Petya Cyber Attack: What Is It and How Can It Be Stopped?

Petya is the name given to the latest worldwide cyber attack that hit many countries in Europe, especially Ukraine and some parts of the United States. This malware attack crippled many companies and brought them to a standstill within a short period of time. The attack started on 27th of June, 2017 and infected computers within Ukraine at first before spreading quickly to computers in other parts of the world. Major companies that were hit included Maersk, DLA Piper, Mondelez and WPP along with many Ukrainian government organizations. Petya locked down computers running Windows operating system and demanded a ransom of about $300 as Bitcoin payment for unlocking them.

petya cyber attack

Part 1: What Is Ransomware?

Ransomware is a malware that is designed to encrypt files on a computer system and then asks for the payment of money usually in the form of digital payments such as Bitcoin for decrypting the files. If the ransom amount isn’t paid, all of the files on the computer that haven’t been backed up will be lost forever.

Part 2: How Does the Petya Ransomware Work??

Petya ransomware spreads using the EternalBlue exploit which is a vulnerability that is present in the Windows operating system. Moreover, it also makes use of two different Windows administrative tools as well for its propagation. Petya tries to infect the system utilizing the vulnerability first and if it fails in that attempt, then falls back to the administrative tools instead. This dual method of propagation makes Petya a more formidable ransomware than other ransomware to have surfaced around the world recently. After having infected one computer, the malware tries to spread through to other computers that are on the same network.

Upon infecting a system, Petya immediately reboots it and begins encrypting the files that are present on it. If the malware isn’t stopped, it completely locks down the system and makes all of the files inaccessible. Once this process is completed, a ransom note appears on the screen of users asking them to deposit an amount of $300 in the form of Bitcoin payments. There is a Bitcoin payment address provided to the victims in which they need to deposit the ransom amount. An email address is also provided to communicate with the perpetrators of the attack which is to be used for the delivery of the digital key for unlocking the encrypted files on the infected system after the ransom amount has been paid.

Part 3: How Can It Be stopped??

Petya can be stopped by downloading a patch released by Microsoft which protects the computers from the EternalBlue vulnerability. This patch is automatically downloaded and installed on computers that are using a registered version of Windows and have the automatic updates option enabled on them. For computers using an unregistered version, however, installation of this patch requires downloading it from the Microsoft website and then installing it manually. Moreover, anti-virus programs such as Symantec and Kaspersky have been updated to spot this malware and even protect the files from getting encrypted by it. Thus, installing an updated version of these anti-virus programs can also help you in stopping Petya from infecting your computer system.

In addition to the Windows patch and antivirus updates, another defensive measure that has been identified for this particular version of Petya is the presence of a read-only file by the name of C:\Windows\perfc.dat on the computer system. If this file is present on your computer, Petya won’t be able to encrypt the files on your system. However, do keep in mind that having this file won’t stop the malware from spreading to other computers that share the same network when your computer is on.

Part 4: What Should You Do If You Are Affected by the Ransomware??

If you happen to be a victim of this ransomware, your first action should be to power off your computer immediately. Petya starts the encryption process after rebooting the system under the guise of a chkdsk procedure. So, if you see a chkdsk operation running on your PC after a reboot, immediately powering it off would stop the malware from encrypting the files on your system.

If the ransomware displays the ransom note after the reboot, you should under no circumstance think about paying the ransom amount. The reason for this is that the email address that has been provided to you which is supposed to send you the digital key for unlocking your files has been suspended. So, you won’t be able to get it for decrypting your files. The only thing left for you to do in such a scenario is to stop the spread of the ransomware to other computers on the network. You can do this by disconnecting your PC from the internet and reinstalling all your files from backup after reformatting your hard drive.

Some preventive measures that can be taken to ward off ransomware attacks like Petya include regular backing up of your files as well as updating your anti-virus programs. Moreover, using a VPN when connected to a public Wi-Fi and refraining from opening suspicious email attachments are also some of the methods that can ensure protection from malicious malware like Petya.

According to security experts, the Petya ransomware is targeting the following Microsoft operating systems due to them having the EternalBlue vulnerability.

Part 5: Can You Recover back Your Files??

After attack by Petya, rebooting the machine can get your files back. However, it is not a foregone conclusion. There is a chance that rebooting the computer won’t recover your files and they will become encrypted by the malware. If you are faced with such a situation then the only way for you to recover back your files is to make use of a data recovery tool. The recovery software can scan your computer for any deleted or encrypted files and can help you in recovering them. However, do keep in mind that not all data recovery software programs are capable of recovering lost files. You should only make use of a genuine and authentic recovery tool for this purpose like Recoverit.

Petya cyber attack is a ransomware that infects computer systems running the Windows operating system via the EternalBlue vulnerability. It encrypts the files present on the infected systems and then spreads to other computers sharing the same network. This cyber attack managed to infect many large companies in countries like Ukraine, Germany, Russia and the United States. Downloading patches released by Microsoft and using updated versions of anti-virus programs like Kaspersky and Symantec. Switching off the computer upon infection can also help in stopping the malware from encrypting the files on the system.

Hot Articles
See MoreSee Less

Recoverit 8.0 has been released.

Home | Resources | Computer Problem | Petya Cyber Attack: What Is It and How Can It Be Stopped?