Petya Ransomware and Its Infection

Petya is a vicious strain of ransomware that locks a computer’s hard drive as well as the individual data files stored on it. The widespread attack affected global and national organisations including the Ukrainian National Bank, the British advertising firm WPP and the logistics company Maersk.

What is Petya?

Petya is more than typical ransomware; one could call it an upgraded version of WannaCry.
It has existed since 2016. Typical ransomware only encrypts data files, but Petya doesn’t just encrypt files: it also overwrites and encrypts the master boot record (MBR).

You can see in this image how the attackers demand $300 in bitcoin to recover files affected by Petya ransomware.

[Image: Petya ransomware note]
Credit: Setupactivate

How does Petya spread and infect computers?

The MEDoc accounting software is used to drop and install Petya into organizations’ networks. Once inside a network, it uses two methods to spread.

One way Petya propagates is by exploiting the MS17-010 vulnerability, also known as EternalBlue. It also spreads by harvesting user names and passwords and using them to reach other machines over network shares.
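Because the first of these two methods depends on SMBv1 and the MS17-010 patch state, a defender's first question is whether a given host is still exposed to it. The following read-only audit is an added example, not code from the original post or from any vendor; it assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or later, and the KB list is the March 2017 MS17-010 security-only updates (illustrative, not exhaustive).

```powershell
# Added example (not from the original post): read-only audit of one Windows host's
# exposure to the MS17-010 / EternalBlue SMBv1 vector that Petya uses to spread.
# Assumptions: elevated PowerShell on Windows 8.1 / Server 2012 R2 or later
# (needed for Get-SmbServerConfiguration and Get-NetTCPConnection).
function Test-Ms17010Exposure {
    [CmdletBinding()]
    param(
        # MS17-010 security-only updates (Win7/2008R2, 8.1/2012R2, 2012, XP/2003/Vista/2008).
        # Illustrative list; later cumulative rollups supersede these and do not list them.
        [string[]]$Ms17010Kbs = @('KB4012212', 'KB4012213', 'KB4012214', 'KB4012598')
    )

    # 1. Is the SMBv1 server protocol enabled? EternalBlue requires SMBv1 on TCP/445.
    $smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # 2. Is one of the MS17-010 patches visible in the installed hotfix list?
    #    "Not found" alone does not prove exposure if a newer rollup is installed.
    $installedKb = Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID -First 1

    # 3. Record the SMB server driver version for comparison against the MS17-010 bulletin.
    $srvPath = Join-Path $env:SystemRoot 'System32\drivers\srv.sys'
    $srvVersion = if (Test-Path $srvPath) {
        (Get-Item $srvPath).VersionInfo.FileVersion
    } else { 'n/a' }

    # 4. Is anything listening on TCP/445 on this host (the port the worm targets)?
    $listening445 = $null -ne (Get-NetTCPConnection -LocalPort 445 -State Listen `
        -ErrorAction SilentlyContinue)

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Smb1Enabled   = $smb1Enabled
        Ms17010Patch  = if ($installedKb) { $installedKb } else { 'not listed (may be superseded)' }
        SrvSysVersion = $srvVersion
        Port445Listen = $listening445
        # Flag as likely exposed only when SMBv1 is on AND no MS17-010 KB is visible;
        # treat that as "verify", since the fix may be inside a newer rollup.
        LikelyExposed = ($smb1Enabled -and -not $installedKb)
    }
}

# Usage, followed by the mitigation Microsoft recommended for the EternalBlue vector:
Test-Ms17010Exposure | Format-List
# Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force   # disable the SMBv1 server
```

Run it across a fleet (for example via Invoke-Command) and sort on LikelyExposed to prioritise patching; the second spread method, credential reuse over network shares, is not covered by this check and needs separate attention to local administrator password hygiene.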

Who is impacted?

Petya is primarily impacting organizations in Europe.

How does it differ from WannaCry?

Security experts said the malware could have spread in a similar way to the WannaCry attack, which hit hundreds of thousands of computers, including the NHS, earlier this year. Like WannaCry, Petya could have used Eternal Blue, a tool created by the National Security Agency and leaked online by the Shadow Brokers that exploits a flaw in Microsoft’s software.

Is this a targeted attack?

It’s unclear at this time; however, the initial infection vector is software used solely in Ukraine, indicating that organizations there were the initial targets.

Am I protected from the Petya Ransomware?

Symantec Endpoint Protection (SEP) and Norton products proactively protect customers against attempts to spread Petya using Eternal Blue. SONAR behavior detection technology also proactively protects against Petya infections.

Symantec products using definitions version 20170627.009 also detect Petya components as Ransom.Petya.

Should I pay the ransom?

We recommend that users do not pay the ransom, particularly as there is no evidence that files will be restored.