What is Petya?
- Ransomware is used to take over victims’ computers, encrypting their files and then demanding payment (the ransom) to restore the affected files.
- A worm is malware that is able to replicate itself.
- Wiper malware is designed with the intention of wiping the hard drive of the computer it infects.
Why Petya is wiper malware
According to experts, during the encryption of a hard drive, Petya does not create a copy of the original boot files, meaning that even if you were to pay for the release of your files, you’d never be able to get them back.
Where does it come from?
When the Petya outbreak happened
How Petya works
Once Petya has spread to your computer and successfully installed itself, it proceeds to modify the Master Boot Record of a computer. This allows it to hijack the normal boot-up process of your computer during the next system reboot. With your Master Boot Record now modified, Petya encrypts the hard disk while simulating a CHKDSK screen. This is when you’re greeted with the ominous ransom message below:
What’s interesting to note about Petya is that the Master Boot Record cannot be modified if the threat is executed as a normal user. This, however, doesn’t stop Petya from attempting to spread across your network.
Petya performs file encryption in two steps. After Petya has spread to other computers, it initiates user-mode encryption of files with specific extensions. This goes unnoticed because the infection process includes the installation of a custom simulator that hides what’s happening from the user. This is the first of the two encryption steps.
With a user’s files now quietly encrypted, Petya then begins the second encryption step: full disk encryption. Here is a list of the file types that Petya searches for and encrypts: .3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
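Because Petya hijacks the boot process by rewriting the Master Boot Record, one defensive check is to baseline the 512-byte boot sector at install time and alert when the bootstrap code changes while the partition table does not. The script below is an added example, not code from the original article; it uses a constructed sample sector, and the function names and the hypothetical sample partition layout are assumptions.

```python
import hashlib
import struct

SECTOR = 512
BOOTSTRAP_END = 446      # bootstrap code occupies bytes 0..445
TABLE_END = 510          # four 16-byte partition entries occupy bytes 446..509
SIGNATURE = b"\x55\xaa"  # boot signature at bytes 510..511


def region_hashes(mbr: bytes) -> dict:
    """SHA-256 of the bootstrap code and of the partition table, taken separately."""
    if len(mbr) != SECTOR:
        raise ValueError(f"expected {SECTOR} bytes, got {len(mbr)}")
    return {
        "bootstrap": hashlib.sha256(mbr[:BOOTSTRAP_END]).hexdigest(),
        "partitions": hashlib.sha256(mbr[BOOTSTRAP_END:TABLE_END]).hexdigest(),
    }


def check_mbr(mbr: bytes, baseline: dict) -> dict:
    """Compare a freshly read boot sector against a stored known-good baseline."""
    current = region_hashes(mbr)
    bootstrap_changed = current["bootstrap"] != baseline["bootstrap"]
    partitions_changed = current["partitions"] != baseline["partitions"]
    # Bootstrap code rewritten while the partition table is untouched is the
    # pattern of a boot-loader replacement rather than a legitimate repartitioning.
    return {
        "signature_ok": mbr[TABLE_END:] == SIGNATURE,
        "bootstrap_changed": bootstrap_changed,
        "partitions_changed": partitions_changed,
        "suspect_bootloader_swap": bootstrap_changed and not partitions_changed,
    }


def build_sample_mbr(bootstrap_fill: int) -> bytes:
    """Constructed 512-byte boot sector (not a real disk image) for this demo."""
    bootstrap = bytes([bootstrap_fill]) * BOOTSTRAP_END
    # One hypothetical NTFS entry: bootable, type 0x07, LBA start 2048, 1,000,000 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    return bootstrap + entry + b"\x00" * 48 + SIGNATURE


if __name__ == "__main__":
    good = build_sample_mbr(0x90)          # known-good sector captured at install time
    baseline = region_hashes(good)
    tampered = build_sample_mbr(0xEB)      # same partitions, different boot code
    print(check_mbr(good, baseline))       # nothing changed
    print(check_mbr(tampered, baseline))   # suspect_bootloader_swap: True
```

On a live system the sector would come from reading the first 512 bytes of the boot disk with administrator rights, which is also why the article notes that a normal user cannot modify the Master Boot Record.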
How much damage has Petya inflicted
While Petya makes a ransom request of $300, it hit many large organisations across Europe, costing them what is estimated to be millions in damages. Shipping giant Maersk, British advertising agency WPP, Russian oil giant Rosneft, Ukrainian government departments and also several ATMs in the country were infected.
Petya came just weeks after WannaCry held the world to ransom. While there’s no way to know when threats like these will surface, protecting against them is something that every computer user can do. Our advice: keep your computer updated with the latest security patches and antivirus software.