How does the Petya virus manifest itself? The Petya virus: how not to catch it, how to decrypt it, where it came from - the latest news about the Petya (ExPetr) ransomware

The Petya ransomware virus attacked computers in Ukraine, Russia, Sweden, Holland, Denmark and other countries. The emergence of the virus has just been recorded in Asia: in India, the cargo flow management system of the country’s largest container port has failed. However, Ukraine suffered the most - Kharkov airport is completely paralyzed, work has been restored at Boryspil airport, but the main server is still not working. In total, about 300 thousand computers are blocked; the user must pay $300 to unlock the data. So far, about $5,000 has been paid to the hackers from 20 users, Next Web reports.

Who is guilty?

At night, the cyber police department of the National Police of Ukraine reported on its Facebook page that the attack on Ukraine was carried out through the reporting and document management program “M.E.doc”:

Police report that the attack began at 10:30 Moscow time, after the software developers rolled out the next update. At the same time, the authors of programs for document automation themselves categorically deny their involvement and give detailed arguments:

Later, a message appeared on the Cyber ​​Police page that they were not accusing the M.E.doc company, but were only stating that facts had been identified that should be checked in detail. However, it is still not recommended to install the update:

Who is Petya?

As Positive Technologies experts told the site, this is malware whose operating principle is based on encrypting the master boot record (MBR) in the disk's boot sector and replacing it with its own.

Even after the computer has been infected, the user has 1-2 hours in which to run the bootrec /fixMbr command to restore the MBR and bring the operating system back, but the files will not be decrypted.

In addition, Petya is able to bypass system security updates that were installed after the WannaCry attack, which is why it is so effective and spreads like an avalanche to other computers. It fights for control of all nodes in the domain, which is equivalent to complete compromise of the infrastructure.

At the beginning of May, about 230,000 computers in more than 150 countries were infected with a ransomware virus. Before the victims had time to eliminate the consequences of this attack, a new one, called Petya, followed. The largest Ukrainian and Russian companies, as well as government institutions, suffered from it.

The cyber police of Ukraine established that the virus attack began through the mechanism for updating the accounting software M.E.Doc, which is used to prepare and send tax reports. Thus, it became known that the networks of Bashneft, Rosneft, Zaporozhyeoblenergo, Dneproenergo and the Dnieper Electric Power System did not escape infection. In Ukraine, the virus penetrated government computers, PCs of the Kyiv metro, telecom operators and even the Chernobyl nuclear power plant. In Russia, Mondelez International, Mars and Nivea were affected.

The Petya virus exploits the EternalBlue vulnerability in the Windows operating system. Symantec and F-Secure experts say that although Petya encrypts data like WannaCry, it is still somewhat different from other types of encryption viruses. “The Petya virus is a new type of extortion with malicious intent: it does not just encrypt files on the disk, but locks the entire disk, making it practically unusable,” explain F-Secure. “Specifically, it encrypts the MFT master file table.”

How does this happen and can this process be prevented?

Virus "Petya" - how does it work?

The Petya virus is also known by other names: Petya.A, PetrWrap, NotPetya, ExPetr. Once it gets into the computer, it downloads ransomware from the Internet and tries to attack the part of the hard drive holding the data needed to boot the computer. If it succeeds, the system shows a Blue Screen of Death. After the reboot, a message appears about checking the hard drive and asks you not to turn off the power. In this way the encryption virus pretends to be a system disk-scanning program while encrypting files with certain extensions. At the end of the process, a message appears saying that the computer is blocked, together with information on how to obtain a digital key to decrypt the data. The Petya virus demands a ransom, usually in Bitcoin. If the victim has no backup copy of their files, they face the choice of paying $300 or losing all their information. According to some analysts, the virus is only masquerading as ransomware; its true goal is to cause massive damage.

How to get rid of Petya?

Experts have discovered that the Petya virus looks for a local file and, if this file already exists on the disk, exits the encryption process. This means that users can protect their computer from ransomware by creating this file and setting it as read-only.

Although this trick prevents the extortion process from starting, the method is better thought of as a “computer vaccination”: the user has to create the file themselves. You can do this as follows:

  • First, make file extensions visible. In the Folder Options window, make sure the “Hide extensions for known file types” checkbox is unchecked.
  • Open the C:\Windows folder and scroll down until you see the notepad.exe program.
  • Left-click notepad.exe, then press Ctrl + C to copy and Ctrl + V to paste the file. You will be asked for permission to copy the file.
  • Click Continue and the file will be created as “notepad - Copy.exe”. Left-click this file and press F2, then erase the file name and enter perfc.
  • After changing the file name to perfc, press Enter and confirm the rename.
  • Now that the perfc file has been created, make it read-only: right-click the file and select “Properties”.
  • The Properties window for the file will open. At the bottom you will see “Read-only”. Check the box.
  • Click Apply and then OK.

Some security experts suggest creating C:\Windows\perfc.dat and C:\Windows\perfc.dll in addition to C:\Windows\perfc in order to protect against the Petya virus more thoroughly. You can repeat the above steps for these files.
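The same result as the Explorer steps above can be produced with a short script. The following Python code is an added example, not code from the article or from any of the vendors it quotes: it creates zero-length files named perfc, perfc.dat and perfc.dll in a directory of your choosing and marks them read-only, exactly the set of files the text recommends. The directory is a parameter so the routine can be tried on a scratch folder first; on a real host you would pass C:\Windows, which (an assumption, not stated on the page) requires an elevated prompt. Like the manual method, this only stops a variant that performs the file-existence check the article describes; it is a complement to installing the MS17-010 update, not a replacement for it.

```python
"""Create the read-only "vaccine" files perfc, perfc.dat and perfc.dll.

Added example, not from the original article. Assumes the behaviour the
article describes: the malware checks for an existing local file in the
Windows directory and exits if it is present. Pass C:\\Windows on a real
host (assumption: needs an elevated prompt); any other path is a dry run.
"""
import os
import stat
import sys
import tempfile
from pathlib import Path
from typing import List

VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")
# Read bits only. On Windows, chmod can only toggle the ReadOnly attribute,
# which is exactly what the "Read-only" checkbox in Properties sets.
READ_ONLY_MODE = stat.S_IREAD | stat.S_IRGRP | stat.S_IROTH


def create_vaccine_files(windows_dir: str) -> List[Path]:
    """Create each vaccine file if missing and mark it read-only.

    An existing file is never overwritten; it is just made read-only,
    so running the routine twice is harmless.
    """
    created = []
    for name in VACCINE_NAMES:
        path = Path(windows_dir) / name
        if not path.exists():
            path.touch()
        path.chmod(READ_ONLY_MODE)
        created.append(path)
    return created


def is_vaccinated(windows_dir: str) -> bool:
    """True when all three files exist as regular files and none is owner-writable."""
    for name in VACCINE_NAMES:
        path = Path(windows_dir) / name
        if not path.is_file():
            return False
        if stat.S_IMODE(path.stat().st_mode) & stat.S_IWUSR:
            return False
    return True


def self_check() -> bool:
    """Exercise the routine against a temporary directory, then clean up."""
    scratch = tempfile.mkdtemp(prefix="perfc-demo-")
    try:
        before = is_vaccinated(scratch)      # nothing there yet
        create_vaccine_files(scratch)
        create_vaccine_files(scratch)        # second run must not fail (idempotent)
        after = is_vaccinated(scratch)
        return (not before) and after
    finally:
        for name in VACCINE_NAMES:
            p = Path(scratch, name)
            if p.exists():
                # Windows refuses to delete a read-only file, so clear the bit first.
                p.chmod(stat.S_IWRITE | stat.S_IREAD)
                p.unlink()
        os.rmdir(scratch)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else r"C:\Windows"
    for created_path in create_vaccine_files(target):
        print("read-only:", created_path)
```

Run it as `python vaccine.py C:\Windows` from an administrator prompt, or call `self_check()` first to see it work against a throwaway directory. The check deliberately looks at the mode bits rather than trying to open the file for writing, because an administrator (or root) can open a read-only file anyway and would get a misleading answer.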

Congratulations, your computer is protected from NotPetya/Petya!

Symantec experts offer some advice to PC users to prevent them from doing things that could lead to locked files or loss of money.

  1. Don't pay money to criminals. Even if you transfer money to the extortionists, there is no guarantee you will regain access to your files. In the case of NotPetya/Petya this is essentially meaningless anyway, because the goal of the ransomware is to destroy data, not to get money.
  2. Make sure you back up your data regularly. In this case, even if your PC becomes the target of a ransomware virus attack, you will be able to recover any deleted files.
  3. Don't open emails with questionable addresses. Attackers will try to trick you into installing malware or try to obtain important data for attacks. Be sure to inform IT specialists if you or your employees receive suspicious emails or links.
  4. Use reliable software. Timely updating of antivirus programs plays an important role in protecting computers from infections. And, of course, you need to use products from reputable companies in this field.
  5. Use mechanisms to scan and block spam messages. Incoming emails should be scanned for threats. It is important to block any types of messages that contain links or typical phishing keywords in their text.
  6. Make sure all programs are up to date. Regular remediation of software vulnerabilities is necessary to prevent infections.

Should we expect new attacks?

The Petya virus first appeared in March 2016, and security specialists immediately noticed its behavior. The new Petya virus infected computers in Ukraine and Russia at the end of June 2017. But this is unlikely to be the end. Hacker attacks using ransomware viruses similar to Petya and WannaCry will be repeated, said Stanislav Kuznetsov, deputy chairman of the board of Sberbank. In an interview with TASS, he warned that such attacks will definitely happen, but it is difficult to predict in advance in what form and format they may appear.

If, after all the cyber attacks that have happened, you have not yet taken at least the minimum steps to protect your computer from a ransomware virus, then it is time to get serious about it.

The whole world is coming up with protection against the new virus, although it crawls through the same “holes” as WannaCry

After the spread of the WannaCry ransomware, computers around the world were once again subjected to cyber attacks. The Petya virus affected devices in various countries in Europe and the United States. However, most of the damage occurred on computers in Russia and Ukraine, where about 80 companies were affected. The ransomware virus demanded money or cryptocurrency from owners of affected PCs, but cyber specialists found a way not to fall for the scammers. Read about who Petya is and how to avoid meeting him in the material of Realnoe Vremya.

Victims of Petya: from Rosneft to the Chernobyl nuclear power plant

The massive spread of the Petya virus began on June 27. Ukraine was the first to suffer: the computers of large energy companies - Ukrenergo, DTEK and Kyivenergo - were attacked, local media reported. An employee of one of the companies told reporters that on the morning of June 27, his work computer rebooted, after which the system allegedly began checking the hard drive. Then he saw that the same thing was happening on all the computers in the office. He turned off the computer, but after turning it on, an inscription with a ransom demand appeared on the device’s screen. The virus also affected the PCs of some Ukrainian banks, the Treasury of Ukraine, the Cabinet of Ministers, the Ukrtelecom company and the Boryspil airport.

Petya also attacked the computer system for monitoring background radiation at the Chernobyl nuclear power plant. At the same time, all the station’s systems worked normally and the radiation background did not exceed the control level, Meduza reports. On the evening of June 27, an appeal to residents of the country appeared on the official Facebook page of the Ministry of Internal Affairs of Ukraine, recommending that they turn off their computers until a way to combat the virus is developed.

In Russia, Rosneft servers were attacked by the Petya ransomware virus. Rosneft press secretary Mikhail Leontyev saw a connection between the Petya hacker attacks and the company’s lawsuit against AFK Sistema. On Business FM, he said it would be rational to try to use a virus to destroy data relating to the management of Bashneft. Isolated cases of infection of information infrastructure objects of the Russian banking system have been recorded. Home Credit Bank stopped conducting operations due to the cyber attacks, and the operation of the credit institution’s website was also disrupted. The branches operated only in advisory mode, while ATMs operated as normal, Interfax reports.

On June 28, the media also reported an attack on computers in the UK, Holland, Denmark, Spain, India, Lithuania, France and the USA.

Mikhail Leontyev saw a connection between the hacker attacks of the Petya virus and the claim against AFK Sistema. Photo polit.ru

WannaCry protection is powerless against Petya

Petya's operating principle is based on encrypting the master boot record (MBR), the first sector of the hard disk. The MBR holds the partition table and a bootloader program, which reads from that table which partition of the hard disk the system will boot from. The original MBR is stored in sector 0x22 of the disk, encrypted with a byte-by-byte XOR with 0x07. As a result, the information on the disk is replaced by the virus's own data, experts at Positive Technologies report.
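The layout just described can be checked on a disk image offline. The Python script below is an added example, not code from the article or from Positive Technologies: it reads sector 0x22, reverses the byte-by-byte XOR with 0x07 (XOR with a single byte is its own inverse), checks that the result carries the 0x55AA boot signature and a sane partition table before trusting it, and writes it back into sector 0 of a copy of the image. It assumes 512-byte sectors, and the "infected" image it works on is constructed for the demonstration, not a real capture. Note what this does and does not achieve: like bootrec /fixMbr, restoring the MBR only makes the disk bootable again; it does nothing for an MFT that has already been encrypted.

```python
"""Recover an MBR stashed in sector 0x22 and XORed with 0x07 (Petya-style).

Added example, not code from the article or from Positive Technologies.
Assumptions: 512-byte sectors; the original MBR was copied to sector 0x22
and XORed byte-by-byte with 0x07, as the article describes. The disk image
used below is constructed for the demonstration, not a real capture.
"""
from typing import Optional, Tuple

SECTOR_SIZE = 512
STASH_SECTOR = 0x22            # where the original MBR was copied
XOR_KEY = 0x07                 # one-byte key; XOR twice gives the plaintext back
BOOT_SIGNATURE = b"\x55\xaa"   # last two bytes of every valid MBR
PARTITION_TABLE_OFFSET = 446   # four 16-byte entries start here
PARTITION_ENTRY_SIZE = 16


def xor_bytes(data: bytes, key: int) -> bytes:
    """XOR every byte with a one-byte key (encrypts and decrypts alike)."""
    return bytes(b ^ key for b in data)


def read_sector(image: bytes, index: int) -> bytes:
    start = index * SECTOR_SIZE
    return image[start:start + SECTOR_SIZE]


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility check before trusting a recovered sector: right length,
    0x55AA signature, every boot indicator 0x00 or 0x80, at most one active."""
    if len(sector) != SECTOR_SIZE or sector[-2:] != BOOT_SIGNATURE:
        return False
    flags = [sector[PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE * i] for i in range(4)]
    return all(f in (0x00, 0x80) for f in flags) and flags.count(0x80) <= 1


def recover_original_mbr(image: bytes) -> Optional[bytes]:
    """Undo the XOR on sector 0x22; None if the result is not a plausible MBR."""
    candidate = xor_bytes(read_sector(image, STASH_SECTOR), XOR_KEY)
    return candidate if looks_like_mbr(candidate) else None


def restore_mbr(image: bytes) -> bytes:
    """Return a copy of the image with sector 0 replaced by the recovered MBR.
    This only restores bootability; an encrypted MFT is left as it is."""
    original = recover_original_mbr(image)
    if original is None:
        raise ValueError("sector 0x22 does not decode to a plausible MBR")
    return original + image[SECTOR_SIZE:]


def build_constructed_image() -> Tuple[bytes, bytes]:
    """Constructed sample: (clean MBR, infected image). Sector 0 is overwritten
    with filler standing in for the malware's bootloader; sector 0x22 holds the
    XOR-0x07 copy of the clean MBR."""
    clean = bytearray(SECTOR_SIZE)
    clean[0:3] = b"\xeb\x63\x90"                    # jump typical of boot code (constructed)
    clean[440:444] = b"\x12\x34\x56\x78"            # disk signature (constructed value)
    entry = bytearray(PARTITION_ENTRY_SIZE)
    entry[0] = 0x80                                 # active partition
    entry[4] = 0x07                                 # partition type 0x07: NTFS
    entry[8:12] = (2048).to_bytes(4, "little")      # first LBA
    entry[12:16] = (204800).to_bytes(4, "little")   # sector count
    clean[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    clean[-2:] = BOOT_SIGNATURE
    clean_mbr = bytes(clean)

    sectors = [bytes(SECTOR_SIZE)] * 64
    sectors[0] = b"\xcc" * SECTOR_SIZE              # stand-in for the replaced bootloader
    sectors[STASH_SECTOR] = xor_bytes(clean_mbr, XOR_KEY)
    return clean_mbr, b"".join(sectors)


if __name__ == "__main__":
    clean_mbr, infected = build_constructed_image()
    repaired = restore_mbr(infected)
    print("recovered MBR matches original:", repaired[:SECTOR_SIZE] == clean_mbr)
```

The plausibility check matters in practice: on a disk that was never touched by this malware, sector 0x22 holds whatever the filesystem put there, and XORing it with 0x07 yields garbage that must not be written over a working MBR. Work on a copy of the image, never the live disk, until the recovered sector has been inspected.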

After the malicious file runs, a task is created to restart the computer, delayed by 1-2 hours. If the disk is successfully encrypted after the reboot, a message is displayed demanding a ransom of $300 (payable in cryptocurrency) in exchange for the file unlock key. Incidentally, the email address the extortionists used has already been blocked, which makes paying pointless.

Petya uses a Windows vulnerability via the exploit codenamed EternalBlue. The infamous WannaCry attack used the same vulnerability to break into computers. Thanks to the exploit, Petya spread through Windows Management Instrumentation (a tool for centralized management and monitoring of the various parts of a Windows-based computer infrastructure) and PsExec (which allows processes to be executed on remote systems), gaining maximum privileges on the vulnerable system. This allowed the virus to keep working even on computers with the anti-WannaCry updates installed.

Command bootrec /fixMbr and write to Notepad

Famous French hacker and software developer Matthieu Suiche on his Twitter

According to Positive Technologies, over 80 organizations in Russia and Ukraine were affected by Petya’s actions. Compared to WannaCry, this virus is considered more destructive, as it spreads using several methods - using Windows Management Instrumentation, PsExec and the EternalBlue exploit. In addition, the ransomware includes the free Mimikatz utility.

“This set of tools allows Petya to remain operational even in those infrastructures where the lesson of WannaCry was taken into account and the appropriate security updates were installed, which is why the encryptor is so effective,” Positive Technologies said.

As the head of the company’s information security threat response department, Elmar Nabigaev, told Gazeta.Ru, “If we talk about the reasons for the current situation, then the problem is again a careless attitude towards information security problems.”

The head of the Avast virus laboratory, Jakub Kroustek, in an interview with Gazeta.Ru, said that it is impossible to establish for certain who exactly is behind this cyber attack, but it is already known that the Petya virus is distributed on the darknet using the RaaS (ransomware as a service) business model.

“So, the share of program distributors reaches 85% of the ransom, 15% goes to the authors of the ransomware virus,” Kroustek said. He noted that the Petya authors provide all the infrastructure, C&C servers and money transfer systems, which helps attract people to spread the virus, even if they have no programming experience.

In addition, Avast said which operating systems were most affected by the virus.

Windows 7 was in first place - 78% of all infected computers. Next comes Windows XP (18%), Windows 10 (6%) and Windows 8.1 (2%).

Kaspersky Lab considered that although the virus was similar to the Petya family, it still belonged to a different category, and gave it a different name - ExPetr, that is, “former Peter.”

Deputy Director for Development of the Aydeko company Dmitry Khomutov explained to a Gazeta.Ru correspondent that cyber attacks with the WannaCry and Petya viruses led to “what I had been warning about for a long time,” that is, to the global vulnerability of information systems used everywhere.

“Loopholes left by American corporations for intelligence agencies became available to hackers and were quickly combined with the traditional arsenal of cybercriminals - ransomware, botnet clients and network worms,” said Khomutov.

Thus, WannaCry taught the global community virtually nothing - computers remained unprotected, systems were not updated, and efforts to release patches even for outdated systems simply went to waste.

Experts urge not to pay the required ransom in bitcoins, since the email address that the hackers left for communication was blocked by the local provider. Thus, even in the case of “honest and good intentions” of cybercriminals, the user will not only lose money, but will also not receive instructions to unlock his data.

Petya harmed Ukraine the most. Among the victims were Zaporozhyeoblenergo, Dneproenergo, Kiev Metro, Ukrainian mobile operators Kyivstar, LifeCell and Ukrtelecom, the Auchan store, Privatbank, Boryspil airport and others.

Ukrainian authorities immediately blamed Russia for the cyberattack.

“The war in cyberspace, spreading fear and horror among millions of personal computer users and causing direct material damage due to the destabilization of business and government agencies, is part of the overall strategy of the hybrid war of the Russian empire against Ukraine,” said the Rada deputy from the Popular Front.

Ukraine may have been hit harder than others due to the initial spread of Petya through an automatic update of M.E.doc, an accounting software program. This is how Ukrainian departments, infrastructure facilities and commercial companies were infected - they all use this service.

The press service of ESET Russia explained to Gazeta.Ru that in order to infect a corporate network with the Petya virus, one vulnerable computer that does not have security updates installed is enough. With its help, the malicious program will enter the network, gain administrator rights and spread to other devices.

However, M.E.doc issued an official refutation of this version.

“Discussion of the sources of occurrence and spread of cyber attacks is actively carried out by users on social networks, forums and other information resources, in the formulation of which one of the reasons is the installation of updates to the M.E.Doc program. The M.E.Doc development team refutes this information and states that such conclusions are clearly erroneous, because the M.E.Doc developer, as a responsible supplier of the software product, monitors the safety and purity of its own code,” the statement says.

Good afternoon, friends. Quite recently we analyzed the WannaCry ransomware virus, which spread through many countries around the world in a matter of hours and infected many computers. And then, at the end of June, a new, similar virus appeared: “Petya”.

These viruses are classified as ransomware Trojans and are quite similar, although they also have their own differences, and significant ones at that. According to official data, “Petya” first infected a considerable number of computers in Ukraine and then began its journey around the world.

Computers in Israel, Serbia, Romania, Italy, Hungary, Poland and others were damaged. Russia is in 14th place on this list. Then, the virus spread to other continents.

Basically, the victims of the virus were large companies (quite often oil companies), airports, cellular communication companies, etc., for example, the companies Bashneft, Rosneft, Mars, Nestlé and others were affected. In other words, the attackers are targeting large companies from which they can take money.

What is “Petya”?

Petya is a ransomware Trojan. Such pests are created to blackmail the owners of infected computers by encrypting the information on the PC. Unlike WannaCry, the Petya virus does not encrypt individual files: this Trojan encrypts the entire disk, which is why it is more dangerous than the WannaCry virus.

When Petya hits a computer, it very quickly encrypts the MFT table. To make this clearer, here is an analogy: if you compare the files to a large city library, the virus removes its catalog, after which it is very hard to find the right book.

In fact it does not just remove the catalog; it also, in a sense, shuffles the pages (files) of different books. Naturally, the system fails in this case; it is very hard for a system to sort out such a mess. Once the pest gets onto the computer, it reboots the PC, and after booting a red skull appears. Then, when you press any key, a banner appears asking you to pay $300 to a Bitcoin account.

Virus Petya how not to catch it

Who could have created Petya? There is no answer to this question yet, and in general it is not clear whether the author will ever be identified (most likely not). But it is known that the leak originated in the USA. The virus, just like WannaCry, looks for a hole in the operating system. To patch this hole, just install the MS17-010 update (released a few months ago during the WannaCry attack). You can download it from the link, or from the official Microsoft website.

At the moment, this update is the most optimal way to protect your computer. Also, do not forget about a good antivirus. Moreover, Kaspersky Lab stated that they have a database update that blocks this virus.

But this does not mean that you need to install Kaspersky. Use your antivirus, just don’t forget to update its database. Also, don't forget about a good firewall.

How does the Petya virus spread?


Most often, Petya gets onto your computer via email. Therefore, you should not open various links in letters, especially in unfamiliar ones, while the Petya virus is incubating. In general, make it a rule not to open links from strangers. This way you will protect yourself not only from this virus, but also from many others.

Then, once on the computer, the Trojan reboots the PC and simulates checking the hard drive. Next, as I already mentioned, a red skull appears on the screen, followed by a banner offering to decrypt the files if you transfer three hundred dollars to a Bitcoin wallet.

I’ll say right away that you must not pay under any circumstances! They won’t decrypt anything for you anyway; you will just spend your money and make a contribution to the creators of the Trojan. This virus is not intended for decryption.

Petya virus how to protect yourself

Let's take a closer look at protection against the Petya virus:

  1. I have already mentioned system updates. This is the most important point. Even if you have a pirated system, you need to download and install the MS17-010 update.
  2. In Windows settings, turn on “Show file extensions.” This lets you see each file's extension and delete suspicious ones. The virus file has the .exe extension.
  3. Let's get back to the letters. Do not click on links or attachments from strangers. And in general, during quarantine, do not follow links in mail (even from people you know).
  4. It is advisable to enable User Account Control.
  5. Copy important files to removable media. Can be copied to the Cloud. This will help you avoid many problems. If Petya appears on your PC, it will be enough to install a new operating system after formatting the hard drive.
  6. Install a good antivirus, preferably one that includes a firewall. Such antivirus products typically have the word “Security” in their name. If you have important data on your computer, do not skimp on antivirus.
  7. Once you have installed a decent antivirus, do not forget to update its database.

Petya virus how to remove

It's a difficult question. If Petya has done its work on your computer, there will essentially be nothing to delete. All files will be scattered throughout the system, and most likely you will no longer be able to put them in order. There is no point in paying the attackers. All that remains is to format the disk and reinstall the system. After formatting and reinstalling the system, the virus will be gone.

Also, I would like to add that this pest poses a threat specifically to the Windows system. If you have any other system, for example the Russian Rosa system, you should not be afraid of this ransomware virus. The same applies to phone owners. Most of them run Android, iOS, etc. Therefore, cell phone owners have nothing to worry about.

Also, if you are a simple person and not the owner of a large company, most likely the attackers are not interested in you. They need large companies for which $300 means nothing and who can actually pay them this money. But this does not mean that the virus cannot get onto your computer. It's better to be safe!

Still, let's hope that the Petya virus will bypass you! Take care of your information on your computer. Good luck!