Petya Ransomware

What is Petya Ransomware?

Petya is a group of encrypting malware designed to infect Microsoft Windows-based systems. Petya infects the master boot record to execute a payload that encrypts data on infected hard drives. Only after the victim has provided the encryption key, which is usually done after paying a ransom to the attacker, can the data be unlocked.


Although it was first discovered in 2016, Petya became a major news story in 2017 after a new variant was employed in a large cyberattack on Ukrainian targets. It quickly spread worldwide, crippling businesses and causing more than $10 billion in damages.[1]

Because of key differences with the original, this new variant was also called “NotPetya”. It spread via an exploit called EternalBlue. The U.S. National Security Agency, (NSA) developed the exploit and later stole it. EternalBlue silently spreads across networks by exploiting a vulnerability in Windows networking protocols once it has been installed on compromised systems. NotPetya, unlike most malware, infected new systems automatically. This behavior made NotPetya look more like a “ransom worm”, rather than a virus.

NotPetya was initially targeted narrowly but quickly became a larger threat. And despite displaying the usual signs of a ransomware attack–such as the ransomware demand–wasn’t designed to actually collect any money. Researchers concluded that the virus was not a cybercrime act, but a state-sponsored destructive attack.


According to the Ukrainian police, the NotPetya attacks began by subverting an update function in the government’s accounting software. The second wave of attacks spread through malware-laden phishing emails.[2]

Although it was able to exploit the same vulnerability as WannaCry ransomware, it had more options to spread itself. This made NotPetya more resistant to cyber defenses. It wasn’t intended to spread beyond its initial infected environment. This prevented the spread of NotPetya and supports the theory that it was more of a targeted attack than a cyber criminal’s money grab.

Petya will wait approximately an hour after infecting a system before restarting it. The message “Repairing File System on C:” appears, warning users to not turn off their computers. While users wait, Petya encrypts their files. Finally, the system reboots and displays the ransom demand.

However, the NotPetya ransom is almost impossible to pay. The attackers’ email address was encrypted to a webmail address, which was immediately shut down. Victims can’t send money to the attackers or obtain the decryption keys.

How to Get Rid of Petya

Petya, like most ransomware, is hard to remove once it infects a system. The victim must decide whether to pay the ransom to get the encryption key or erase everything and restore it from backup. It is best to avoid ransomware entirely. This is how to prevent ransomware from being spread.

  • Before the Attack

Ransomware is best avoided. This requires planning and hard work before the crisis strikes.

  • Backup and restore regular data backups are the most crucial part of any ransomware security plan. Surprisingly, very few companies have backup and restore drills. Both are vital; you can only know if your backup plan works ahead of time if you do not have restore drills.
  • Update and patch
    Make sure that operating systems, security software, and patches are up-to-date for all devices.
  • Empower and train users
    Awareness and training are essential for employees. Employees need to be aware of what to do and what not to do. They also need to know how to report ransomware. Employees who receive ransomware demands from the government should immediately notify security and never attempt to pay it on their own.
  • Invest in people-centric security solutions
    Ransomware can be stopped by even the most thorough user training. Advanced email security solutions can protect against ransomware-related attachments, documents, or URLs in emails.

During an Attack: Stop the Damage and Go Back to Business

Although it is best to avoid ransomware in the first instance, this advice doesn’t apply if you are newly infected.

There are short-term issues to solve, such as getting your phones and computers back online and dealing with ransom requests.

  • Reboot the computer and disconnect from the internet
    Petya will wait about an hour after infecting the system before restarting the computer and showing a message saying that the file system was being “repaired.” Experts say some files could be saved if the machine is switched off immediately.[2]
    Employees should immediately disconnect from the network if they see ransomware demands or notice anything unusual. Then, take infected machines to the IT department.
    Only IT security personnel should attempt to reboot. Even then, it will not work if the malware is malicious or fake scareware.
  • For law enforcement assistance, call the police
    Ransomware is a crime. Theft and extortion are involved. Notifying the appropriate authorities is an essential first step.

Based on threat intelligence, determine the scope of the problem
Your decision about whether or not to pay the ransom depends on many factors.

    • Type of attack
    • Who is in your network at risk?
    • What network permissions are required for compromised accounts?
  • Organize a response
    Your response will include deciding whether or not to pay the ransom. This is a complicated question that may require you and your legal counsel to find the right answer. Sometimes, it may be necessary to pay.
  • Do not count on ransomware encryption tools being free
    Most tools are limited to a single ransomware strain or attack campaign. The ransomware is updated regularly and the tools that were given away are no longer valid.
  • Restore from Backup
    You can only recover from ransomware infections if you restore everything from backup. Even if you have recent backups, it might be more economical and practical to pay the ransom.

After the Attack: Review and Reinforce

To find potential threats still lurking in your environment, we recommend that you conduct a complete security assessment from top to bottom. Examine your security procedures and tools to see where they are lacking.

  • Cleanup
    Ransomware can contain backdoor Trojans or other threats that could lead to further attacks. Other ransomware may have been installed in cases where the victim’s environment had already been compromised. This opens the door to ransomware.
    You may be missing hidden dangers that are not obvious in the chaos.
  • Post-mortem review
    Examine your threat preparedness and the chain of events that lead to the infection. Also, consider your response. You cannot stop the next ransomware attack if you don’t know how the ransomware was distributed.
  • Assess user awareness
    An informed employee is your last defense line. You must ensure that staff, faculty, and employees are capable of handling the job.
  • Training and education
    Create a training program to help employees deal with cyber attacks. In the event of a future cyber attack, create a plan for crisis communications. Follow-up with drills or penetration testing.
  • Reinforce your defenses
    Security solutions must be able to identify, block and analyze the malicious URLs and attachments used as primary ransomware attack vehicles in today’s rapidly changing threat environment.
    Look for security solutions that can adapt to emerging threats and allow you to respond faster.