First discovered in 2016, Petya ransomware is a family of encrypting malware that targets Microsoft Windows-based computer systems. Although it made its debut in 2016, Petya ransomware gained worldwide recognition in 2017, when a new variant introduced in Ukraine led to $10 billion in damages through a colossal cyber-attack.
The name “Petya” stems from the 1995 James Bond film, GoldenEye. In the film, Petya is the name of one of the Soviet weapon satellites that carries an atomic bomb called a Goldeneye.
The new variant of Petya ransomware that caused irreversible damage to Ukrainian businesses was given the name “NotPetya” to differentiate it from the original.
Before diving into how to protect your web assets from Petya ransomware, let’s first answer two important questions: How does Petya ransomware work? And how does Petya ransomware spread?
This type of malware infects the master boot record, essentially taking over the whole computer and causing its data to become inaccessible. When the user tries to access the data, a ransom note appears with a red skull and crossbones on the screen, saying that the disk has been encrypted. The message is simple: pay a ransom (usually $300 to $400 in Bitcoin) for a key to reclaim file access—and this number doubles after one week.
However, it’s important to note that the key in question is randomly generated, meaning that the disk can never actually be decrypted or recovered. This means that the Petya malware is actually a wiper rather than true ransomware, and therefore victims should never pay, since they will not get their files back regardless.
To answer the question “how does Petya ransomware spread,” we must first understand what a computer worm is.
A computer worm is a type of malware that can copy itself without any human interaction and can spread those copies from one computer to another. Petya ransomware is a computer worm that self-propagates by building a list of target computers and using two methods to spread itself to them: IP address and credential gathering, and lateral movement.
Once installed, the malware hijacks the master boot record during the next system reboot, and then displays the ransom note to the user.
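As an added example (not code from the original article), a baseline check for the master boot record described above: it hashes the 446-byte boot-code region of a 512-byte MBR image and flags boot code that differs from a known-good baseline, a missing 0x55AA signature, or an emptied partition table. The sample sectors and the "known-good" boot stub bytes are constructed for illustration; on a real host the sector would come from a raw read of the first disk sector, which this offline example does not perform.

```python
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 446          # executable boot code occupies bytes 0..445
PART_TABLE_OFF = 446         # four 16-byte partition entries follow the boot code
BOOT_SIG = b"\x55\xaa"       # the sector ends with the 0x55AA boot signature


def boot_code_hash(mbr: bytes) -> str:
    """SHA-256 of the boot-code region only; the partition table may change legitimately."""
    return hashlib.sha256(mbr[:BOOT_CODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_hash: str) -> dict:
    """Compare a 512-byte MBR image against a known-good boot-code hash and report findings."""
    if len(mbr) != MBR_SIZE:
        raise ValueError("MBR image must be exactly 512 bytes")
    findings = []
    if mbr[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(mbr) != baseline_hash:
        findings.append("boot code differs from baseline")
    # An all-zero partition table would make the disk appear empty to the firmware.
    entries = [mbr[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)] for i in range(4)]
    if all(e == bytes(16) for e in entries):
        findings.append("partition table is empty")
    return {"tampered": bool(findings), "findings": findings}


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed sample sector: given boot code, one active NTFS partition, valid signature."""
    code = boot_code.ljust(BOOT_CODE_LEN, b"\x00")[:BOOT_CODE_LEN]
    # status 0x80 (active), CHS start, type 0x07 (NTFS), CHS end, LBA start 2048, 204800 sectors
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return code + entry + bytes(48) + BOOT_SIG


# Constructed "known-good" boot stub and a constructed sector whose boot code was replaced.
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
BASELINE = boot_code_hash(GOOD_MBR)
SUSPECT_MBR = build_sample_mbr(b"\xeb\x40\x90" + b"\x90" * 64)

if __name__ == "__main__":
    print(check_mbr(GOOD_MBR, BASELINE))      # no findings
    print(check_mbr(SUSPECT_MBR, BASELINE))   # boot code differs from baseline
```

Recording the baseline hash right after installation and re-checking it at boot or on a schedule turns an MBR overwrite into an alert instead of a surprise ransom screen.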
Now that we have answered the questions “how does Petya ransomware work” and “how does Petya ransomware spread,” we can talk about how to ward off this malicious malware.
Like most ransomware, Petya is difficult to remove after it has infiltrated and ingrained itself into a system. Unlike typical malware, it doesn’t just encrypt files—it takes over the master boot record, making it even more dangerous. The best method of dealing with this type of malware is to prevent it altogether. To do this, we recommend:
If your system becomes infected or you end up getting attacked, the following steps can help contain and minimize the damage:
If an attack occurs, it’s vital that you assess the chain of events and determine how the malware got through. Take a close look at your security tools and where your procedures fell short. After determining how the attack occurred, implement security awareness training to educate your employees and help avoid future incidents, and look for more effective security solutions moving forward.
Petya ransomware may be sneaky, but it’s also preventable. Knowing how Petya ransomware works will help your website and web assets remain secure. Check out “What Is Ransomware?” to learn about the other ways in which hackers attempt to hold sites hostage, and how you can prevent yours from being a target.