Petya is a ransomware on Microsoft Windows that spreads via LAN. It mostly infects computers in Europe, but has began to spread into Asia. Some companies are still currently struggling replacing computers infected with Petya. There are two variants of Petya, the original 2016 variant, and the new 2017 variant, which many security researchers have called as NotPetya. NotPetya is actually a wiper and it completely destroys the computer.

NotPetya is now considered to be a destructive malware, similar to MEMZ (note however that while the user can recover from MEMZ, the damage that NotPetya caused is irreversible. The user's data is gone unless they had a backup) because the encryption keys are randomly generated and then destroyed. Petya (the 2016 variant), however, can be recovered and the master key used for encryption was released.


Similarly to WannaCry, this malware uses the EternalBlue exploit kit. As it is an a .DLL file, it can be run by system processes. When run, all files will be encrypted into unreadable scripts. It will also set up a task to restart the computer in one hour. It will also slowly start spreading to local networks, but on the 2016 variant, it will instead display a different Blue Screen of Death with a c0000350 error, and creates a fake CHKDSK screen. In reality, the files are being encrypted. On the 2016 variant, encryption takes slightly longer. After the encryption, the next screen displayed depends on the variant, so in the 2016 variant, it displays a flashing skull, with text that reads:


The variants are Mischa (green-on-black) and Goldeneye.

On the 2017 variant, it displays only text. On the 2016 variant, it tells the user to go on a darknet page using Tor and tells the user to enter a personal encryption code on that page. However, the email was taken down shortly after the ransomware was released, making it impossible to decrypt files.

On the 2017 variant, it tells the user to send 300 bitcoins to an address, and the bitcoin wallet ID and a personal installation key to send to an email to get a decryption key. Like the 2016 variant, the email was since, shut down, and it is now impossible to recover files. But due to a bug, it actually corrupts the files instead of encrypting them. Sooner but also very, unfortunately, it was revealed to be a wiper in disguise, purposely created to not revert any changes.


The Petya skull.

Preventing Encryption

Booting from a live CD during the Blue Screen will allow the user to recover their files and not lose anything, as the ransomware has not begun encryption. Another way to prevent encryption is to force shut down the computer during the fake CHKDSK screen before the ransomware begins to encrypt files. Also, update the computer to ensure that the EternalBlue exploit is patched.