FANDOM


Petya (also known as NotPetya) is a ransomware on Microsoft Windows that spreads via LAN. It mostly infects computers in Europe, but has began to spread into Asia. Some companies are still currently struggling replacing computers infected with Petya. There are two variants of Petya, the original 2016 variant, and the new 2017 variant.

It is now considered to be a destructive malware, similar to MEMZ, because the decryption keys do not seem to work on most systems.

Payload

Similarly to WannaCry, this malware uses the EternalBlue exploit kit. As it is a .DLL file, it can be run by system processes. When run, all files will be encrypted into unreadable scripts. It will also setup a task to restart the computer in one hour. It will also slowly start spreading to local networks, but on the 2016 variant, it will instead display a different Blue Screen of Death with a c0000350 error, and creates a fake CHKDSK screen. In reality, the files are being encrypted. On the 2016 variant, encryption takes slightly longer. After the encryption, the next screen displayed depends on variant, so in the 2016 variant, it displays a flashing skull, with text that reads:

PRESS ANY KEY!

The variants are Mischa (green-on-black) and Goldeneye.

On the 2017 variant, it displays only text. On the 2016 variant, it tells the user to go on a darknet page using Tor, and tells the user to enter a personal encryption code on that page. However, the email was taken down shortly after the ransomware was released, it is impossible decrypt files.

On the 2017 variant, it tells the user to send 300 bitcoins to an address, and the bitcoin wallet ID and a personal installation key to send to an email to get a decryption key. Like the 2016 variant, the email was since, shut down, and it is now impossible to recover files. But due to a bug, it actually corrupts the files instead of encrypting them. Sooner but also very unfortunately, it was revealed to be a wiper in disguise, purposely created to not revert any changes.

PetyaSkull

The Petya skull.

Preventing Encryption

Booting from a live CD during the Blue Screen will allow the user to recover their files and not lose anything, as the ransomware has not began encryption. Another way to prevent encryption is to force shut down the computer during the fake CHKDSK screen before the ransomware begins to encrypt files.

Sources

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.