The Petya Virus: What It Is And How to Remove It
Protect yourself against this dangerous piece of ransomware.
Petya is a family of encrypting malware that infects Microsoft Windows computers. It overwrites the disk's master boot record with its own bootloader, which on the next start-up encrypts the NTFS master file table, the index the file system uses to find every file, so that nothing on the drive can be reached. The data is unlocked only when the victim enters the decryption key, which the attackers offer in exchange for a ransom.
If you tried to boot your Windows PC and, instead of the familiar login screen, found a red background with an ASCII skull demanding a ransom in Bitcoin, you may well have been infected with Petya. It is a nasty ransomware infection that tries to extort money from you by locking you out of your own system.
Petya is only known to infect Windows machines, so if you use macOS you are safe from this particular threat. You are still exposed to other malware and ransomware, so keep up strong personal security practices regardless.
What is the Petya Virus?
Petya belongs to the class of malware known as ransomware, which makes money for its creators by rendering a victim's most important files, or the whole system, inaccessible and then demanding payment to restore them.
The name comes from the 1995 James Bond film GoldenEye, in which Petya is one of two satellites (the other is Mischa, a name later reused for a companion payload) that carry nuclear warheads designed to cause mass disruption through an electromagnetic pulse. An alleged author of the malware also ran a Twitter account whose avatar was a character from the film.
Petya first appeared in March 2016 and circulated in several variants over the following year. The 2017 variant known as NotPetya went on to cause more than $10 billion in damage to government and commercial organisations, which ranks it among the most damaging cyberattacks ever recorded.
That 2017 version was designated NotPetya by the antivirus firm Kaspersky Lab, because under the Petya-style ransom screen it behaved quite differently. It appeared in June 2017, a year after the original, and was used as a destructive cyberattack tool against Ukraine rather than as a money-making scheme. The SMB vulnerability it exploited (MS17-010) had already been patched by Microsoft in March 2017, three months before the attack, which is why fully patched systems were not vulnerable to that route and why a repeat on the same scale is unlikely.
Though first seen in 2016, Petya made world news in June 2017 when the new variant was used in a massive cyberattack on Ukrainian targets. It quickly spread through the networks of multinational companies, crippling businesses worldwide and causing more than $10 billion in damage.
The new variant, dubbed NotPetya because of key differences from the original, spread using an exploit known as EternalBlue. The exploit was developed by the U.S. National Security Agency (NSA) and leaked by the Shadow Brokers group in April 2017. It targets a flaw in SMBv1, the Windows file-sharing protocol, so that once NotPetya ran on one machine it could silently copy itself to every unpatched machine it could reach on the network. Unlike most malware, NotPetya infected new systems without anyone opening a file or clicking a link. That behaviour made it more of a self-propagating worm, a "ransomworm", than a traditional virus.
NotPetya started as a narrowly targeted attack but quickly grew into a worldwide threat. And although it showed the usual signs of ransomware, including a ransom demand, it was not built to actually collect any money. Those traits led researchers to conclude that it was a state-sponsored destructive attack rather than an act of cybercrime.
How Does Petya Ransomware Virus Work?
Once Petya gains access to a system with administrator rights, it overwrites the master boot record (MBR), the first sector of the disk, replacing the Windows bootloader with its own small boot program. It then forces a crash and reboot so that this program runs before Windows does.
When the PC starts up again, Petya's bootloader, not Windows, takes control. It encrypts the master file table (MFT) of the NTFS file system, the index that records where every file is stored, so although the file contents are still on the disk, nothing can be located by normal means. While it encrypts, it shows a fake Windows chkdsk screen claiming to be repairing the drive; when it finishes, it displays a ransom message demanding payment in Bitcoin for the decryption key.
There are several variants of Petya. The original needed the user to approve a User Account Control prompt, because writing to the MBR requires administrator rights; later variants did not, or carried an extra payload that ran if elevation was refused. One in particular launched "Mischa" in that case, a far more typical ransomware that encrypts individual files from an ordinary user account instead of touching the boot record.
NotPetya, the 2017 variant, also harvested passwords from the infected system and used several techniques to spread to other computers on the same network.
According to the Ukrainian police, the NotPetya attack began by subverting the update mechanism of M.E.Doc, a tax-accounting package widely used by businesses in Ukraine, so that a poisoned update installed the malware. A second wave spread through phishing emails carrying it.
Although it exploited the same flaw as the earlier WannaCry ransomware, NotPetya had more ways to spread: where EternalBlue failed against a patched machine, it fell back on credentials stolen from the first victim and ordinary Windows remote administration tools. That made it much harder to contain. At the same time, it did not scan the public internet for new victims the way WannaCry did; it only tried hosts it could already see on the local network, so it spread within organisations rather than at random. That design is consistent with the theory that NotPetya was a targeted attack rather than a cybercriminal's cash grab, even though the connected networks of multinational companies carried it far beyond Ukraine.
Once it has infected a system, NotPetya schedules a reboot for a random point within the next hour. After the restart it displays the text "Repairing file system on C:" and warns the user not to turn off the computer. While the user waits, it is actually encrypting the MFT. When that finishes, the fake repair screen gives way to the ransom demand.
The NotPetya ransom, however, was effectively impossible to pay. The attackers' only contact point was a single hard-coded webmail address, which the provider shut down within hours of the attack. With no way to send payment details or receive a decryption key, victims who paid got nothing; later analysis showed that the "personal installation key" on the ransom screen was random data with no relationship to the encryption, so the attackers could not have decrypted anything even if they had wanted to.
How Do I Know I Have the Petya Ransomware Virus?
You will know your system has been infected by Petya if it suddenly reboots into a "repairing file system" screen that you did not ask for, or if, on start-up, you are faced with the red skull screen described above instead of Windows. Either is followed by a ransom message demanding payment in Bitcoin to restore the system.
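The mechanism described earlier (a replaced MBR bootloader with the partition table left intact) is something you can check for yourself from a disk image, without ever booting the disk. The following Python script is an added example for this article, not code from Malwarebytes or any other vendor: it parses sector 0 of an image, decodes the partition table, and flags bootstrap code that lacks the error strings the stock Windows MBR carries. That string check is a heuristic of my own choosing rather than a Petya signature, since OEM and Linux boot managers also lack those strings, and the "clean" and "suspect" sectors are constructed inside the script rather than captured from real disks.

```python
"""Offline MBR triage: parse sector 0 of a disk image and flag boot code that is
not the stock Windows MBR.  Added example for this article, not a vendor tool.
The clean/suspect sectors below are constructed here, not captured from disks."""
from __future__ import annotations

import struct
from dataclasses import dataclass

SECTOR = 512
BOOT_CODE_END = 0x1B8     # bytes 0..439 bootstrap code; 440..443 disk signature
PART_TABLE_OFF = 0x1BE    # four 16-byte partition entries
BOOT_SIG = b"\x55\xAA"    # last two bytes of a valid MBR

# Error strings embedded in the stock Windows MBR boot code.  Heuristic only:
# OEM and Linux boot managers also lack them, so confirm against a known-good image.
WINDOWS_MBR_STRINGS = (b"Invalid partition table",
                       b"Error loading operating system",
                       b"Missing operating system")


@dataclass
class Partition:
    bootable: bool
    type_id: int      # 0x07 = NTFS/exFAT, 0x0C = FAT32 LBA, 0x83 = Linux, ...
    lba_start: int
    sectors: int


def parse_partitions(sector: bytes) -> list[Partition]:
    """Decode the four MBR partition entries, skipping empty ones."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + 16 * i
        status, ptype = sector[off], sector[off + 4]
        lba, count = struct.unpack_from("<II", sector, off + 8)
        if ptype != 0:
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def triage_mbr(sector: bytes) -> dict:
    """Verdict plus findings for one 512-byte boot sector.  Petya replaces the
    bootstrap code but leaves the partition table alone, so an intact NTFS entry
    next to foreign boot code is the pattern to look for."""
    if len(sector) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    findings, parts = [], parse_partitions(sector)
    boot_code = sector[:BOOT_CODE_END]
    if sector[510:512] != BOOT_SIG:
        findings.append("0x55AA boot signature missing: BIOS would not boot this sector")
    if not any(p.type_id == 0x07 for p in parts):
        findings.append("no NTFS (type 0x07) partition listed; table may be damaged")
    if not any(p.bootable for p in parts):
        findings.append("no partition carries the bootable flag")
    if boot_code.count(0) == len(boot_code):
        verdict = "wiped"
        findings.append("bootstrap code is all zeros")
    elif all(s in boot_code for s in WINDOWS_MBR_STRINGS):
        verdict = "stock-windows"
    else:
        verdict = "foreign-boot-code"
        findings.append("bootstrap code lacks the stock Windows MBR strings; "
                        "compare with a known-good image before trusting this disk")
    return {"verdict": verdict, "partitions": parts, "findings": findings}


def triage_image(path: str) -> dict:
    """Read sector 0 from a raw image file (or, elevated on Windows, a device
    path such as \\.\PhysicalDrive0) and triage it."""
    with open(path, "rb") as fh:
        return triage_mbr(fh.read(SECTOR))


def build_sector(boot_code: bytes, partitions: list[Partition],
                 disk_signature: int = 0x1234ABCD) -> bytes:
    """Assemble an MBR from its parts (used only to construct the samples)."""
    if len(boot_code) > BOOT_CODE_END:
        raise ValueError("boot code too long")
    sec = bytearray(SECTOR)
    sec[:len(boot_code)] = boot_code
    struct.pack_into("<I", sec, BOOT_CODE_END, disk_signature)
    for i, p in enumerate(partitions[:4]):
        off = PART_TABLE_OFF + 16 * i
        sec[off], sec[off + 4] = (0x80 if p.bootable else 0x00), p.type_id
        struct.pack_into("<II", sec, off + 8, p.lba_start, p.sectors)
    sec[510:512] = BOOT_SIG
    return bytes(sec)


# Constructed samples: one bootable NTFS partition starting at sector 2048.
NTFS_PART = [Partition(bootable=True, type_id=0x07, lba_start=2048, sectors=204_800)]
# Stand-in for the Microsoft loader: its real opening bytes plus the error strings.
CLEAN_BOOT_CODE = (b"\x33\xC0\x8E\xD0\xBC\x00\x7C" + b"\x90" * 32
                   + b"\x00".join(WINDOWS_MBR_STRINGS))
# Stand-in for a replaced loader: deterministic non-zero bytes, none of the strings.
SUSPECT_BOOT_CODE = bytes((i * 37 + 11) & 0xFF for i in range(BOOT_CODE_END))
CLEAN_SECTOR = build_sector(CLEAN_BOOT_CODE, NTFS_PART)
SUSPECT_SECTOR = build_sector(SUSPECT_BOOT_CODE, NTFS_PART)

if __name__ == "__main__":
    for label, sec in (("clean", CLEAN_SECTOR), ("suspect", SUSPECT_SECTOR)):
        result = triage_mbr(sec)
        print(f"{label}: {result['verdict']}")
        for finding in result["findings"]:
            print(f"  - {finding}")
```

Run it as-is to see the verdicts for the two constructed sectors, or point triage_image() at a dd image taken from the infected drive. Note that a "foreign-boot-code" verdict only tells you the loader is not Microsoft's; it says nothing about which malware put it there, and the script never writes to the disk.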
How Did I Get the Petya Ransomware Virus?
The original Petya was distributed through emails posing as job applications. The message linked to a file that looked like an applicant's PDF résumé but was really a Windows executable. You may have opened one believing it to be a legitimate document from a colleague or candidate.
Later variants such as NotPetya used the EternalBlue exploit, which abuses a flaw in version 1 of the Windows Server Message Block (SMB) file-sharing protocol, to infect systems over the network. It is the same exploit path used by the WannaCry ransomware, and Microsoft's MS17-010 update closes it.
If you were hit by NotPetya, you were most likely infected by another machine on your network rather than by anything you did, because it spreads across local networks using several techniques. Where EternalBlue fails against a patched host, it uses passwords harvested from memory on the first victim to log in to neighbouring systems and run its payload there, so a single administrative password shared across machines is enough to let it take an entire network.
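The two behaviours described above, a forced reboot scheduled some time ahead and remote execution on neighbouring hosts with harvested credentials, both show up in process-creation telemetry (Sysmon event 1 or Windows security event 4688). The following Python detection is an added example for this article, not a rule from the page's sources or any vendor. The command-line patterns it matches (schtasks creating a task whose action is shutdown /r, and wmic or psexec run against another host with an explicit user name) are assumptions drawn from public analyses of NotPetya rather than from this page, and the four events it runs over are constructed to exercise them, not real logs.

```python
"""Detection over process-creation events for two NotPetya-style behaviours:
a delayed forced reboot scheduled via schtasks, and remote execution on another
host with explicit credentials.  Added example for this article; the patterns
are assumptions from public analyses and the events are constructed."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed events, one per line: time|host|user|image|command line
SAMPLE_EVENTS = r"""
2017-06-27T09:00:00|WS-007|CORP\bob|C:\Windows\System32\schtasks.exe|schtasks /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"
2017-06-27T09:15:00|WS-007|CORP\admin|C:\Windows\System32\wbem\WMIC.exe|wmic os get caption
2017-06-27T10:31:02|WS-042|CORP\alice|C:\Windows\System32\schtasks.exe|schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:30
2017-06-27T10:31:05|WS-042|CORP\alice|C:\Windows\System32\wbem\WMIC.exe|wmic /node:"10.0.5.17" /user:"CORP\svc_backup" /password:"p@ss" process call create "C:\Windows\Temp\x.tmp"
"""


def is_scheduled_forced_reboot(image: str, cmdline: str) -> bool:
    """schtasks /Create whose task action is shutdown /r (a delayed forced restart)."""
    cl = cmdline.lower()
    return (image.lower().endswith("\\schtasks.exe")
            and "/create" in cl
            and re.search(r"shutdown(\.exe)?\s+/r\b", cl) is not None)


def is_remote_exec_with_creds(image: str, cmdline: str) -> bool:
    """wmic or psexec starting a process on another host with a supplied user name."""
    img, cl = image.lower(), cmdline.lower()
    if img.endswith("\\wmic.exe"):
        return "/node:" in cl and "/user:" in cl and "process call create" in cl
    if img.endswith(("\\psexec.exe", "\\psexec64.exe")):
        return "\\\\" in cl and re.search(r"\s-u\s", cl) is not None
    return False


RULES = [("scheduled-forced-reboot", is_scheduled_forced_reboot),
         ("remote-exec-with-creds", is_remote_exec_with_creds)]


def parse_events(text: str) -> list[dict]:
    """Split the pipe-delimited sample format into event dicts."""
    events = []
    for line in text.strip().splitlines():
        ts, host, user, image, cmdline = line.split("|", 4)
        events.append({"time": datetime.fromisoformat(ts), "host": host,
                       "user": user, "image": image, "cmdline": cmdline})
    return events


def detect(events: list[dict], window: timedelta = timedelta(minutes=60)) -> list[dict]:
    """Per-event medium alerts, plus one high alert when a single host shows both
    behaviours inside `window`: the reboot is scheduled within the hour, so the
    lateral movement and the restart land close together on the same machine."""
    alerts, hits = [], defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        for name, rule in RULES:
            if rule(ev["image"], ev["cmdline"]):
                alerts.append({"severity": "medium", "rule": name, "host": ev["host"],
                               "user": ev["user"], "time": ev["time"]})
                hits[ev["host"]].append((name, ev["time"]))
    for host, seen in hits.items():
        if {n for n, _ in seen} == {n for n, _ in RULES}:
            times = [t for _, t in seen]
            if max(times) - min(times) <= window:
                alerts.append({"severity": "high", "rule": "petya-like-chain",
                               "host": host, "time": max(times)})
    return alerts


def run_sample() -> list[dict]:
    """Run the rules over the constructed events."""
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"{a['severity']:6} {a['time']:%H:%M:%S} {a['host']} {a['rule']}")
```

On the constructed input, WS-007 produces nothing (a schtasks query and a local wmic call are routine), while WS-042 trips both rules three seconds apart and so also raises the high-severity chain alert. The correlation step is the point: either pattern alone appears in legitimate administration, but one host scheduling its own forced reboot and pushing a process to a peer with a typed-in password within the same hour is the sequence this article describes.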
How Do I Get Rid of the Petya Virus?
If your system is infected by the original Petya or one of its close relatives (including the Petya and Mischa combination), you may be in luck. Antivirus software cannot undo the encryption, but in July 2017 the author of the original released the master private key, and decryption tools built on it can recover the MFT for those versions. NotPetya is a different matter: the key it shows the victim is random and unrelated to the encryption, no decryption tool has been produced for it, and restoring from a backup is the realistic way back.
Before attempting decryption, make a sector-by-sector image of the infected drive if you can, and work on the copy: a decryption attempt that goes wrong on your only copy is unrecoverable. Do this on an isolated, non-networked system so the infection cannot spread any further.
Download links and full removal steps can be found on the Malwarebytes blog.
How Can I Avoid Getting the Petya Ransomware Virus Again?
In 2019 you are very unlikely to contract Petya, for several reasons. The people behind the original stopped distributing it and its master key has been public since 2017. For variants like NotPetya, the SMBv1 vulnerability exploited by EternalBlue has been patched by Microsoft since March 2017 (MS17-010).
As long as your PC is running a supported version of Windows with all security updates installed, and SMBv1 is disabled (it is off by default in current Windows 10 releases), you are well protected against this route.
To reduce the risk of a stray Petya infection (and of many other viruses and malware besides), treat email attachments with suspicion even when they come from people you know: never run an executable that arrives by email or download link, and don't enable macros in a document you were not expecting. Ask people to share files with you via a cloud storage link instead, and check with them by another channel if anything about the request looks odd.
Here are a few additional tips for keeping your system safe:
- Keep your antivirus and anti-malware software up to date. New detection signatures are released regularly, and they are what let your protection recognise new virus and malware threats.
- Be wary of new programs. Know the source of every program and app you download, and when installing them, don't blindly accept every option the installer suggests; read what each box you tick actually does.
- Stick to well-known websites. Stay away from sites you are not familiar with and never click on pop-up ads that appear while you browse. Clicking them can lead to a download of malware such as a Trojan that opens the door to ransomware.
- Keep offline backups. Ransomware you cannot decrypt, like NotPetya, only costs you the files you have no other copy of, so back up your important data regularly to a drive or service that is not permanently connected to your PC.