Petya Cyber Attack: What Is It and How Can It Be Stopped?

Petya is the name given to the most recent worldwide cyber attack, which hit many countries in Europe, especially Ukraine, and some parts of the United States. This malware attack crippled many companies and brought them to a standstill within a short period of time. The attack began on 27 June 2017 and at first infected computers within Ukraine, before spreading rapidly to computers in other parts of the world. Major companies that were hit included Maersk, DLA Piper, Mondelez and WPP, along with several government organizations in Ukraine. Petya locked computers running the Windows operating system and demanded a ransom of approximately $300 as a Bitcoin payment for unlocking them.

Part 1: What is Ransomware?

Ransomware is malware designed to encrypt the files on a computer system and then demand payment, usually in the form of a digital currency such as Bitcoin, for decrypting them. If the ransom amount isn’t paid, all of the files on the computer that haven’t been backed up will be lost forever.

Part 2: How does the Petya Ransomware Work?

Petya ransomware spreads using the EternalBlue exploit, which targets a vulnerability present in the Windows operating system. It also makes use of two different Windows administrative tools for its propagation. Petya first tries to infect the system through the vulnerability and, if that attempt fails, falls back to the administrative tools. This dual method of propagation makes Petya more formidable than other ransomware that has surfaced around the world recently. After infecting one computer, the malware tries to spread to other computers on the same network.

Upon infecting a system, Petya immediately reboots it and begins encrypting the files on it. If the malware isn’t stopped, it completely locks down the system and makes all of the files inaccessible. Once this process is complete, a ransom note appears on the screen asking the user to deposit $300 in the form of a Bitcoin payment. The note gives victims a Bitcoin payment address to which the ransom is to be sent. It also gives an email address for communicating with the perpetrators of the attack, which is to be used for delivering the digital key that unlocks the encrypted files once the ransom has been paid.

Part 3: How can it be stopped?

Petya can be stopped by installing a patch released by Microsoft that protects computers from the EternalBlue vulnerability. This patch is automatically downloaded and installed on computers that are using a registered version of Windows and have automatic updates enabled. On computers using an unregistered version, however, the patch has to be downloaded from the Microsoft website and installed manually. Moreover, anti-virus programs such as Symantec and Kaspersky have been updated to spot this malware and even protect files from being encrypted by it. Installing an updated version of these anti-virus programs can therefore also help you stop Petya from infecting your computer system.

In addition to the Windows patch and antivirus updates, another defensive measure that has been identified for this particular version of Petya is the presence of a read-only file named C:\Windows\perfc.dat on the computer system. If this file is present on your computer, Petya won’t be able to encrypt the files on your system. However, keep in mind that having this file won’t stop the malware from spreading to other computers that share the same network as your computer.
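
One way to check for, and optionally place, the read-only file described above, as an added PowerShell example that is not part of the original article. The function name `Test-PerfcMarker` and its parameters are hypothetical, and it assumes the file's contents do not matter.

```powershell
# Added example (not from the original article): audit the marker file the
# article describes and, with -Create, place it or fix its read-only attribute.
function Test-PerfcMarker {
    param(
        [string]$Path = 'C:\Windows\perfc.dat',  # path given in the article
        [switch]$Create                           # needs an elevated session
    )

    # -Force so a hidden file is still found; a missing file yields $null.
    $item = Get-Item -LiteralPath $Path -Force -ErrorAction SilentlyContinue

    if ($Create) {
        if (-not $item) {
            # Assumption: only presence and the read-only attribute matter,
            # so an empty file is created.
            $item = New-Item -ItemType File -Path $Path -ErrorAction Stop
        }
        if ($item.PSIsContainer) {
            # A directory with this name is not the read-only file described.
            throw "$Path exists but is a directory; remove it and re-run."
        }
        if (-not $item.IsReadOnly) {
            $item.IsReadOnly = $true
            $item.Refresh()
        }
    }

    # Report the state so the result can be collected across machines.
    $isFile = [bool]($item -and -not $item.PSIsContainer)
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $Path
        Exists   = [bool]$item
        IsFile   = $isFile
        ReadOnly = [bool]($isFile -and $item.IsReadOnly)
    }
}

# Report only:            Test-PerfcMarker
# Create or fix the file: Test-PerfcMarker -Create
```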

Part 4: What should you do if you are affected by the Ransomware?

If you happen to be a victim of this ransomware, your first action should be to power off your computer immediately. Petya starts the encryption process after rebooting the system, under the guise of a chkdsk procedure. So, if you see a chkdsk operation running on your PC after a reboot, powering it off immediately will stop the malware from encrypting the files on your system.

If the ransomware displays the ransom note after the reboot, you should under no circumstances consider paying the ransom. The email address provided to you, which is supposed to be used to send you the digital key for unlocking your files, has been suspended, so you won’t be able to get the key for decrypting your files. The only thing left for you to do in such a scenario is to stop the ransomware from spreading to other computers on the network. You can do this by disconnecting your PC from the internet, then reformatting your hard drive and reinstalling all your files from backup.

Some preventive measures that can be taken to ward off ransomware attacks like Petya include backing up your files regularly and keeping your anti-virus programs updated. Using a VPN when connected to public Wi-Fi and refraining from opening suspicious email attachments can also help protect against malware like Petya.

According to security experts, the Petya ransomware is targeting the following Microsoft operating systems due to them having the EternalBlue vulnerability.

Part 5: Can you recover your files?

After an attack by Petya, rebooting the machine can get your files back. However, it is not a foregone conclusion. There is a chance that rebooting the computer won’t recover your files and they will become encrypted by the malware. If you are faced with such a situation, the only way to recover your files is to use a data recovery tool. The recovery software can scan your computer for any deleted or encrypted files and can help you recover them. However, keep in mind that not all data recovery programs are capable of recovering lost files. You should only use a genuine and authentic recovery tool for this purpose, like Wondershare Data Recovery.

Petya is ransomware that infects computer systems running the Windows operating system via the EternalBlue vulnerability. It encrypts the files present on the infected systems and then spreads to other computers sharing the same network. This cyber attack managed to infect many large companies in countries like Ukraine, Germany, Russia and the United States. Downloading patches released by Microsoft and using updated versions of anti-virus programs like Kaspersky and Symantec can help in stopping it. Switching off the computer upon infection can also help in stopping the malware from encrypting the files on the system.
