Petya 2017 Ransomware

Posted: June 29, 2017
Threat Metric
Threat Level: 10/10
Infected PCs 159

Petya 2017 Ransomware Description

The Petya 2017 Ransomware is a worm that encrypts files across multiple drives and network-accessible systems and reboots the PC to display a ransom note. This threat's campaign is focusing on government and critical entities in private infrastructures, such as companies in the power sector, throughout the world. While this worm is more sophisticated than most file-encoding threats, victims still can use the same defenses: updating their software, backing up their files, and letting their anti-malware solutions remove the Petya 2017 Ransomware automatically.

Petya Making a Name for Itself Once Again

A wave of file-encrypting attacks against a range of diverse organizations is being carried out with the help of what's either an update or a near-clone of the old Petya Ransomwar. The new variant, being dubbed as the Petya 2017 Ransomware currently, was earlier assumed to be the byproduct of Russian-sponsored cyber-terrorism, although recent attacks including Russian targets (such as Rosneft) are raising doubts about that assumption. Along with locking files, the Petya 2017 Ransomware uses multiple and advanced methods of compromising networks and locking the user out of Windows.

The Petya 2017 Ransomware's infection methods are as sophisticated as its payload, with the first attacks using update-hijacking exploits for the tax accounting program MEDoc. Access to a single machine also allows the Petya 2017 Ransomware, which has full-fledged worm features, to compromise the rest of the network (for example, by collecting login credentials, reusing any active sessions or abusing file-sharing settings).

Besides its system-compromising capabilities, malware experts are confirming that the core of the Petya 2017 Ransomware's payload consists of the following:

  • The Petya 2017 Ransomware uses a variable encryption routine across all accessible systems (as per above details) and creates a separate decryption key for each drive thus affected. It locks files of over sixty formats, including DOC, DOCX, PHP, XLS and others.
  • The Petya 2017 Ransomware hijacks the MBR to subvert the loading of the OS and sets a scheduled task forcing the PC to reboot ten minutes after its attack's completion. Although at first, the Petya 2017 Ransomware uses this feature for displaying a fake disk-repair message, it transitions into a ransom note asking for hundreds of dollars in Bitcoins to be paid to the provided address quickly.

Keeping Global Threat Actors from Turning Power into Money

The Petya 2017 Ransomware is a well-coordinated campaign, with victims in various industries reporting of as many as thousands of compromises in the course of single days. Ukraine has been a target of especial interest to the worm's threat actors, but infections elsewhere are being verified, including in Europe and the United States. Since this worm boasts of significant lateral movement-based features, malware experts recommend taking any steps necessary to isolate a compromised machine from others operating on the same network immediately.

Microsoft has responded promptly to this series of attacks and is offering a variety of recommendations for self-defense, in addition to the standard recommendation of updating all potentially vulnerable software. Surprisingly, for such an advanced worm, the Petya 2017 Ransomware also includes a remarkable limitation: it self-terminates, without encrypting media, whenever the file 'perfc' (without an extension) exists within the Windows directory. Users can create this file preemptively as a form of makeshift inoculation against current versions of the threat. While most anti-malware programs should remove the Petya 2017 Ransomware appropriately, undoing its boot-up modifications will require repairing the operating system.

The Petya 2017 Ransomware is a well-planned, file-ransoming campaign that's collected thousands of dollars in Bitcoins already. Even more worryingly, this worm is responsible for forcing nuclear plants and similar entities to shut down all systems and revert to manual operating methods, raising the question of just how high in stakes this group of threat actors is willing to gamble.

Use SpyHunter to Detect and Remove PC Threats

If you are concerned that malware or PC threats similar to Petya 2017 Ransomware may have infected your computer, we recommend you start an in-depth system scan with SpyHunter. SpyHunter is an advanced malware protection and remediation application that offers subscribers a comprehensive method for protecting PCs from malware, in addition to providing one-on-one technical support service.

Download SpyHunter's Malware Scanner

Note: SpyHunter's free version is only for malware detection. If SpyHunter detects malware on your PC, you will need to purchase SpyHunter's malware tool to remove the malware threats. Learn more on SpyHunter. If you would like to uninstall SpyHunter for any reason, please follow these uninstall instructions. To learn more about our policies and practices, visit our EULA, Privacy Policy and Threat Assessment Criteria.

Why can't I open any program including SpyHunter? You may have a malware file running in memory that kills any programs that you try to launch on your PC. Tip: Download SpyHunter from a clean computer, copy it to a USB thumb drive, DVD or CD, then install it on the infected PC and run SpyHunter's malware scanner.

Technical Details

File System Modifications

Tutorials: If you wish to learn how to remove malware components manually, you can read the tutorials on how to find malware, kill unwanted processes, remove malicious DLLs and delete other harmful files. Always be sure to back up your PC before making any changes.

The following files were created in the system:



file.exe File name: file.exe
Size: 230.91 KB (230912 bytes)
MD5: af2379cc4d607a45ac44d62135fb7015
Detection count: 40
File type: Executable File
Mime Type: unknown/exe
Group: Malware file
Last Updated: September 30, 2020
dirOrder-20062017.doc File name: Order-20062017.doc
Size: 6.21 KB (6215 bytes)
MD5: 415fe69bf32634ca98fa07633f4118e1
Detection count: 31
Mime Type: unknown/doc
Path: dir
Group: Malware file
Last Updated: June 29, 2017
8baa0535ff2f2f3b0f2c0b45b537b4f8 File name: 8baa0535ff2f2f3b0f2c0b45b537b4f8
Size: 68.09 KB (68096 bytes)
MD5: 8baa0535ff2f2f3b0f2c0b45b537b4f8
Detection count: 24
Group: Malware file
Home Malware Programs Ransomware Petya 2017 Ransomware

Leave a Reply

Please note that we are not able to assist with billing and support issues regarding SpyHunter or other products. If you're having issues with SpyHunter, please get in touch with SpyHunter customer support through your SpyHunter. If you have SpyHunter billing questions, we recommend you check the Billing FAQ. For general suggestions or feedback, contact us.