'Petya' ransomware: Everything you need to know

Bitcoin
Bitcoin (Image credit: Shutterstock)

Little more than a month has passed since the notorious WannaCry ransomware attack hit headlines across the world. Now, sadly, we're in a period of another such attack, and this time it's dubbed "Petya" or "GoldenEye."

The basic problem is the same as the WannaCry outbreak: PCs are infected, locked up and files encrypted with a ransom demanded for access to the blocked files. It's not exactly the same as WannaCry, nor is it currently as widespread, but it's still important to know what you're dealing with.

7 tips to keep your Windows PC protected against malware

What you need to know about the Petya Ransomware

Petya

What is Petya?

Petya is a piece of ransomware that infects computers with the intent of monetary extortion in return for access to the contents of the PCs. It encrypts files, claiming only to let you back in upon receipt of a ransom.

Which platforms does it affect?

It's a Windows-only affair, and Microsoft already released a patch in March that should protect users, assuming it's installed.

Microsoft's March 2017 MS17-010 security update (opens in new tab) is where the necessary patches have been compiled.

How does Petya spread?

Petya tries to infect PCs using two methods, moving on to the second if the first fails. Once again, as with WannaCry, Petya utilizes the leaked EternalBlue exploit first developed by American security services.

If that fails because the system has been properly patched, for example, it moves on to the second method, which is to use two Windows administrative tools. Unlike WannaCry, Petya looks to spread within local networks without seeding itself externally, perhaps limiting its early global impact somewhat.

As reported by The Guardian, there is a secondary "vaccine" that may prevent infection on a specific PC, but it leaves Petya free to try and spread to others:

For this particular malware outbreak, another line of defence has been discovered: 'Petya' checks for a read-only file, C:\Windows\perfc.dat, and if it finds it, it won't run the encryption side of the software. But this "vaccine" doesn't actually prevent infection, and the malware will still use its foothold on your PC to try to spread to others on the same network.

What regions are affected by Petya?

The outbreak is reported to have surfaced in Eastern Europe, with the Ukraine in particular being hit hard. Organizations in France, the UK, Russia, Denmark and the U.S. are also confirmed as being affected.

How much is Petya's ransom?

Right now, $300 in Bitcoin.

If I get hit, should I pay the ransom?

No way! Remember that these are criminals, and chances are you'll be both out of pocket and without your files if you pay. These people don't want to be found, so they're unlikely to do anything that would give authorities any kind of edge in tracking them down.

In this case, there's also the issue of how the ransom is being collected. Instead of a unique wallet per user as with WannaCry, Petya is stuffing it all into one. And that has presented its own problems. Users have to send an email to get their decryption codes, and as reported by The Verge, that email address has been shut down:

But in the wake of today's globe-spanning infections, Posteo announced today that all account access to the "wowsmith" address have been blocked, making it impossible for the group to read or respond to any messages sent to the address.

Chances are you won't get the key you need even if the miscreants behind the attack ever planned on sending it out.

Am I at risk of Petya infection?

Sadly, we're always at some kind of risk on the internet. As detailed above, Microsoft already released a patch to mitigate at least the EternalBlue exploit, so the first port of call is to make sure that patch is installed.

If you don't have your updates turned on, that's a good place to start. Some people may not like "forced updates" but in most cases you shouldn't ignore them.

How do you get the files back?

Right now there's not a lot suggesting compromised files will ever be accessible again. If you don't have a backup, you might have lost your stuff. It's good practice to always back up your important files.

Is there anything I can do if I am affected?

It appears that there is. This tweet by Hacker Fantastic details what is actually the encryption process and how you can throw a spanner in the works.

See more

You still can't use your PC but the data you have stored on it will apparently be OK.

Your thoughts

That's a quick overview of where things stand right now, but it's an ever-changing situation. We'll do our best to keep on top of the latest details. And if you have anything helpful to share, be sure to leave it in the comments below.

Richard Devine is an Editor at Windows Central. A former Project Manager and long-term tech addict, he joined Mobile Nations in 2011 and has been found on Android Central and iMore as well as Windows Central. Currently you'll find him covering all manner of PC hardware and gaming, and you can follow him on Twitter and Instagram.

37 Comments
  • I guess that it won't make a difference if I have my PC's OS installed on the C drive and all data files being written to an entirely seperate drive...
  • Yes it does. I happened to get ransomware on PC several years ago when I was in the process up upgrading my AV. In that little moment when the old was removed, the PC rebooted to install the new version, it got infected. But, I had a dual boot with another Windows version, which was unaffected. I could then boot up there, run Norton's Power Eraser which removed the ransomware from the infected Windows installation. After that, the ransomware was removed and I could boot into that Windows again. However, it didn't work 100% okay anymore so a fresh install was needed. But, point is, with that event, I could access all files from the other boot option. That said, I don't know how "smart" these new ransomwares are, luckily I have not experienced it, so it could be that a dual- or more boot option might not be sufficient.
  • It could... It depends on where the encryption process starts. I would guess it starts with C:. So if you turn your computer off before it gets to your D: drive. You can remove it and save your files using another computer.
  • Another reason I'm glad I keep all our devices (tablets, laptops, PCs) updated with the latest Windows 10 and keep the updates coming. Fully updated Windows 10 PCs were immune to the WannaCry, and also are to this one.
  • me too rhapdog
  • Nope.....sorry...Our image lab at work, that we were developing the latest WIN10 images with 1703, were hit and got infected and were rebooted with that stupid screen.....So no, if your system gets hit, unless its patched SPECIFICALLY for this....it will be infected. And yes, we were running the latest security patches that had the WANNACRY fixes in it from May.
  • Hi.
    Do your users have administrative privileges (local admin / domain admin) ?
    that could explain...
  • nope..no domain users are admins on their machines.....well I'm sure there's a few, but its designed that they are not.
  • AFAIK, Windows 10 doesn't let you pick wich updates you get. You get them all, it was one of the big changes from previous Windows Update.
  • Your imaging lab should be on an isolated network so that images that are being created cannot be infected before they are fully patched.
  • It is isolated, its on its own switch, and own subnet, and on its own OU in AD, but it still needs to be part of the network, and for it to reach Windows update and such for certain applications to be installed and connected for config such as SAP.
  • I heard only 35% of PCs have the Win 10 Creators Update. It's a bad, bad idea not to update your computer. If you're reading this and you haven't, do it now!
  • No matter how much a company does to provide AV-protection and a firewall, it can't change the behavior of the PC-user...
  • Security updates go out to all win10 versions, not just CU, and MS has only rolled out CU to 35%, 65% of people have not deactivated updates!
  • Sorry, that doesn't matter. My image lab at work that we were developing images with 1703 for systems, all got infected. If your network has got it, then it will be infected.....
  • From nytimes.com: "Because the ransomware (Petya) used at least two other ways to spread on Tuesday — including stealing victims’ credentials — even those who used the Microsoft patch (for WannaCry) could be vulnerable and potential targets for later attacks, according to researchers at F-Secure, a Finnish cybersecurity firm, and others." Security software alone has proven to be a weak way to protect computers. It depends on users being constantly vigilant and software security companies anticipating all threats, neither of which happen often enough in the real world. Secure hardware has to be part of the solution. I have been volunteering with Purism, SPC, to support the company's efforts to manufacture truly secure computers, all of which have proven to be immune to threats like WannaCry and Petya because of their secure hardware and operating system. It's a wonderful thing to have a computer that does not need to be updated on a regular basis to be protected.
  • This really dissapoints me about the design in space constraints in Windows 10, as my tablet cannot be upgraded to Windows Creator's update so I'm vulnerable as my tablet only has 16GB of storage. I'm wondering if my Windows 10 tablet got infected last weekend since now I'm not able to restart it, the weird thing is that the virus didn't got installed correctly, it had a bug since instead of ransom welcome screen I just see the Windows registry got corrupted and my PC won't start, I'll have to reinstall Windows 10 image from OEM.
  • You are not vulnerable, the security patches are available for older versions as well.
  • What if all the important files are stored online (like OneDrive or so)? In that case, a fresh install should be enough? Granted, you will lose your installed programs and apps, but the files should be decrypted, right?
  • OneDrive is a multi-billion investment, so it probably has all your data stored in Linux Red Hat servers so no need to worry that Petya infects Microsoft's OneDrive data centers.
  • I meant if a consumer gets affected. The encrypted files would stay on their PC, right? They can still access the online files from another computer.
  • Yes, online files can still be access from another device, online.
  • So the virus can be spread through OneDrive to your other computers, but it can't encrypt your OneDrive files?
  • From my understanding, the Ransomware needs executable rights to do it's thing. If the OneDrive storage doesn't grant them ( why should it? ) it would lie dormant until downloaded, get removed from the system after it's been detected or not be allowed to be uploaded to begin with. But that's just a laymen's understanding of the issue.
  • They are not using RedHat for their mission critical datacenters and problem's such as this would be significantly reduced if all operating systems (especially Linux) and the infrastructure in between, were able to provide proper mitigatation processes.
  • Regardless of OS or data storage, everything that's powered on and accessible, can be hit. Now, the one benefit to cloud storage over your local HDD is that, with cloud storage, read/writes take longer so if you catch the problem if your anti-virus doesn't, you have a chance to reduce the impact. Don;t forget, you should never rely on any one form of backup.
  • What about ELSA malware?
  • "the virus looks for a read only file c:\Windows\perfc.dat and if it finds it, it won't encrypt."
    None of my computers nor server have this file?
  • What people really need to know is the home addresses of these people..
  • We added the kill switch based on that read only file and AV identified it as ransomware.
  • Re: aka R0bR,
    You created a file to be the "kill switch" read only file "perfc.dat" at c:\Windows and then your antivirus software detected the file as the ransomware virus? Did the antivirus software isolate and remove the file? How does this help you?
    .
    I thought about doing this too but now I don't understand if it will help to protect me.
    Best Wishes
  • Is this malware still transferred by email attachments?
  • Is there a better place to have this conversation? Where do knowledgeable people discuss this? Many questions have been asked in this string of comments and it seems no one knowledgeable responds.
    Thank you.
  • I'm getting a bit tired of that 'update your windows 10' crap. First of all, windows (specially 10) updates are a mess. Second. Saying people should do something they actively don't doesn't really address any problem. I don't update windows 10 regularly on my machine. Reason simple, there have been plenty that broke the os, and I just can't afford to have my laptop unuseable all of sudden, specially anoying if the only thing it does is try out some 'beta' idea some 'genious' in microsoft had and broke something I use in the process, sorry I don't work well enough to support that. Third. No you should NOT keep the latest updates. Not if you want a stable system. You SHOULD, though, install critical security updates, which is one of those features microsoft moved and humanity hasn't figured to where yet. Fourth. Where the hell are you clicking. That is source of the issue here. You can argue my computer is vulnerable, and you're right. Fact of the matter is, I can't remember the last time my computer got infected. I had some stolen, and the burglar wasn't asking 300$ for the data back, he probably just blindly formatted it. And guess what I've lost zero work to this day. Learn to store stuff and you will never lose anything. I can't imagine having data on server lost due to this. That IT manager should be fired. This ransomware isn't any worse than complete local drive failure, and he wasn't ready for that either. You trusted the chicken would lay the egg, then complaint it didn't. Honestly, think about it, is it not worse to loose or have your computer stolen? So stop blaming microsoft because you didn't backup your data, and stop saying I should update my computer that is just cheap talk (noise to me).
  • Typo: * especially
  • Dunno which is worse. The ransomwhere itself or spread of FUD that goes with it. Ensure your OS is set to always install the latest patches. Don't listen to the New York times: It "could" still spread article. "could" tells you straight away they have no idea. FUD peddlers. Don't listen to corporate IT guys who have locked down their Win 10 images the same as they did Win XP, applied selective updates and then wonder why the latest patch update didnt stop the virus. OneDrive is not a mapped drive so is immune. OneDrive lives on Azure / Windows not Linux. Any Mapped network drive will also be encrypted regardless of OS even if it's Lunix SAMBA. If you have update permissions. PS: It's the sad lonely Linux guys that do this, you know, so have pity on them.
  • Re: Gerty,
    Thank you for good information.
    .
    What about the fact that OneDrive and DropBox are sync'ed to multiple computers? Wouldn't that spread the virus?
    .
    May I ask, is the virus an .exe file? If so, most of us lay people can understand to not click on it, but it seems it must not be an exe or someone surely would have mentioned it.
    .
    Just trying to know what to do. Is there a better website or forum to read regarding this topic?
    Best Wishes