Petya virus was built using an exploit (a “hole”) in the Windows OS called “EternalBlue”. Microsoft released a patch that “closes” this hole several months ago; however, not everyone uses a licensed copy of Windows and installs all system updates, right?)

The creator of “Petya” cleverly exploited the carelessness of corporate and private users and made money from it. His identity is still unknown (and is unlikely to become known).

How does the Petya virus spread?

The Petya virus most often spreads disguised as email attachments and in archives of pirated, infected software. The attachment can be absolutely any file, including what looks at first glance like a photo or an mp3. After you run the file, your computer reboots and the virus simulates a CHKDSK disk check, while at that moment it modifies your computer's boot record (MBR). After this, you will see a red skull on your screen. Pressing any key brings up a text in which you are asked to pay for decrypting your files and transfer the required amount to a bitcoin wallet.
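Because the damage described here starts with a rewritten MBR, a useful defensive habit is to keep a trusted copy of sector 0 and compare it periodically. The following is an added example, not code from the article: it parses the 512-byte MBR layout (440 bytes of boot code, a 64-byte partition table at offset 446, and the 0x55AA signature), hashes the boot code, and reports what changed relative to a baseline. The sample sectors it builds are constructed for the demonstration, not dumps from any real disk.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR
BOOTCODE_LEN = 440               # boot code occupies bytes 0..439
PTABLE_OFFSET = 446              # four 16-byte partition entries start here


def parse_mbr(sector):
    """Split a raw 512-byte MBR into the parts worth comparing."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly 512 bytes")
    partitions = []
    for i in range(4):
        entry = sector[PTABLE_OFFSET + 16 * i: PTABLE_OFFSET + 16 * (i + 1)]
        status, ptype = entry[0], entry[4]
        lba_start, sector_count = struct.unpack_from("<II", entry, 8)
        partitions.append((status, ptype, lba_start, sector_count))
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootcode_sha256": hashlib.sha256(sector[:BOOTCODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_with_baseline(current, baseline):
    """Return a list of findings; an empty list means the MBR matches the trusted copy."""
    now, ref = parse_mbr(current), parse_mbr(baseline)
    findings = []
    if not now["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if now["bootcode_sha256"] != ref["bootcode_sha256"]:
        findings.append("boot code changed")
    if now["partitions"] != ref["partitions"]:
        findings.append("partition table changed")
    return findings


def read_mbr(device):
    """Read sector 0 of a raw device (needs admin/root)."""
    # Windows: r"\\.\PhysicalDrive0" from an elevated prompt; Linux: "/dev/sda" as root.
    with open(device, "rb") as disk:
        return disk.read(SECTOR_SIZE)


def build_sample_mbr(bootcode_byte):
    """Constructed sample (not a real disk): filler boot code, one NTFS-type partition, valid signature."""
    bootcode = bytes([bootcode_byte]) * BOOTCODE_LEN
    disk_id = b"\x11\x22\x33\x44\x00\x00"      # 4-byte disk signature + 2 reserved bytes
    # status 0x80 (bootable), CHS fields zeroed, type 0x07 (NTFS), start LBA 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 1_000_000)
    table = entry + b"\x00" * 16 * 3
    return bootcode + disk_id + table + BOOT_SIGNATURE


if __name__ == "__main__":
    trusted = build_sample_mbr(0x90)            # snapshot taken on a clean machine
    tampered = build_sample_mbr(0xEB)           # same partitions, different boot code
    print("clean   :", compare_with_baseline(trusted, trusted))
    print("tampered:", compare_with_baseline(tampered, trusted))
```

In practice you would store the output of read_mbr from a known-good state, then run compare_with_baseline from a boot medium such as the rescue disks mentioned later in the article, since a compromised bootloader is already in control once the infected system is running.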

How to protect yourself from the Petya virus?

  • The most important and basic thing is to make it a rule to install updates for your operating system! This is incredibly important. Do it right now, don't delay.
  • Pay special attention to all attachments in letters, even if the letters come from people you know. During the epidemic, it is better to use alternative ways of transferring data.
  • Enable the “Show file extensions” option in the OS settings; this way you can always see the true file extension.
  • Enable “User Account Control” in Windows settings.
  • You must install an antivirus to avoid infection. Start by installing OS updates, then install an antivirus, and you will be much safer than before.
  • Be sure to make “backups”: save all important data on an external hard disk or in the cloud. Then, if the Petya virus gets onto your PC and encrypts all the data, it will be quite easy for you to format your hard drive and reinstall the OS.
  • Always check that your antivirus's databases are up to date. All good antiviruses monitor threats and respond to them in a timely manner by updating threat signatures.
  • Install the free Kaspersky Anti-Ransomware utility. It will protect you from encrypting viruses. Installing this software does not relieve you of the need to install an antivirus.
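The "show file extensions" advice and the warning about attachments that only look like a photo or an mp3 come down to one check: what is the real last extension of the file name? The following is an added example, not code from the article, of the triage logic a mail gateway or a cautious user could apply; the extension lists are the author's assumptions, and the sample names are constructed rather than taken from any real campaign.

```python
# Extensions Windows will execute (or hand to a script host) when double-clicked.
EXECUTABLE_EXTENSIONS = {
    "exe", "scr", "com", "pif", "bat", "cmd", "msi", "hta",
    "js", "jse", "vbs", "vbe", "wsf", "wsh", "ps1", "lnk",
}
# Extensions people trust at a glance; the article's "photo or mp3" examples fall here.
BENIGN_LOOKING_EXTENSIONS = {
    "jpg", "jpeg", "png", "gif", "mp3", "pdf", "doc", "docx", "xls", "xlsx", "txt",
}
ARCHIVE_EXTENSIONS = {"zip", "rar", "7z"}


def classify_attachment(filename):
    """Return (action, reason) for an attachment name: 'block', 'review' or 'allow'."""
    # Split on dots and strip padding so "photo.jpg      .exe" is seen as photo / jpg / exe.
    parts = [p.strip().lower() for p in filename.strip().split(".")]
    if len(parts) < 2 or not parts[-1]:
        return "review", "no file extension"
    real_ext = parts[-1]
    if real_ext in EXECUTABLE_EXTENSIONS:
        # With "Show file extensions" off, Explorer displays "photo.jpg.exe" as "photo.jpg".
        if len(parts) >= 3 and parts[-2] in BENIGN_LOOKING_EXTENSIONS:
            return "block", f"executable disguised as .{parts[-2]} (real extension .{real_ext})"
        return "block", f"executable attachment (.{real_ext})"
    if real_ext in ARCHIVE_EXTENSIONS:
        return "review", f"archive (.{real_ext}) can hide an executable; inspect contents"
    return "allow", f"non-executable .{real_ext}"


def triage(filenames):
    """Classify a batch of names, grouped by action."""
    result = {"block": [], "review": [], "allow": []}
    for name in filenames:
        action, reason = classify_attachment(name)
        result[action].append((name, reason))
    return result


if __name__ == "__main__":
    # Constructed sample attachment names, not taken from any real campaign.
    samples = [
        "invoice_2017-06.pdf",
        "vacation_photo.jpg.exe",
        "new_song.mp3                                   .scr",
        "report.docx",
        "update.zip",
        "README",
    ]
    for action, items in triage(samples).items():
        for name, reason in items:
            print(f"{action:6} {name!r}: {reason}")
```

Name-based triage is a first filter only: an "allow" verdict for a .docx still leaves macros and exploits to the antivirus and the user, which is why the list above pairs it with updates, UAC and backups.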

How to remove Petya virus?

How do you remove the Petya.A virus from your hard drive? This is an extremely interesting question. The fact is that if the virus has already blocked your data, there will actually be nothing to delete. If you do not plan to pay the ransomware (which you should not do) and will not try to recover data on the disk in the future, you can simply format the disk and reinstall the OS. After this, there will be no trace of the virus left.

If you suspect there is an infected file on your disk, scan the disk with one of the antivirus utilities, or install Kaspersky Anti-Virus and run a full system scan. The developer has assured that its signature database already contains information about this virus.

Petya.A decryptor

Petya.A encrypts your data with a very strong algorithm. At the moment there is no solution for decrypting blocked information. Moreover, you should not try to recover the data at home.

Undoubtedly, we would all dream of getting a miraculous Petya.A decryptor, but there is simply no such solution. The virus struck the world several months ago, but no cure for decrypting the data it encrypted has been found.

Therefore, if you have not yet become a victim of the Petya virus, follow the advice I gave at the beginning of the article. If you have already lost control of your data, you have several options.

  • Pay the money. There is no point in doing this! Experts have already found that the creator of the virus does not restore the data, and cannot restore it, given the encryption technique.
  • Remove the hard drive from your device, put it carefully away in a cupboard, and wait for a decryptor to appear. By the way, Kaspersky Lab is constantly working in this direction. Available decryptors are published on the No Ransom website.
  • Format the disk and install the operating system. The downside is that all data will be lost.

Petya.A virus in Russia

In Russia and Ukraine, over 80 companies had been attacked and infected at the time of writing, including such large ones as Bashneft and Rosneft. Infection of the infrastructure of such large companies shows how serious the Petya.A virus is. There is no doubt that the ransomware Trojan will continue to spread throughout Russia, so you should take care of the security of your data and follow the advice given in the article.

Petya.A and Android, iOS, Mac, Linux

Many users are worried about whether the Petya virus can infect their devices running Android and iOS. I hasten to reassure them: no, it can't. It targets only users of Windows OS. The same applies to fans of Linux and Mac: you can sleep peacefully, nothing threatens you.

Conclusion

So today we discussed the new Petya.A virus in detail. We understood what this Trojan is and how it works, learned how to protect ourselves from infection and remove the virus, and where to get a Petya decryptor. I hope the article and my tips were useful to you.

Companies around the world on Tuesday, June 27, suffered from a large-scale cyberattack by malware spreading through email. The virus encrypts user data on hard drives and extorts money in bitcoins. Many immediately decided that this was the Petya virus, described back in the spring of 2016, but antivirus manufacturers believe that the attack was carried out by some other, new malware.

A powerful hacker attack on the afternoon of June 27 hit first Ukraine and then several large Russian and foreign companies. The virus, which many mistook for last year's Petya, spreads on computers running Windows via a spam email with a link that, when clicked, opens a window requesting administrator rights. If the user grants the program access to the computer, the virus begins to demand money from the user: $300 in bitcoins, and the amount doubles after some time.

The Petya virus, discovered in early 2016, spread according to exactly the same pattern, so many users decided that this was it. But experts from antivirus software companies have already stated that some other, completely new virus, which they still have to study, is to blame for the attack. Experts from Kaspersky Lab have already given the unknown virus a name: NotPetya.

According to our preliminary data, this is not the Petya virus, as mentioned earlier, but a new malware unknown to us. That's why we called it NotPetya.

There will be two text fields, titled “Base64 encoded 512 bytes verification data” and “Base64 encoded 8 bytes nonce”. To receive the key, enter the data extracted by the program into these two fields.

The program will issue a password. You will need to enter it after reconnecting the disk and booting to the virus's screen.

Victims of a cyber attack

Ukrainian companies suffered the most from the unknown virus. The computers of Boryspil airport, the Ukrainian government, shops, banks, media and telecommunications companies were infected. After this, the virus reached Russia. The victims of the attack included Rosneft, Bashneft, Mondelez International, Mars and Nivea.

Even some foreign organizations reported problems with IT systems due to the virus: the British advertising company WPP, the American pharmaceutical company Merck & Co, the large Danish cargo carrier Maersk and others. Costin Raiu, head of the international research team at Kaspersky Lab, wrote about this on Twitter.