What Is Petya Ransomware?

Petya ransomware is a family of particularly virulent malware that blocks access to computer systems until a victim pays a ransom. In contrast to other types of ransomware that encrypt individual files on hard drives and servers, Petya targets Microsoft Windows operating systems to encrypt the Master Boot Record (MBR) and Master File Table (MFT), preventing computers from booting.

While it’s not known exactly who is behind the Petya ransomware, analysts attribute the cyberattacks to cybercriminals seeking financial gain through ransom payments. Petya ransomware was originally detected in 2016.

In 2017, a new variant of Petya began to infect organizations around the world. Because it resembled Petya with a few significant differences, this new ransomware strain was dubbed NotPetya by cybersecurity experts. It used the same EternalBlue vulnerability seen previously in the WannaCry ransomware attack.

While NotPetya originally appeared to be ransomware, it was later discovered that this new variant functioned more as a wiper that encrypted files but offered no hope of recovery, since the links for payment in the ransom note were fake. Wiper malware is designed to destroy or corrupt data, not collect ransom.

Because the highly destructive NotPetya attacks originally targeted companies in Ukraine, security research analysts believe that the NotPetya strain may have been started by state-sponsored hackers with the approval of the Russian government.

The malware quickly spread across Europe, affecting organizations by exploiting vulnerabilities in outdated Windows systems. One of the most sophisticated NotPetya attacks was on the global shipping company Maersk.

NotPetya differed from Petya in its propagation techniques. NotPetya exploited Ukrainian companies through an update mechanism of MeDoc, or M.E.Doc accounting software. Additional propagation techniques included backdoors and the use of the Mimikatz tool used to steal a user’s Windows credentials. NotPetya also propagated by turning legitimate tools like PsExec and Windows Management Instrumentation (WMI) into Trojans.

Petya ransomware spreads principally through phishing emails that contain malicious attachments. These may include emails to Human Resources departments with fake job applications.

Petya ransomware replaces the MBR with malicious code that encrypts the hard drive’s file system. It then displays a ransom note after the system reboots, demanding a ransom payment in bitcoin in exchange for a decryption key.

Preventing ransomware like Petya and NotPetya requires IT and security teams to deploy multiple levels of anti-ransomware tools and cybersecurity defenses. These include:

• Updates and patches for operating systems and software: Regular updates and patches can help eliminate the vulnerabilities exploited by ransomware attacks. IT teams must especially pay attention to patches for vulnerabilities like EternalBlue and disable outdated protocols like SMBv1.
• Cybersecurity products: Technologies like firewalls, intrusion prevention systems (IPS), DNS and network filters, application allowlists, and Zero Trust solutions help to block threats and spot potentially suspicious activity.
• Antivirus and anti-malware: These solutions provide real-time protection against malware and exploits.
• Backups: Keeping backup copies of important files can help organizations recover more quickly after a Petya ransomware attack. In addition to frequent backups, IT teams must be sure to keep a copy of files in an offline backup to prevent infection by malware and ransomware.
• Training: Security awareness training educates employees on how to spot phishing attacks and on security habits that can help to avoid attacks like Petya ransomware.
• Email filtering: Scanning email for malware and malicious links, and blocking potential malicious attachments, can prevent Petya ransomware from reaching end users.
• Strong identity and access management: Adopting identity-centric defenses enables organizations with highly distributed IT environments to prevent unauthorized access by hackers seeking to spread malware and ransomware.

IT and security teams may remove Petya code in several steps.

• Isolation: IT teams must isolate infected systems from other parts of the network to prevent the infection from spreading.
• Identification: Correctly identifying the strain of ransomware is essential for determining the best way to eradicate the infection and to locate any potential decryption tools.
• Removal: IT teams can then deploy specialized tools to clean affected drives, remove exploit kits, and resolve any vulnerabilities that attackers may have used to reinstall the ransomware.
• Recovery: Affected files can be restored from a clean backup copy.
• Contact: Coordination with law enforcement officials can help to track down the cybercrime rings responsible for ransomware attacks.