Petya 2017 Ransomware Description
The Petya 2017 Ransomware is a worm that encrypts files across multiple drives and network-accessible systems and reboots the PC to display a ransom note. This threat's campaign is focusing on government and critical entities in private infrastructures, such as companies in the power sector, throughout the world. While this worm is more sophisticated than most file-encoding threats, victims still can use the same defenses: updating their software, backing up their files, and letting their anti-malware solutions remove the Petya 2017 Ransomware automatically.
Petya Making a Name for Itself Once Again
A wave of file-encrypting attacks against a range of diverse organizations is being carried out with the help of what's either an update or a near-clone of the old Petya Ransomwar. The new variant, being dubbed as the Petya 2017 Ransomware currently, was earlier assumed to be the byproduct of Russian-sponsored cyber-terrorism, although recent attacks including Russian targets (such as Rosneft) are raising doubts about that assumption. Along with locking files, the Petya 2017 Ransomware uses multiple and advanced methods of compromising networks and locking the user out of Windows.
The Petya 2017 Ransomware's infection methods are as sophisticated as its payload, with the first attacks using update-hijacking exploits for the tax accounting program MEDoc. Access to a single machine also allows the Petya 2017 Ransomware, which has full-fledged worm features, to compromise the rest of the network (for example, by collecting login credentials, reusing any active sessions or abusing file-sharing settings).
Besides its system-compromising capabilities, malware experts are confirming that the core of the Petya 2017 Ransomware's payload consists of the following:
- The Petya 2017 Ransomware uses a variable encryption routine across all accessible systems (as per above details) and creates a separate decryption key for each drive thus affected. It locks files of over sixty formats, including DOC, DOCX, PHP, XLS and others.
- The Petya 2017 Ransomware hijacks the MBR to subvert the loading of the OS and sets a scheduled task forcing the PC to reboot ten minutes after its attack's completion. Although at first, the Petya 2017 Ransomware uses this feature for displaying a fake disk-repair message, it transitions into a ransom note asking for hundreds of dollars in Bitcoins to be paid to the provided address quickly.
Keeping Global Threat Actors from Turning Power into Money
The Petya 2017 Ransomware is a well-coordinated campaign, with victims in various industries reporting of as many as thousands of compromises in the course of single days. Ukraine has been a target of especial interest to the worm's threat actors, but infections elsewhere are being verified, including in Europe and the United States. Since this worm boasts of significant lateral movement-based features, malware experts recommend taking any steps necessary to isolate a compromised machine from others operating on the same network immediately.
Microsoft has responded promptly to this series of attacks and is offering a variety of recommendations for self-defense, in addition to the standard recommendation of updating all potentially vulnerable software. Surprisingly, for such an advanced worm, the Petya 2017 Ransomware also includes a remarkable limitation: it self-terminates, without encrypting media, whenever the file 'perfc' (without an extension) exists within the Windows directory. Users can create this file preemptively as a form of makeshift inoculation against current versions of the threat. While most anti-malware programs should remove the Petya 2017 Ransomware appropriately, undoing its boot-up modifications will require repairing the operating system.
The Petya 2017 Ransomware is a well-planned, file-ransoming campaign that's collected thousands of dollars in Bitcoins already. Even more worryingly, this worm is responsible for forcing nuclear plants and similar entities to shut down all systems and revert to manual operating methods, raising the question of just how high in stakes this group of threat actors is willing to gamble.
Use SpyHunter to Detect and Remove PC Threats
If you are concerned that malware or PC threats similar to Petya 2017 Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.
Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.
File System Modifications
The following files were created in the system:
file.exeFile name: file.exe
Size: 230.91 KB (230912 bytes)
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 30, 2020
dirOrder-20062017.docFile name: Order-20062017.doc
Size: 6.21 KB (6215 bytes)
Detection count: 31
Mime Type: unknown/doc
Group: Malware file
Last Updated: June 29, 2017
8baa0535ff2f2f3b0f2c0b45b537b4f8File name: 8baa0535ff2f2f3b0f2c0b45b537b4f8
Size: 68.09 KB (68096 bytes)
Detection count: 24
Group: Malware file