Petya virus: everything you need to know. The new Petya virus disguises itself as a résumé aimed at HR staff.

This conclusion was reached by two companies at once: Comae Technologies and Kaspersky Lab.

The original Petya malware, discovered in 2016, was a money-making machine. This sample is plainly not meant to earn money: it is built to spread quickly and do damage, and merely disguises itself as ransomware.

NotPetya is not a wiper in the classic sense of the word. It does not delete data; it renders it unusable by encrypting it and then throwing away any means of recovering the decryption key.

Juan Andres Guerrero-Saade, a senior researcher at Kaspersky Lab, commented on the situation:

In my book, a ransomware infection without a possible decryption mechanism is equivalent to a disk wipe. By ignoring a viable decryption mechanism, the attackers have shown complete disregard for long-term monetary gain.

The author of the original Petya ransomware tweeted that he had nothing to do with the development of NotPetya. He is the second cybercriminal to deny involvement in a new, similar threat: earlier, the author of the AES-NI ransomware stated that he had nothing to do with XData, which was also used in targeted attacks on Ukraine. Moreover, XData used the same distribution vector as NotPetya: the update servers of a Ukrainian accounting-software vendor.

Many circumstantial indications support the theory that someone is taking known ransomware and using modified versions of it to attack Ukrainian users.

Are destructive modules disguised as ransomware already a common practice?

Similar cases have occurred before. Using malicious modules to permanently damage files under the guise of ordinary ransomware is far from a new tactic; it is becoming a trend.

Last year, the Shamoon and KillDisk malware families included "ransomware components" and used similar techniques to destroy data. Now even malware aimed at industrial systems is acquiring disk-wiping features.

Classifying NotPetya as a data-destruction tool comes close to elevating the malware to a cyberweapon, and in that case the consequences of the threat have to be assessed from a different perspective.

Considering the starting point of the infection and the number of victims, it is obvious that Ukraine was the target of the attack. At the moment there is no hard evidence pointing at the attacker, but Ukrainian officials have already blamed Russia, which they have also blamed for past cyber incidents going back to 2014.

NotPetya could be put on a par with the well-known Stuxnet and BlackEnergy malware families, which were used for political purposes and destructive effect. The evidence clearly shows that NotPetya is a cyberweapon rather than just a very aggressive kind of ransomware.

Good afternoon, friends. Not long ago we analysed the WannaCry ransomware, which spread to many countries in a matter of hours and infected a great many computers. At the end of June a new, similar virus appeared: "Petya", as it is most often called (also written Petya.A or NotPetya).

Both belong to the ransomware Trojans and are quite similar, although they also have significant differences. According to official data, "Petya" first infected a large number of computers in Ukraine and then began its journey around the world.

Computers in Israel, Serbia, Romania, Italy, Hungary, Poland and other countries were affected; Russia is 14th on this list. The virus then spread to other continents.

The main victims were large companies (quite often oil companies), airports, mobile operators and so on; Bashneft, Rosneft, Mars and Nestlé were among those hit. In other words, the attackers' targets are large companies that have money to take.

What is "Petya"?

Petya is a ransomware Trojan. Such pests are created to blackmail the owners of infected computers by encrypting the information on the PC. Unlike WannaCry, which goes file by file, Petya goes after the disk as a whole: it encrypts the structures the file system needs to find anything at all. That is what makes it more dangerous than WannaCry.

Once on a computer, Petya very quickly encrypts the MFT (Master File Table), the NTFS structure that records where every file lives. To make this clearer, an analogy: if the files are the books in a large city library, Petya removes the catalogue, and finding the right book becomes very hard.

And not just the catalogue: it is as if pages (files) from different books were shuffled together, so the system can no longer make sense of the mess. As soon as the pest gets in, it reboots the PC; after the reboot a red skull appears, and pressing any key brings up a banner demanding $300 in bitcoin.

Virus Petya how not to Catch

Who created Petya? There is no answer yet, and it is unclear whether the author will ever be identified (most likely not). What is known is that the leaked exploit it relies on came from the United States. Like WannaCry, the virus looks for a hole in the operating system; to close it, install the MS17-010 update (released by Microsoft in March 2017, two months before the WannaCry outbreak). It is available from the official Microsoft website.

At the moment, this update is the best way to protect your computer. Don't forget a good antivirus either: Kaspersky Lab has stated that its database update blocks this virus.

That does not mean you have to install Kaspersky. Use your own antivirus, but keep its databases updated, and don't forget a good firewall.

How the Petya virus spreads


Early reports said Petya arrives by email. Later analysis, described further down this page, traced the start of the outbreak to a poisoned update of Ukrainian accounting software, after which the malware spreads across the local network on its own. Either way, while the Petya outbreak is running, do not open links in letters, especially from strangers; in general, make it a rule never to open links from people you do not know. That protects you not only from this virus but from many others.

Once on the computer, the Trojan reboots the machine and shows a fake CHKDSK (disk check) screen while it does its work. Then, as mentioned, the red skull appears, followed by a banner offering to decrypt the files in exchange for three hundred dollars sent to a bitcoin wallet.

Let me say straight away: do not pay under any circumstances. You will not get your files back; you will only lose the money and fund the Trojan's creators. This virus was not designed to be decryptable.

Petya virus how to protect yourself

Let's take a closer look at protecting against the Petya virus:

  1. System updates, already mentioned. This is the most important point: even if your Windows is pirated, download and install the MS17-010 update.
  2. In Windows settings, enable "Show file extensions" so you can see what a file really is and delete suspicious ones. Note that the NotPetya payload discussed later on this page is a DLL (perfc.dat) rather than an .exe, so this mainly helps against droppers that arrive by email.
  3. Back to email: don't click links or attachments from people you don't know, and while the outbreak lasts, don't follow links in mail at all (even from people you know).
  4. Enable User Account Control.
  5. Copy important files to removable media or to the cloud. This gets you out of a lot of trouble: if Petya hits your PC, it will be enough to format the disk and install a fresh operating system.
  6. Install a good antivirus, preferably one that includes a firewall (such suites usually have "Security" in the product name). If you keep important data on the computer, don't skimp on antivirus.
  7. Having installed a decent antivirus, keep its databases updated.
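As an added example (not from the original article), here is a PowerShell script that checks points 1, 2 and 4 of the list above on a Windows host and also reports whether SMBv1, the protocol the MS17-010 exploits target, is still enabled. The KB numbers are the MS17-010 packages Microsoft published for each Windows version; because later cumulative updates supersede them, an empty result means "verify", not "vulnerable". Run it from an elevated prompt.

```powershell
# Added example: audit of the protective measures listed above.
# Assumption: the KB list below is the set of MS17-010 packages per Windows version;
# later rollups supersede them, so Get-HotFix may legitimately show none on a patched host.

$ms17010Kbs = @(
    'KB4012598'                # Vista, Server 2008; also the May 2017 package for XP, Server 2003, Windows 8 RTM
    'KB4012212'; 'KB4012215'   # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213'; 'KB4012216'   # Windows 8.1 / Server 2012 R2
    'KB4012214'; 'KB4012217'   # Windows Server 2012
    'KB4012606'; 'KB4013198'; 'KB4013429'   # Windows 10 1507 / 1511 / 1607 and Server 2016
)

function Test-Ms17010Installed {
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $found = $ms17010Kbs | Where-Object { $installed -contains $_ }
    [pscustomobject]@{ Check = 'MS17-010 package present'; Result = [bool]$found; Detail = ($found -join ', ') }
}

function Test-Smb1Disabled {
    # EternalBlue/EternalRomance abuse SMBv1; patched or not, it should be switched off.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
    } else {
        # Windows 7 / 2008 R2 have no SMB cmdlets; a missing registry value means the default (enabled).
        $v = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' -Name SMB1 -ErrorAction SilentlyContinue
        $enabled = ($null -eq $v) -or ($v.SMB1 -ne 0)
    }
    [pscustomobject]@{ Check = 'SMBv1 server disabled'; Result = -not $enabled; Detail = "EnableSMB1Protocol=$enabled" }
}

function Test-UacEnabled {
    $v = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -Name EnableLUA
    [pscustomobject]@{ Check = 'User Account Control enabled'; Result = ($v.EnableLUA -eq 1); Detail = "EnableLUA=$($v.EnableLUA)" }
}

function Test-ExtensionsShown {
    $v = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -Name HideFileExt -ErrorAction SilentlyContinue
    $hidden = ($null -eq $v) -or ($v.HideFileExt -ne 0)   # Explorer hides extensions by default
    [pscustomobject]@{ Check = 'File extensions shown in Explorer'; Result = -not $hidden; Detail = "HideFileExt=$($v.HideFileExt)" }
}

$results = @(
    Test-Ms17010Installed
    Test-Smb1Disabled
    Test-UacEnabled
    Test-ExtensionsShown
)
$results | Format-Table -AutoSize

$failed = $results | Where-Object { -not $_.Result }
if ($failed) {
    Write-Warning ('Action needed: ' + (($failed | ForEach-Object Check) -join '; '))
}
```

The SMBv1 check is the one worth keeping even on fully patched hosts: disabling the protocol removes the attack surface regardless of which rollup is installed. If you need a definitive answer on MS17-010 rather than a KB heuristic, scan the host from the network with a vulnerability scanner that implements the MS17-010 check.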

Petya virus how to remove

That's a hard question. If Petya has finished its work, there is essentially nothing left to delete: the file system has been scrambled and you are unlikely to put it back in order yourself. Do not pay the thieves. Specialist recovery is occasionally possible (see the Positive Technologies method described later on this page), but for most users what remains is to format the disk and reinstall the system, which also removes the virus.

This pest threatens Windows. If you run another system, for example the Russian ROSA Linux, you need not fear this ransomware. The same goes for phones: most run Android or iOS, so their owners have nothing to worry about.

If you are an ordinary person rather than the owner of a large company, the attackers are most likely not interested in you: they want large companies, for whom $300 is nothing and who can actually pay. But that does not mean the virus cannot land on your computer, so better be safe.

Still, let's hope that the Petya virus bypasses you! Take care of your information on your computer. Good luck!

Britain, USA and Australia officially accused Russia of distributing NotPetya

On 15 February 2018, the UK Foreign Office issued an official statement accusing Russia of organising the NotPetya cyber attack.


According to the British authorities, this attack showed a further disregard for the sovereignty of Ukraine, and as a result of these reckless actions, the work of numerous organizations across Europe was disrupted, resulting in multimillion-dollar losses.


The ministry noted that the conclusion about the involvement of the Russian government and the Kremlin was based on the assessment of the UK National Cyber Security Centre, which "is almost certain that the Russian military was behind the NotPetya attack." The statement also said that the UK and its allies will not tolerate malicious cyber activity.

According to Australia's Minister for Law Enforcement and Cyber Security, Angus Taylor, based on Australian intelligence and consultations with the US and UK, the Australian government concluded that Russian government-backed attackers were responsible for the incident. "The Australian government condemns Russian behaviour that poses serious risks to the global economy, government operations and services, business activity, and the safety and well-being of individuals," the statement reads.

The Kremlin, which has repeatedly denied any involvement of the Russian authorities in hacker attacks, called the British Foreign Office statement part of a "Russophobic campaign".

Monument "Here lies the Petya computer virus defeated by people on 06/27/2017"

A monument to the Petya computer virus was installed in December 2017 near the Skolkovo Technopark building. The two-metre monument, shaped like a bitten hard disk and bearing the inscription "Here lies the Petya computer virus defeated by people on 06/27/2017", was created with the support of INVITRO and other companies hit by the mass cyber attack. A robot named Nu, which works at Phystechpark (MIPT), came to the ceremony to give a solemn speech.

Attack on the government of Sevastopol

Specialists of the Main Directorate of Informatisation and Communications of Sevastopol successfully repelled an attack by the Petya network ransomware on the regional government's servers. This was announced on 17 July 2017 at an operational meeting of the Sevastopol government by the head of the informatisation department, Denis Timofeev.

He stated that the Petya malware had no effect on the data stored on computers in Sevastopol's state institutions.


The emphasis on free software is built into Sevastopol's informatisation concept, approved in 2015. It states that when purchasing or developing basic software, as well as software for automated information systems, the possibility of using free products should be analysed, since they can reduce budget costs and dependence on suppliers and developers.

Earlier, at the end of June, the Sevastopol branch of the medical company Invitro was also hit as part of the large-scale attack on the company. Because of the virus in its computer network, the branch temporarily suspended issuing test results until the causes were eliminated.

Invitro announced the suspension of taking tests due to a cyber attack

The medical company Invitro suspended the collection of biomaterial and the issuing of patient test results because of the hacker attack on 27 June, the company's director of corporate communications, Anton Bulanov, told RBC.

According to the company's statement, Invitro will return to normal operation in the near future; the results of tests taken after that point will be delivered to patients once the technical failure is resolved. At present the laboratory information system has been restored and is being configured. "We regret the current force majeure situation and thank our customers for their understanding," Invitro concluded.

According to the company, its clinics in Russia, Belarus and Kazakhstan were hit by the attack.

Attack on Gazprom and other oil and gas companies

On 29 June 2017 it became known that Gazprom's computer systems had been hit by the global cyber attack, making it one more Russian company to suffer from the Petya ransomware.

According to Reuters, citing a Russian government source and a person involved in the investigation, Gazprom was affected by the spread of the Petya malware, which attacked computers in more than 60 countries in total.

The sources did not say how many or which systems at Gazprom were infected, or the amount of damage done; the company declined to comment when asked by Reuters.

Meanwhile, a high-ranking source at Gazprom told RBC that computers in the company's head office were working without interruption at the time of the large-scale attack (27 June 2017) and were still working two days later. Two more RBC sources at Gazprom also assured the publication that "everything is calm" and there are no viruses.

In the oil and gas sector, Bashneft and Rosneft were hit by Petya. Rosneft announced on 28 June that the company was operating normally and that "certain problems" were being promptly resolved.

Banks and industry

Infections were also reported at Evraz, the Russian branch of Royal Canin (a pet-food maker) and the Russian branch of Mondelez (maker of Alpen Gold and Milka chocolate).

According to the Ministry of Internal Affairs of Ukraine, a man posted a video with a detailed description of how to launch the ransomware on computers. In the comments he posted a link to his page on a social network, where the malware was hosted. During a search of the "hacker's" apartment, law enforcement seized the computer equipment used to distribute NotPetya. Police also found malware files whose analysis confirmed their similarity to NotPetya. As the cyber police established, the ransomware linked by the Nikopol resident was downloaded by social-network users 400 times.

Among those who downloaded it, police identified companies that deliberately infected their own systems with the ransomware to hide criminal activity and evade payment of penalties to the state. Notably, police do not link the man's activity to the hacker attacks of 27 June; there is no suggestion that he is among NotPetya's authors. The acts he is charged with relate only to actions in July, after the wave of large-scale attacks.

A criminal case was opened against him under Part 1 of Article 361 (unauthorised interference with the operation of computers) of the Criminal Code of Ukraine. The Nikopol resident faces up to three years in prison.

Distribution in the world

The spread of the Petya ransomware was recorded in Spain, Germany, Lithuania, China and India. In India, for example, the malware left the cargo-tracking systems at the Jawaharlal Nehru container port terminal operated by A.P. Moller-Maersk unable to identify which goods belonged to whom.

The cyberattack was also reported by the British advertising group WPP, the Spanish office of DLA Piper (one of the world's largest law firms), the food giant Mondelez, the French building-materials manufacturer Cie. de Saint-Gobain and the pharmaceutical company Merck & Co.

Merck

The American pharmaceutical giant Merck, hit hard by the June NotPetya attack, was still unable to restore all of its systems and return to normal operation, according to the Form 8-K report it filed with the US Securities and Exchange Commission (SEC) at the end of July 2017.

Moller-Maersk and Rosneft

On 3 July 2017 it became known that the Danish shipping giant Moller-Maersk and Rosneft had restored the IT systems infected by the Petya ransomware only almost a week after the 27 June attack.


Maersk, which carries one in seven shipping containers shipped globally, added that all 1,500 applications affected by the cyberattack would be back to normal by 9 July 2017 at the latest.

The IT systems of Maersk-owned APM Terminals, which operates dozens of cargo ports and container terminals in more than 40 countries, were the worst affected. More than 100,000 containers a day pass through APM Terminals' ports, whose operations were completely paralysed by the spread of the virus. The Maasvlakte II terminal in Rotterdam resumed deliveries on 3 July.

On 16 August 2017 A.P. Moller-Maersk gave an approximate figure for the damage from the Petya attack, which, the company noted, had reached it through Ukrainian accounting software. By Maersk's preliminary calculations, financial losses from Petya in the second quarter of 2017 amounted to between $200 million and $300 million.

Rosneft likewise needed almost a week to recover its computer systems after the attack, as its press service told Interfax on 3 July.


A few days earlier, Rosneft emphasized that it was not yet undertaking to assess the consequences of a cyber attack, but production was not affected.

How does Petya work?

Indeed, victims cannot unlock their disks once infected: the creators never provided for it. An encrypted disk cannot be decrypted in principle, because the "installation key" shown on the ransom screen is random data that carries no information from which a decryption key could be derived.

Initially, experts assigned the virus, which affected about two thousand computers in Russia, Ukraine, Poland, Italy, Germany, France and other countries, to the already known Petya ransomware family. It turned out, however, to be a new family of malware, which Kaspersky Lab christened ExPetr.

How to fight

The fight against cyber threats requires the combined efforts of banks, IT businesses and the state

Data recovery method from Positive Technologies

On 7 July 2017 Positive Technologies expert Dmitry Sklyarov presented a method for recovering data encrypted by NotPetya. According to him, the method applies when NotPetya ran with administrative privileges and therefore took the disk-level path, encrypting the file system's MFT rather than individual files.

Recovery is possible because of errors in the malware's own implementation of the Salsa20 cipher. The method was tested both on a test medium and on an encrypted hard drive from a large company that was among the epidemic's victims.

Companies and independent developers specialising in data recovery are free to use and automate the published decryption script.
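The passage above says the Salsa20 implementation errors made recovery possible but not how. As an added example (not Positive Technologies' script and not code from the original article), the PowerShell block below shows the principle any such defect comes down to: a stream cipher that reuses keystream can be undone with known plaintext. The "cipher" is a stand-in built from HMAC-SHA256 over (key, sector counter), and the hypothetical bug is that the 64-bit sector counter is truncated to 16 bits before keystream derivation, so keystream repeats every 65536 sectors. This is not NotPetya's actual defect; the NTFS detail it leans on (an MFT record begins with the ASCII signature "FILE") is real, but the sample sectors are constructed.

```powershell
# Added example: known-plaintext recovery against a stream cipher with a keystream-reuse bug.
# The cipher and its bug are stand-ins (assumptions for the demo), not NotPetya's real code.

$SectorSize = 512

function Get-KeystreamBlock {
    # Stand-in keystream generator: HMAC-SHA256(key, counter || chunkIndex), 512 bytes per sector.
    param([byte[]]$Key, [uint64]$Counter)
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 (,$Key)
    $out = New-Object byte[] $SectorSize
    for ($i = 0; $i -lt ($SectorSize / 32); $i++) {
        $msg = [byte[]]([BitConverter]::GetBytes($Counter) + [BitConverter]::GetBytes([uint32]$i))
        $hmac.ComputeHash($msg).CopyTo($out, $i * 32)
    }
    $out
}

function Protect-Sector {
    # Hypothetical bug: the 64-bit sector index is truncated to 16 bits, so sectors that are
    # 65536 apart are XORed with the same keystream.
    param([byte[]]$Key, [uint64]$Sector, [byte[]]$Data)
    $ks = Get-KeystreamBlock -Key $Key -Counter ([uint64]($Sector -band 0xFFFF))
    $c = New-Object byte[] $Data.Length
    for ($i = 0; $i -lt $Data.Length; $i++) { $c[$i] = $Data[$i] -bxor $ks[$i] }
    $c
}

function Get-XorBytes {
    param([byte[]]$A, [byte[]]$B)
    $r = New-Object byte[] $A.Length
    for ($i = 0; $i -lt $A.Length; $i++) { $r[$i] = $A[$i] -bxor $B[$i] }
    $r
}

# Constructed disk: sector 100 is an MFT record whose full contents the analyst knows
# ("FILE" signature followed by zero padding), sector 65636 holds data the analyst wants.
$rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
$key = New-Object byte[] 32
$rng.GetBytes($key)                        # the attacker's key; the analyst never sees it

$knownRecord = New-Object byte[] $SectorSize
[Text.Encoding]::ASCII.GetBytes('FILE0').CopyTo($knownRecord, 0)
$secret = [Text.Encoding]::ASCII.GetBytes('payroll.xlsx contents (constructed sample)')
$secretSector = New-Object byte[] $SectorSize
$secret.CopyTo($secretSector, 0)

$cKnown  = Protect-Sector -Key $key -Sector 100   -Data $knownRecord
$cSecret = Protect-Sector -Key $key -Sector 65636 -Data $secretSector

# Analyst's side: ciphertext XOR known plaintext = keystream; the bug makes sector 65636 reuse it.
$recoveredKs = Get-XorBytes $cKnown $knownRecord
$plain = Get-XorBytes $cSecret $recoveredKs
[Text.Encoding]::ASCII.GetString($plain, 0, $secret.Length)
```

In practice nobody knows a whole 512-byte sector in advance; what an analyst has is many MFT records that share keystream and whose fixed-offset fields and padding are predictable, and the keystream is pieced together from those fragments. The lesson for anyone building on a stream cipher is the one the demo isolates: a counter or nonce that repeats turns known plaintext anywhere into a decryption oracle everywhere the keystream recurs.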

The investigation's findings have already been confirmed by the Ukrainian cyber police. The law firm Juscutum intends to use them as key evidence in a future case against Intellect-Service.

The case will be civil. A separate investigation is being carried out by Ukrainian law enforcement, whose representatives have previously raised the possibility of proceedings against Intellect-Service employees.

M.E.Doc's maker itself says that what is happening is an attempted hostile takeover of the company, and that the cyber police's search of its premises was part of that plan. The firm produces the only widely used Ukrainian accounting package.

Initial infection vector with Petya encoder

On 17 May an M.E.Doc update was released that did not contain the malicious backdoor module. This probably explains the relatively small number of XData infections, the researchers believe: the attackers did not expect the 17 May release and launched the XData encryptor on 18 May, by which time most users had already installed the clean update.

The backdoor allows other malware to be downloaded and executed on the infected system, which is how the initial infections with both the Petya and XData encryptors were carried out. The module also collects proxy and e-mail settings, including logins and passwords from the M.E.Doc application, as well as company EDRPOU codes (Unified State Register of Enterprises and Organisations of Ukraine), which make it possible to identify victims precisely.

"We have a number of questions to answer," said Anton Cherepanov, senior malware researcher at ESET. "How long has the backdoor been in use? What commands and what malware other than Petya and XData were sent through this channel? What other infrastructure has been compromised but not yet used by the group behind this attack?"

Based on a combination of indicators, including infrastructure, malicious tools, attack schemes and targets, ESET researchers established a link between the Diskcoder.C (Petya) epidemic and the TeleBots group. It has not yet been possible to reliably determine who is behind this group.

A number of Russian and Ukrainian companies were attacked by the Petya ransomware. This site's editors spoke with experts from Kaspersky Lab and the interactive agency AGIMA to find out how to protect corporate computers and how Petya resembles the equally famous WannaCry ransomware.

Virus "Petya"

In Russia, Rosneft, Bashneft, Mars, Nivea and the chocolate maker Alpen Gold (Mondelez International) were hit. The ransomware also got into the radiation monitoring system of the Chernobyl nuclear power plant. In addition, the attack affected the computers of the Ukrainian government, Privatbank and telecom operators. The virus locks computers and demands a ransom of $300 in bitcoin.

In its Twitter microblog, Rosneft's press service reported a hacker attack on the company's servers: "A powerful hacker attack was carried out on the company's servers. We hope that this has nothing to do with the current judicial proceedings. The company has turned to law enforcement agencies in connection with the cyber attack."

According to the company's press secretary Mikhail Leontiev, Rosneft and its subsidiaries are operating as usual. After the attack, the company switched to a backup production-process control system, so oil extraction and processing did not stop. The Home Credit bank's systems were also attacked.

"Petya" does not infect without "Misha"

According to AGIMA executive director Evgeny Lobanov, the attack was in fact carried out by two ransomware viruses, Petya and Misha.

"They work in conjunction. "Petya" does not infect without "Misha". It can infect, but yesterday's attack was two viruses: first Petya, then Misha. "Petya" overwrites the boot device (where the computer boots from), and Misha - encrypts files according to a certain algorithm, - the specialist explained. - Petya encrypts boot sector disk (MBR) and replaces it with his own, Misha already encrypts all files on the disk (not always)".

He noted that the WannaCry ransomware, which attacked major global companies in May this year, is not the same as Petya; this is a new version.

"Petya.A is from the WannaCry (or rather WannaCrypt) family, but the main difference is why this is not the same virus, it is that the MBR is replaced by its own boot sector - this is a novelty for Ransomware. Petya virus appeared a long time ago, on GitHab (online service for IT projects and joint programming - site) https://github.com/leo-stone/hack-petya" target="_blank"> there was a decryptor for this ransomware, but to the new no decryptor is suitable for modification.

Yevgeny Lobanov stressed that the attack hit Ukraine harder than Russia.

"We are more susceptible to attacks than other Western countries. We will be protected from this version of the virus, but not from its modifications. Our Internet is unsafe, in Ukraine it is even less so. Basically, we were attacked transport companies, banks, mobile operators(Vodafone, Kyivstar) and medical companies, the same Pharmmag, Shell gas stations - all very large transcontinental companies," he said in an interview with the site.

The AGIMA executive director noted that so far there are no facts indicating the geographical location of the virus's spreader. In his opinion the virus probably appeared in Russia, but there is no direct evidence of this.

"There is an assumption that these are our hackers, since the first modification appeared in Russia, and the virus itself, as everyone knows, was named after Petro Poroshenko. It was developed by Russian hackers, but it's hard to say who modified it further. Note that even from inside Russia it is easy to get hold of a computer geolocated in the United States, for example," the expert explained.

"If suddenly there was an "infection" of the computer - you can not turn off the computer. If you reboot, you will never log in again"

"If a computer is suddenly "infected", you cannot turn off the computer, because the Petya virus replaces the MBR - the first boot sector from which the operating system is loaded. If you reboot, you will never enter the system again. This cuts off the waste paths, even if it appears " tablet" it will no longer be possible to return the data. Next, you need to immediately disconnect from the Internet so that the computer does not go online. An official patch from Microsoft has already been released, it provides a 98 percent security guarantee. Unfortunately, not 100 percent yet. A certain modification of the virus (their three pieces) he is bypassing for now," Lobanov recommended. - However, if you did reboot and saw the beginning of the "check disk" process, at this moment you need to immediately turn off the computer, and the files will remain unencrypted ..

The expert also explained why Microsoft users are attacked most often, rather than users of macOS (Apple's operating system) and Unix systems.

"Here it is more correct to speak not only about MacOSX, but also about all unix systems (the principle is the same). The virus spreads only to computers, without mobile devices. Operating room under attack Windows system and threatens only those users who have disabled the function automatic update systems. Updates as an exception are available even for owners of old Windows versions that are no longer updated: XP, Windows 8 and Windows Server 2003," the expert said.

"MacOSX and Unix are not globally exposed to such viruses, because many large corporations use the Microsoft infrastructure. MacOSX is not affected, because it is not so common in government agencies. There are fewer viruses under it, it is not profitable to make them, because the attack segment will be smaller than if attack Microsoft," the expert concluded.

"The number of attacked users has reached two thousand"

The press service of Kaspersky Lab, whose experts continue to investigate the latest wave of infections, said that "this ransomware does not belong to the already well-known Petya family, although it shares several lines of code with it."

The company is sure that this is a new family of malware whose functionality differs significantly from Petya's; Kaspersky Lab named the new encryptor ExPetr.

"According to Kaspersky Lab, the number of attacked users has reached two thousand. Most of the incidents were recorded in Russia and Ukraine, and cases of infection were also observed in Poland, Italy, Great Britain, Germany, France, the United States and a number of other countries. At the moment, our experts suggest that this malware used multiple attack vectors. corporate networks a modified EternalBlue exploit and an EternalRomance exploit were used," the press service said.

Experts are also exploring the possibility of creating a decryption tool. The company has also issued recommendations to help all organisations avoid such an attack in future.

"We recommend that organizations install updates for the Windows operating system. For Windows XP and Windows 7, install the MS17-010 security update and ensure that they have an effective system Reserve copy data. Timely and secure data backup makes it possible to restore original files, even if they were encrypted by malware," Kaspersky Lab experts advised.

For its corporate clients the company also recommends making sure that all protection mechanisms are enabled, in particular that the connection to the Kaspersky Security Network cloud infrastructure is active, and, as an additional measure, using the Application Privilege Control component to prohibit all application groups from accessing (and therefore executing) a file named "perfc.dat", and so on.

"If you do not use Kaspersky Lab products, we recommend disabling the execution of a file called perfc.dat, as well as blocking the launch of the PSExec utility from the Sysinternals package using the AppLocker function, which is part of the OS ( operating system- site) Windows", - recommended in the Laboratory.

On 12 May 2017 many computers around the world were hit by WannaCry, an encryptor that encrypts the data on the hard drive, locks the device and demands a ransom. The virus affected organisations and agencies in dozens of countries, including Russia, where servers of the Ministry of Health, the Ministry of Emergency Situations, the Ministry of Internal Affairs, mobile operators and several large banks were attacked.

The spread of the virus was stopped by accident and only temporarily: if the hackers change just a few lines of code, the malware will start working again. The damage is estimated at one billion dollars. After linguistic forensic analysis, experts concluded that WannaCry was created by people from China or Singapore.