petya-wannacry

The ransomware program infected computers around the world

In the afternoon of June 27, a virus-extortionist began to spread in Ukraine and Russia. Now it is spreading around the world. Petya blocks access to data and requires $ 300 in bitcoins for unlocking. The virus in various modifications is on the web since 2016. Also, it spreads, like many other malicious programs, through a spam email.

There are clear coincidences with the attack of WannaCry. At the same time, we can say about more complex attack possibilities. Besides, this is a demonstration of how cybercrime develops on a scale and, again, reminds enterprises of the importance of taking responsible cyber security actions.

Microsoft experts believe that the virus-extortioner Ransom: Win32 / Petya spread with accounting software in Ukraine, M.E.Doc.

The mechanism of the work of extortion viruses

The mechanism was described in details in April 2016 in the blog of Malwarebytes Labs. Then the virus was distributed as a letter with a resume of the employee. By clicking on it, they opened a Windows program that required administrator rights. If the inattentive user agreed, the installer rewrote the boot area of the hard drive and showed the “blue screen of death”: a failure message prompting you to restart the computer.

At this stage, as the researchers write, that they hadn’t encrypted the hard drive yet. So, you can save the data. For example, if you shut down your computer and connect the hard drive to another, but do not boot from it. In this situation, all data can will survive.

After the restart, Petya launches a program that masks as the CHKDSK utility. In fact, it does not check the hard drive for errors but encrypts it. As researchers from Malwarebytes Labs have established, not entirely, but only partially. The encryption method used in Petya allows the specialists to restore all the data with the help of specialists.

After the encryption is complete, the computer displays a red screen with the message “You became a victim of the Petya extortion virus” and an offer to pay $ 300 in Bitcoins. Detailed instructions how to buy the necessary amount of bitcoins on the site in the “dark web.”

According to the screenshots of the modern version of Petya, now there is no site and detailed instructions: the infected users write to the specified mailing address and in exchange for proving the transfer of funds to get the code for decrypting the hard drive.

Versions

Researchers note that part of Petya, responsible for blocking access, intercepts the management of the computer at the earliest stage of the download. Highly qualified programmers wrote it.

Since the beginning of 2016, Petya has repeatedly changed. There are versions with yellow screen design with the demand for money. There are also those where the name of the virus is not clear.

How exactly it works and spreads a new version of Petya, which users encountered on June 27, no one has any versions. Judging by the extent of infection, the virus has modifications and some more complex distribution system. Github already has a link to one of the bitcoins-purses, which collects money from virus-infected computers.

The simplest method of protecting against Petya and similar extortion viruses is not to click on attachments in suspicious letters from people you do not know.