Petya Ransomware and What We Know So Far
The ransomware known as "Petya" has been ravaging computer networks around the world
On Tuesday morning, reports emerged that a ransomware known as "Petya" was encrypting computers, beginning in Ukraine. It quickly spread through business and enterprise computer networks in several countries. Although we do not have all the answers on Petya, here is what is known so far.
What is Petya?
Petya is a type of malware known as ransomware. Machines infected by the ransomware have their files encrypted to block the user from accessing their files until a sum of money is paid.
Where did it come from?
Petya is ransomware disguised as a software update from MEDoc. MEDoc is a financial monitoring application that businesses in Ukraine must have installed. MEDoc's update system was hacked, and the malware was pushed out through it to businesses and enterprises in Ukraine.
How is it spreading?
Although the infection began in Ukraine, Petya was able to spread quickly to other European companies via enterprise networks. It is speculated that it traveled through corporate VPNs to attack central servers and then every other PC running Windows on the company's network.
Who is at risk?
Windows systems that have not been patched and are connected to corporate networks. Home computers are (for now) at low risk of infection. Users who connect their home computers to a corporate VPN greatly increase the risk of their home network becoming infected.
Is my device at risk?
As of now only systems running Windows are at risk.
Will antivirus protect me from Petya?
A good antivirus will prevent Petya from installing onto your machine. That is subject to change if the malware's code changes drastically. Good antivirus programs
Are Petya and WannaCry the same?
Both Petya and WannaCry use the ETERNALBLUE exploit. Both can infect enterprise servers and then move on to infect the entire local network.
Should I pay the ransom?
NO. As of yesterday there is no reason to pay the ransom: the email address that was being used to verify payment has been taken down by the email host Posteo. If your computer has been infected by the Petya ransomware, there is no way to confirm that your files would be recovered. It is never advisable to pay the ransom, as this only encourages further spread of ransomware.
How can Petya be stopped?
There is no known kill switch as of yet. There are a few ways however to prevent or possibly stop the encryption process.
If your computer begins an unexpected shutdown, abort the shutdown and keep the computer running. Petya must reboot the system in order to encrypt the hard drive.
A temporary "vaccine" has been pointed out by the tech site BleepingComputer. It involves creating a read-only file called "perfc" and placing it in the Windows directory. In some instances, if Petya finds that file it will not encrypt that machine; however, it will pass over the machine and still spread to other computers on the same network. There have been reports that this method does not work on machines running Windows 7, and newer versions of the Petya code may not include this check.
BleepingComputer has also created a tool that will create the "perfc" file for you. The file only needs to be downloaded and double clicked.
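The two mitigations described above (aborting a pending shutdown and creating the read-only "perfc" vaccine file in the Windows directory) can be done from an elevated PowerShell session. The script below is an added example written for this article; it is not BleepingComputer's tool and not code from the original article. It assumes it is run as Administrator on Windows, that the Windows directory is $env:windir (C:\Windows on a default install), and that the only file name involved is "perfc", as the article states. The Test-VaccineFile function reports whether the file exists and is read-only, so you can confirm the vaccine is in place rather than assume it.

```powershell
# Added example (not from the article or from BleepingComputer): defensive
# PowerShell covering the two mitigations the article describes.
# Assumptions: elevated (Administrator) session on Windows; the vaccine file
# name "perfc" and its location $env:windir are taken from the article.

function Stop-PendingShutdown {
    # Abort a shutdown or restart that has already been scheduled on this
    # machine. shutdown.exe /a cancels a pending shutdown started through
    # shutdown.exe; it returns a non-zero exit code if nothing is pending.
    & "$env:windir\System32\shutdown.exe" /a
    if ($LASTEXITCODE -eq 0) {
        Write-Output "Pending shutdown aborted."
    } else {
        Write-Output "No pending shutdown to abort (exit code $LASTEXITCODE)."
    }
}

function New-VaccineFile {
    param(
        [string]$Directory = $env:windir,   # C:\Windows on a default install
        [string[]]$Names = @('perfc')       # file name given in the article
    )
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (-not (Test-Path -LiteralPath $path)) {
            # Create an empty, zero-length file with that exact name.
            New-Item -ItemType File -Path $path | Out-Null
        }
        # Mark it read-only so a casual overwrite or delete fails.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-VaccineFile {
    param(
        [string]$Directory = $env:windir,
        [string[]]$Names = @('perfc')
    )
    # Return one object per expected file: does it exist, and is it read-only?
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path     = $path
            Exists   = [bool]$item
            ReadOnly = if ($item) { $item.IsReadOnly } else { $false }
        }
    }
}

# Usage: create the vaccine file, then verify it.
New-VaccineFile
Test-VaccineFile | Format-Table -AutoSize
```

Run Stop-PendingShutdown only if you see an unexpected shutdown or restart begin; it is harmless when nothing is pending. As the article notes, the vaccine file is a stopgap for the machine it sits on: it does not prevent the worm from spreading to other hosts on the network, and it is no substitute for patching.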
Source: Tom's Guide