The Petya virus: the ransomware in Russia and Ukraine, the Notepad stop file, and which countries suffered the most

Almost every user has an anti-virus program on their computer, but sometimes a Trojan or virus appears that can bypass even the best protection, infect your device and, worse, encrypt your data. This time that virus is the ransomware Trojan “Petya”. The rate at which this threat spread is very impressive: in a couple of days it managed to “visit” Russia, Ukraine, Israel, Australia, the USA, all the major European countries and more. It mainly affected corporate users (airports, power plants, the tourism industry), but ordinary people were hit as well. In its scale and methods it is extremely similar to the recently sensational WannaCry.

You certainly need to protect your computer so as not to become a victim of the new ransomware Trojan “Petya”. In this article I will explain what the “Petya” virus is, how it spreads, and how to protect yourself from this threat. We will also touch on removing the Trojan and decrypting the information.

What is the Petya virus?

First, we should understand what Petya is. The Petya virus is malicious software of the ransomware Trojan type. Such viruses are designed to blackmail the owners of infected devices into paying a ransom for their encrypted data. Unlike Wanna Cry, Petya does not bother encrypting individual files: it almost instantly “takes away” the entire hard drive.

The correct name of the new virus is Petya.A. Additionally, Kaspersky calls it NotPetya/ExPetr.

Description of the Petya virus

After getting onto a computer running Windows, Petya almost instantly encrypts the MFT (Master File Table, the file system’s main table of files). What is this table responsible for?

Imagine that your hard drive is the largest library in the entire universe. It contains billions of books. So how do you find the right book? Only through the library catalogue. It is this catalogue that Petya destroys. Thus, you lose any possibility of finding any “file” on your PC. To be even more precise, after Petya’s “work”, your computer’s hard drive will resemble a library after a tornado, with scraps of books flying everywhere.

Thus, unlike Wanna Cry, which I mentioned at the beginning of the article, Petya.A does not encrypt separate files, which would take an impressive amount of time; it simply takes away any opportunity for you to find them.

After all its manipulations, it demands a ransom from the user: 300 US dollars, which must be transferred to a Bitcoin account.

Who created the Petya virus?

The Petya virus uses an exploit called “EternalBlue” for a vulnerability (“hole”) in the Windows operating system. Microsoft released a patch that “closes” this hole several months ago, but not everyone uses a licensed copy of Windows and installs all system updates, right?

The creator of “Petya” was able to exploit the carelessness of corporate and private users and make money from it. His identity is still unknown (and is unlikely to become known).

How does the Petya virus spread?

The Petya virus most often spreads under the guise of email attachments and in archives of pirated, infected software. The attachment can appear to be absolutely any file, including a photo or an mp3 (at first glance). After you run the file, your computer reboots and the virus simulates a CHKDSK disk check while it modifies your computer’s master boot record (MBR). After this, a red skull appears on your screen. Pressing any key brings up a text asking you to pay for decrypting your files by transferring the required amount to a bitcoin wallet.

How to protect yourself from the Petya virus?

  • The most important and basic thing is to make it a rule to install updates for your operating system! This is incredibly important. Do it right now; don’t put it off.
  • Pay special attention to all attachments to emails, even if the emails come from people you know. During an epidemic it is better to use alternative ways of transferring data.
  • Enable the “Show file extensions” option in the OS settings so that you can always see a file’s true extension.
  • Enable “User Account Control” in the Windows settings.
  • Install an antivirus to avoid infection. Start by installing the OS update, then install an antivirus, and you will be much safer than before.
  • Be sure to make “backups”: save all important data to an external hard drive or to the cloud. Then, if the Petya virus gets into your PC and encrypts all your data, it will be easy for you to format the hard drive and reinstall the OS.
  • Always keep your antivirus’s signature databases up to date. All good antiviruses monitor threats and respond to them promptly by updating their threat signatures.
  • Install the free Kaspersky Anti-Ransomware utility. It will protect you from ransomware viruses. Installing this software does not relieve you of the need to install an antivirus.

How to remove Petya virus?

How to remove the Petya.A virus from your hard drive? This is an extremely interesting question. The fact is that if the virus has already blocked your data, there is actually nothing left to delete. If you do not plan to pay the ransom (which you should not do) and will not try to recover the data on the disk in the future, you can simply format the disk and reinstall the OS. After this, no trace of the virus will remain.

If you suspect that there is an infected file on your disk, scan it with an antivirus, or install Kaspersky Anti-Virus and run a full system scan. The developer has assured that its signature database already contains information about this virus.

Petya.A decryptor

Petya.A encrypts your data with a very strong algorithm. At the moment there is no solution for decrypting the blocked information. Moreover, you should not try to recover the data yourself at home.

Undoubtedly, we would all dream of getting the miraculous decryptor Petya.A, but there is simply no such solution. The virus hit the world several months ago, but a cure for decrypting the data it encrypted has never been found.

Therefore, if you have not yet become a victim of the Petya virus, listen to the advice I gave at the beginning of the article. If you do lose control of your data, then you have several options.

  • Pay the money. There is no point in doing this! Experts have already established that the creator of the virus does not restore the data, and cannot restore it given the encryption technique.
  • Remove the hard drive from your device, put it away carefully in a cupboard and wait for a decryptor to appear. By the way, Kaspersky Lab is constantly working in this direction. Available decryptors are published on the No Ransom website.
  • Format the disk and reinstall the operating system. Downside: all data will be lost.

Petya.A virus in Russia

In Russia and Ukraine, over 80 companies were attacked and infected at the time of writing, including such large ones as Bashneft and Rosneft. Infection of the infrastructure of such large companies indicates the seriousness of the Petya.A virus. There is no doubt that the ransomware Trojan will continue to spread throughout Russia, so you should take care of the security of your data and follow the advice given in the article.

Petya.A and Android, iOS, Mac, Linux

Many users are worried about whether the Petya virus can infect their Android and iOS devices. I hasten to reassure them: no, it can’t. It is intended for Windows users only. The same applies to fans of Linux and Mac: you can sleep peacefully, nothing threatens you.

Conclusion

So, today we discussed in detail the new Petya.A virus. We understood what this Trojan is and how it works, we learned how to protect ourselves from infection and remove the virus, and where to get the Petya decryptor. I hope that the article and my tips were useful to you.

July 18, 2017

Answers to the most important questions about the Petna ransomware virus (NotPetya, ExPetr), a Petya-based ransomware that has infected many computers around the world.

This month we witnessed another massive ransomware attack, just weeks after WannaCry. Within a few days, this modification of the ransomware received many different names, including Petya (the name of the original virus), NotPetya, EternalPetya, Nyetya and others. We initially called it the “Petya family virus”, but for convenience we will simply call it Petna.

There are a lot of ambiguities around Petna, even beyond its name. Is this the same ransomware as Petya, or a different version? Should Petna be considered a ransomware that demands a ransom or a virus that simply destroys data? Let us clarify some aspects of the past attack.

Is Petna still spreading?

Peak activity was a few days ago. The spread of the virus began on the morning of June 27. On the same day its activity reached its highest level, with thousands of attempted attacks occurring every hour. After that, their intensity decreased significantly during the same day, and only a small number of infections were observed subsequently.

Is this attack comparable to WannaCry?

No, judging by our user base. We observed approximately 20,000 attempted attacks worldwide, which is dwarfed by the 1.5 million WannaCry attacks we thwarted.

Which countries have suffered the most?

Our telemetry data shows that the main impact of the virus was in Ukraine, where more than 90% of attempted attacks were detected. Russia, the USA, Lithuania, Belarus, Belgium and Brazil were also affected. In each of these countries, from several dozen to several hundred infection attempts were noted.

Which operating systems have been infected?

The largest number of attacks was recorded on devices running Windows 7 (78%) and Windows XP (14%). The number of attacks on more modern systems was significantly lower.

How did the Petna virus get onto your PC?

Having analyzed the development paths of the cyber epidemic, we discovered the primary vector of infection, which is associated with the update of the Ukrainian accounting software M.E.Doc. This is why Ukraine suffered so seriously.

A bitter paradox: for security reasons, users are always advised to update their software, but in this case, the virus began to spread on a large scale precisely with the update of the software released by M.E.Doc.

Why were computers outside of Ukraine also affected?

One reason is that some of the affected companies have Ukrainian subsidiaries. Once the virus infects a computer, it spreads throughout the network. This is how it reached computers in other countries. We continue to investigate other possible infection vectors.

What happens after infection?

Once a device is infected, Petna attempts to encrypt files with certain extensions. The list of target files is not so large compared to the lists of the original Petya virus and other ransomware, but it includes extensions of photos, documents, source codes, databases, disk images, and others. In addition, this software not only encrypts files, but also spreads like a worm to other devices connected to the local network.

To do so, the virus uses three different distribution methods: the EternalBlue (known from WannaCry) and EternalRomance exploits; Windows network shares, using credentials stolen from the victim (with utilities like Mimikatz, which can extract passwords); and legitimate tools such as PsExec and WMIC.

After encrypting files and spreading over the network, the virus tries to break the Windows boot process (by modifying the master boot record, MBR), and after a forced reboot it encrypts the master file table (MFT) of the system disk. This prevents Windows from loading and makes the computer impossible to use.

Can Petna infect my computer with all security updates installed?

Yes, this is possible because of the lateral spread of the malware described above. Even if a specific device is protected from both EternalBlue and EternalRomance, it can still be infected via the third method.

Is this Petya, WannaCry 2.0 or something else?

The Petna virus is definitely based on the original Petya ransomware. For example, the part responsible for encrypting the master file table is almost identical to the previously encountered threat. However, it is not completely identical to older versions of the ransomware. It is believed that the virus was modified by a third party rather than by the original author, known as Janus, who also commented on the matter on Twitter and later published the master decryption key for all previous versions of the program.

The main similarity between Petna and WannaCry is that they used the EternalBlue exploit to spread.

Is it true that the virus does not encrypt anything, but simply destroys data on disks?

It is not true. This malware only encrypts files and the master file table (MFT). Another question is whether these files can be decrypted.

Is there a free decryption tool available?

Unfortunately no. The virus uses a fairly powerful encryption algorithm that cannot be overcome. It encrypts not only the files, but also the master file table (MFT), which makes the decryption process very difficult.

Is it worth paying the ransom?

No! We never recommend paying a ransom, as this only supports the criminals and encourages them to continue such activities. Moreover, it is likely that you will not get your data back even if you pay. In this case, that is more obvious than ever before. Here is why.

  • The email address given in the ransom note, to which victims were asked to send proof of payment, was shut down by the email provider shortly after the attack. Therefore the creators of the ransomware cannot find out who paid and who did not.
  • Decryption of the MFT is impossible in principle, since the key is lost after the ransomware encrypts it. In previous versions of the virus this key was stored in the victim identifier, but in the latest modification it is just a random string.
  • In addition, the encryption applied to the files is very chaotic. How

You may already be aware of the hacker threat recorded on June 27, 2017 in Russia and Ukraine, which were subjected to a large-scale attack similar to WannaCry. The virus locks computers and demands a ransom in bitcoins for decrypting files. In total, more than 80 companies in the two countries were affected, including Russia’s Rosneft and Bashneft.

The ransomware virus, like the infamous WannaCry, blocks all the data on the computer and demands that a ransom in bitcoins equivalent to $300 be transferred to the criminals. But unlike Wanna Cry, Petya doesn’t bother with encrypting individual files: it almost instantly “takes away” your entire hard disk.

The correct name of this virus is Petya.A. An ESET report reveals some of the capabilities of Diskcoder.C (also known as ExPetr, PetrWrap, Petya or NotPetya).

According to statistics from the victims, the virus was distributed in phishing emails with infected attachments. Usually the letter asks you to open a text document, and, as we know, the second extension in a name ending in txt.exe is hidden, while it is the last extension that determines how the file is treated. By default, the Windows operating system does not display file extensions. To show them:

In Windows 8.1: in the Explorer window, View > Folder Options > uncheck “Hide extensions for known file types”.

In Windows 7: in the Explorer window, press Alt, then Tools > Folder Options > uncheck “Hide extensions for known file types”.
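As an added example (not from the original article), the same setting can be applied from PowerShell instead of through the Folder Options dialog, and the "hidden second extension" trick above can be checked for in a folder of saved attachments. The registry value is the one Explorer reads; the extension lists and the Downloads path are assumptions for illustration.

```powershell
# Added example, not code from the original article.
# Assumes Windows PowerShell 5.1 or later running as the affected user.

# 1. Make Explorer show extensions for known file types (per-user setting).
#    Explorer re-reads this value when it restarts (log off/on or restart explorer.exe).
$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $advanced -Name HideFileExt -Value 0 -Type DWord

# 2. Flag files whose real (last) extension is executable but whose name carries a
#    decoy document/media extension before it, e.g. "report.txt.exe" shown as "report.txt".
#    Both lists are illustrative assumptions, not an exhaustive catalogue.
$executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd', '.js', '.vbs', '.hta')
$decoy      = @('.txt', '.doc', '.docx', '.pdf', '.jpg', '.png', '.mp3', '.xls', '.xlsx')

function Find-DoubleExtension {
    param([Parameter(Mandatory)][string]$Folder)
    Get-ChildItem -Path $Folder -File -Recurse | ForEach-Object {
        $realExt  = $_.Extension.ToLower()                               # ".exe"
        $baseName = $_.BaseName                                          # "report.txt"
        $decoyExt = [System.IO.Path]::GetExtension($baseName).ToLower()  # ".txt"
        if ($executable -contains $realExt -and $decoy -contains $decoyExt) {
            [pscustomobject]@{
                Path     = $_.FullName
                ShownAs  = $baseName      # what Explorer displays with extensions hidden
                RealType = $realExt
            }
        }
    }
}

# Placeholder folder: point this at wherever mail attachments are saved.
Find-DoubleExtension -Folder "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```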

And the worst thing is that users are not even bothered by the fact that letters come from unknown users and ask them to open incomprehensible files.

After opening the file, the user sees a “blue screen of death”.

After the reboot, it looks like the “Scan Disk” is launched; in fact, the virus encrypts the files.

Unlike other ransomware, once this virus runs it immediately restarts your computer, and when it boots up again a message appears on the screen: “DO NOT TURN OFF YOUR PC! IF YOU STOP THIS PROCESS, YOU MAY DESTROY ALL YOUR DATA! PLEASE MAKE SURE YOUR COMPUTER IS CONNECTED TO CHARGER!” Although it may look like a system error, in fact Petya is silently performing encryption in stealth mode. If the user tries to reboot the system or stop the file encryption, a flashing red skeleton appears on the screen along with the text “PRESS ANY KEY!” Finally, after pressing a key, a new window appears with a ransom note. In this note the victim is asked to pay 0.9 bitcoins, which is approximately $400. However, this price is for only one computer, so for companies with many computers the amount can run into the thousands. What also makes this ransomware different is that it gives you a full week to pay the ransom, instead of the usual 12-72 hours that other viruses in this category give.

Moreover, the problems with Petya do not end there. Once this virus enters the system, it tries to overwrite the Windows boot files, the so-called Master Boot Record, which is needed to boot the operating system. You will not be able to remove the Petya virus from your computer unless you restore the Master Boot Record (MBR). Even if you manage to repair the MBR and remove the virus from your system, unfortunately your files will remain encrypted, because virus removal does not decrypt the files, it only removes the infectious files. Of course, removing the virus is still important if you want to continue working with your computer.

Once on your Windows computer, Petya almost instantly encrypts the MFT (Master File Table). What is this table responsible for?

Imagine that your hard drive is the largest library in the entire universe. It contains billions of books. So how do you find the right book? Only through the library catalogue. It is this catalog that Petya destroys. Thus, you lose any possibility of finding any “file” on your PC. To be even more precise, after Petya “works”, your computer’s hard drive will resemble a library after a tornado, with scraps of books flying everywhere.

Thus, unlike Wanna Cry, Petya.A does not encrypt individual files, spending a significant amount of time on this - it simply takes away any opportunity for you to find them.

Who created the Petya virus?

The Petya virus uses an exploit called “EternalBlue” for a vulnerability (“hole”) in the Windows OS. Microsoft has released the patch KB4012598 (we already discussed this update in the earlier lessons on WannaCry), which “closes” this hole.
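The following check is an added example, not part of the original article: it reports whether the update named above is present and whether the SMBv1 protocol that EternalBlue targets is still enabled. It assumes an elevated Windows PowerShell session on Windows 8 / Server 2012 or later; other Windows versions received the same fix under different KB numbers, so a missing KB4012598 alone does not prove a system is unpatched.

```powershell
# Added example, not code from the original article.
# Run in an elevated (Administrator) PowerShell session.

function Test-EternalBlueExposure {
    $result = [ordered]@{}

    # Installed hotfixes; the KB id is the one the article names.
    # Absence is only a hint: other OS versions carry the fix under other KB ids.
    $kb = Get-HotFix -Id 'KB4012598' -ErrorAction SilentlyContinue
    $result.KB4012598Installed = [bool]$kb

    # Server-side SMBv1 setting (cmdlet exists on Windows 8 / Server 2012 and later).
    $smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($smb) { $result.SMB1Enabled = $smb.EnableSMB1Protocol }
    else      { $result.SMB1Enabled = 'unknown (cmdlet not available on this OS)' }

    [pscustomobject]$result
}

$status = Test-EternalBlueExposure
$status | Format-List

# Mitigation: disable SMBv1 unless a legacy device genuinely needs it.
# (Patching is still required; this only removes the protocol EternalBlue rides on.)
if ($status.SMB1Enabled -eq $true) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
```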

The creator of Petya was able to exploit the carelessness of corporate and private users and make money from it. His identity is still unknown (and is unlikely to become known).

How to remove Petya virus?

How to remove the Petya.A virus from your hard drive? This is an extremely interesting question. The fact is that if the virus has already blocked your data, there is actually nothing left to delete. If you do not plan to pay the ransom (which you should not do) and will not try to recover the data on the disk in the future, you can simply format the disk and reinstall the OS. After this, no trace of the virus will remain.

If you suspect that there is an infected file on your disk, scan it with ESET NOD32 Antivirus and run a full system scan. ESET has assured that its signature database already contains information about this virus.

Petya.A decryptor

Petya.A encrypts your data with a very strong encryption algorithm. There is currently no solution to decrypt blocked information.

Undoubtedly, we would all dream of getting the miraculous decryptor Petya.A, but there is simply no such solution. The WannaCry virus hit the world a few months ago, but a cure for decrypting the data it encrypted has never been found.

The only option is if you previously had shadow copies of the files.

Therefore, if you have not yet become a victim of the Petya.A virus, update your OS and install ESET NOD32 Antivirus. If you still lose control of your data, you have several options.

  • Pay the money. There is no point in doing this! Experts have already established that the creator of the virus does not restore the data, and cannot restore it given the encryption technique.
  • Try to remove the virus from your computer and restore your files from a shadow copy (the virus does not affect them).
  • Remove the hard drive from your device, put it away carefully in a cupboard and wait for a decryptor to appear.
  • Format the disk and reinstall the operating system. Downside: all data will be lost.

Petya.A and Android, iOS, Mac, Linux

Many users are worried about whether the Petya virus can infect their Android and iOS devices. I’ll hasten to reassure them - no, it can’t. It is intended for Windows OS users only. The same applies to fans of Linux and Mac - you can sleep peacefully, nothing threatens you.

The attack of the Petya virus came as an unpleasant surprise to residents of many countries. Thousands of computers were infected, causing users to lose important data stored on their hard drives.

Of course, now the hype around this incident has subsided, but no one can guarantee that this will not happen again. That is why it is very important to protect your computer from possible threats and not take unnecessary risks. How to do this most effectively will be discussed below.

Consequences of the attack

To begin with, we should remember what consequences Petya.A’s short-lived activity led to. In just a few hours, dozens of Ukrainian and Russian companies were affected. In Ukraine, by the way, the work of the computer departments of such institutions as “Dneprenergo”, “Nova Poshta” and “Kyiv Metro” was disrupted. Moreover, some government organizations, banks and mobile operators were not protected from the Petya virus either.

In the countries of the European Union, the ransomware also managed to cause a lot of trouble. French, Danish, English and international companies have reported temporary disruptions due to the Petya computer virus attack.

As you can see, the threat is really serious. And even though the attackers chose large financial organizations as their victims, ordinary users suffered no less.

How does Petya work?

To understand how to protect yourself from the Petya virus, you first need to understand how it works. Once on the computer, the malicious program downloads a special ransomware component from the Internet, which infects the Master Boot Record. This is a separate area on the hard drive, hidden from the user and intended for loading the operating system.

For the user, this process looks like the standard operation of the Check Disk program after a sudden system crash. The computer suddenly reboots, and a message appears on the screen about checking the hard disk for errors and asking you not to turn off the power.

As soon as this process comes to an end, a screensaver appears with information about the computer being blocked. The creator of the Petya virus requires the user to pay a ransom of $300 (more than 17.5 thousand rubles), promising in return to send the key necessary to resume the operation of the PC.

Prevention

It is logical that it is much easier to prevent infection by the “Petya” computer virus than to deal with its consequences later. To secure your PC:

  • Always install the latest updates for your operating system. The same, in principle, applies to all software installed on your PC. By the way, “Petya” cannot harm computers running macOS and Linux.
  • Use the latest version of your antivirus and do not forget to update its database. Yes, the advice is banal, but not everyone follows it.
  • Do not open suspicious files sent to you by email. Also, always check apps downloaded from dubious sources.
  • Regularly back up important documents and files. It is best to store them on a separate medium or in the “cloud” (Google Drive, Yandex.Disk, etc.). Thanks to this, even if something happens to your computer, valuable information will not be damaged.

Creating a stop file

Leading antivirus developers have found out how to stop the Petya virus. More precisely, thanks to their research they understood that at the initial stages of infection the ransomware looks for a particular local file on the computer. If it finds it, the virus stops working and does not harm the PC.

Simply put, you can manually create a kind of stop file and thus protect your computer. For this:

  • Open the Folder Options settings and uncheck “Hide extensions for known file types”.
  • Create a new file using Notepad and place it in the C:\Windows directory.
  • Rename the created document to “perfc”. Then open its properties and enable the Read Only option.
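The same stop file can be created from an elevated PowerShell prompt. This is an added example, not code from the original article; it follows the steps above, and the names perfc.dat and perfc.dll are an addition beyond the article (publicly reported vaccine scripts created those alongside perfc).

```powershell
# Added example, not code from the original article.
# Run as Administrator: C:\Windows is not writable by a standard user.

function New-PetyaStopFile {
    # The article names only "perfc"; the other two names are a commonly reported
    # extension of the same idea and are included as an assumption.
    param([string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll'))

    foreach ($name in $Names) {
        $path = Join-Path $env:SystemRoot $name   # $env:SystemRoot is normally C:\Windows
        if (-not (Test-Path -LiteralPath $path)) {
            # An empty file is enough: the check described above only looks for the name.
            New-Item -Path $path -ItemType File | Out-Null
        }
        # Read-only, as the article recommends, so the file is not casually overwritten.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        Get-Item -LiteralPath $path | Select-Object FullName, IsReadOnly, Length
    }
}

New-PetyaStopFile
```

As the article notes right after these steps, a modified sample may not perform this check, so treat the stop file as a supplement to patching and backups, not a replacement.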

Now the Petya virus, once on your computer, will not be able to harm it. But keep in mind that the attackers may modify their malware in the future, and the stop-file method will then become ineffective.

If infection has already occurred

When the computer reboots on its own and Check Disk starts, the virus just begins to encrypt files. In this case, you can still have time to save your data by following these steps:

  • Immediately turn off the power to the PC. This is the only way to stop the virus from going further.
  • Next, connect the hard drive to another PC (not as a boot drive!) and copy the important information from it.
  • After that, completely format the infected hard drive. Naturally, you will then have to reinstall the operating system and other software on it.

Alternatively, you can try using a special boot disk to clean the Petya virus. Kaspersky Lab, for example, provides Kaspersky Rescue Disk for this purpose, which bypasses the installed operating system.

Is it worth paying the extortionists?

As mentioned earlier, the creators of Petya are demanding a ransom of $300 from users whose computers were infected. According to the extortionists, after paying the specified amount, victims will be sent a key that will eliminate the blocking of information.

The problem is that a user who wants to return his computer to normal needs to write to the attackers by email. However, all the ransomware’s email addresses are quickly blocked by the relevant services, so it is simply impossible to contact them.

Moreover, many leading anti-virus software developers are confident that it is completely impossible to unlock a computer infected by Petya using any code.

As you probably understand, you shouldn’t pay extortionists. Otherwise, you will not only be left with a non-working PC, but also lose a large amount of money.

Will there be new attacks?

The Petya virus was first discovered back in March 2016. Then security specialists quickly noticed the threat and prevented its mass spread. But already at the end of June 2017, the attack repeated again, which led to very serious consequences.

It is unlikely that everything will end there. Ransomware attacks are not uncommon, so it is important to keep your computer protected at all times. The problem is that no one can predict in what format the next infection will occur. Be that as it may, it is always worth following the simple recommendations given in this article in order to reduce risks to a minimum.

Virus “Petya”: how not to catch it, how to decrypt it, where it came from. The latest news about the Petya ransomware virus, which by the third day of its “activity” had infected about 300 thousand computers in different countries of the world, and so far no one has stopped it.

Petya virus: how to decrypt, latest news. After an attack on a computer, the creators of the Petya ransomware demand a ransom of $300 (in bitcoins), but there is no way to decrypt the Petya virus even if the user pays. Kaspersky Lab specialists, who saw differences between the new virus and Petya and named it ExPetr, say that decryption requires a unique identifier for the specific Trojan installation.

In previously known versions of similar encryptors (Petya/Mischa/GoldenEye), the installation identifier contained the information necessary for this. In the case of ExPetr, this identifier does not exist, writes RIA Novosti.

The “Petya” virus: where it came from, the latest news. German security experts have put forward the first version of where this ransomware came from. In their opinion, the Petya virus began to spread through computers when M.E.Doc files were opened. This is an accounting program used in Ukraine after the ban on 1C.

Meanwhile, Kaspersky Lab says that it is too early to draw conclusions about the origin and source of spread of the ExPetr virus. It is possible that the attackers had extensive data, for example email addresses from a previous mailing, or other effective ways of penetrating computers.

With their help, the “Petya” virus hit Ukraine and Russia, as well as other countries, with its full force. But the real scale of this hacker attack will become clear in a few days, reports.

“Petya” virus: how not to catch it, how to decrypt it, where it came from. The latest news about the Petya ransomware virus, which has already received a new name from Kaspersky Lab: ExPetr.