All you need to know about NotPetya, the ransomware of the Petya family. The Petya virus: how not to catch it, whether it can be decrypted, and the latest news on the Petya encrypter (ExPetr)
This conclusion was reached independently by two companies, Comae Technologies and Kaspersky Lab.
The original Petya ransomware, discovered in 2016, was a money-making tool. This sample is clearly not intended for profit: it is built for rapid propagation and damage, and merely disguised as an encrypter.
NotPetya is not a disk wiper in the literal sense. The threat does not delete the data; it simply renders it unusable by locking the files and "throwing away" the keys needed for decryption.
Juan Andrés Guerrero-Saade, senior researcher at Kaspersky Lab, commented on the situation:
In my book, infection with ransomware that has no viable decryption mechanism is equivalent to wiping the disk. By not attending to a viable decryption mechanism, the attackers showed complete disregard for long-term monetary gain.
The author of the original Petya ransomware wrote on Twitter that he had nothing to do with the development of NotPetya. He is already the second cybercriminal to deny involvement in creating a new, similar threat: earlier, the author of the AES-NI ransomware stated that he had no relation to XData, which was also used in targeted attacks on Ukraine. XData, like NotPetya, used the same distribution vector: the update servers of a Ukrainian accounting-software vendor.
Many indirect signs support the theory that someone is hijacking well-known ransomware families and using modified versions to attack Ukrainian users.
Destructive modules disguised as ransomware: already common practice?
There have been such cases before. Using malicious modules to cause irreversible file damage under the guise of ordinary ransomware is far from a new tactic; today it is becoming a trend.
Last year the Shamoon and KillDisk malware families included ransomware components and used similar techniques to destroy data. Now even industrial malware is acquiring disk-wiping functions.
Classifying NotPetya as a data-destruction tool moves it squarely into the category of cyberweapon. The consequences of the threat then have to be analysed from a different perspective.
Given the initial point of infection and the number of victims, it is obvious that the target of the attack was Ukraine. There is as yet no hard evidence pointing at the attacker, but Ukrainian officials have already accused Russia, which they have also blamed for earlier cyber incidents going back to 2014.
NotPetya may belong alongside well-known families such as Stuxnet and BlackEnergy, which were used for political purposes and for destructive effect. The evidence clearly shows that NotPetya is a cyberweapon, not just a very aggressive type of ransomware.
The Petya ransomware attacked computers in Ukraine, Russia, Sweden, the Netherlands, Denmark and other countries. The virus has even been recorded in Asia: the cargo-traffic management system of India's largest container port failed. Ukraine suffered most of all: Kharkov Airport is completely paralysed, and at Boryspil Airport operations have been restored but the main server is still down. About 300 thousand computers are locked; the user is asked to pay 300 dollars to unlock the data. So far, according to The Next Web, about 20 users have paid the attackers a total of roughly $5,000.
Who is to blame?
Overnight, the Cyberpolice Department of the National Police of Ukraine reported on its Facebook page that the attack on Ukraine was carried out through the reporting and document-management program M.E.Doc:
Police report that the attack began at 10:30 Moscow time, after the software's developers rolled out their next update. The authors of the document-automation software themselves categorically deny this and present detailed arguments:
Later, a post on the Cyberpolice page said that they are not accusing M.E.Doc, but only stating that facts have been identified which need to be checked in detail. Installing the update is still not recommended, however:
What is Petya?
As experts at Positive Technologies told the site, it is malware whose operation is based on encrypting the master boot record (MBR) in the disk's boot sector and replacing it with its own.
Even after the computer is infected, the user has about 1-2 hours in which to run the bootrec /fixmbr command to restore the MBR and bring the OS back to a bootable state; the files themselves, however, cannot be decrypted that way.
In addition, Petya spreads even to systems that received the security updates installed after the WannaCry attack (it does not need the SMB exploit on such hosts), which is why it is so effective and moves across other computers like an avalanche. It fights for control over all nodes of the domain, which amounts to a full compromise of the infrastructure.
The virus's attack on the computers of Ukrainian public and private companies began at 11:30. Large banks, retail chains, mobile operators, state-owned companies, infrastructure facilities and service-sector businesses were hit.
The virus covered the entire territory of Ukraine; by 17:00 there were reports that the attack had been recorded in the west of the country too, in Transcarpathia, where branches of OTP Bank and Ukrsotsbank were closed because of the virus.
"The Korrespondent.net website and the 24 TV channel are not working in Ukraine. The number of companies affected by the attack grows every hour. Currently most bank branches in Ukraine are not working. In Ukrsotsbank branches, for example, the computers simply do not boot. It is impossible to withdraw or send money, pay bills and so on. At the same time, there are no problems at PrivatBank," reports RT's Kiev correspondent.
The virus affects only computers running Windows. It encrypts the hard disk's master file table and extorts money from users for decryption. In this it resembles the WannaCry ransomware, whose attacks hit many companies around the world. Meanwhile, results of examining infected computers have appeared which show that the virus destroys all or most of the information on infected disks.
At the moment the virus is identified as MBR Locker 256, but in the media it has acquired another name: Petya.
From Kiev to Chernobyl
The virus hit the Kiev metro, where paying by bank card is currently difficult.
Many large infrastructure facilities were affected, such as the state railway operator Ukrzaliznytsia and Boryspil Airport. For now they are operating normally and the air-navigation systems were not affected, although Boryspil has already published a warning about possible schedule changes, and the arrivals board at the airport is not working.
The attack has also caused difficulties for the country's two largest postal operators, the state Ukrposhta and the private Nova Poshta. The latter said it would not charge for parcel shipping today, while Ukrposhta is trying to minimise the consequences of the attack with the help of the SBU.
Because of the risk of infection, even the websites of organisations the virus did not hit are being taken offline. For this reason, for example, the web servers of the Kiev City State Administration and the website of the Ministry of Internal Affairs of Ukraine are down.
Ukrainian officials predictably claim that the attacks come from Russia. This was stated by the secretary of Ukraine's National Security and Defense Council, Oleksandr Turchynov. "Already, from a preliminary analysis of the virus, one can speak of a Russian footprint," his official website quotes him as saying.
By 17:30 the virus had even reached the Chernobyl nuclear power plant, plant shift supervisor Vladimir Ilchuk told the Ukrainska Pravda outlet.
"There is preliminary information that some computers have been infected with the virus. Therefore, as soon as this hacker attack began, the staff's personal computers were switched off by the plant's computer team," said Ilchuk.
Attack on confectionery and oil and gas
Some Russian companies were also hit, including the oil and gas giants Rosneft and Bashneft, the metallurgical company Evraz and Home Credit Bank, whose branch operations were suspended, as well as Mars, Nivea, Mondelez International, Tesa and a number of other foreign companies.
Around 14:30 Moscow time, Rosneft announced a powerful hacker attack on the company's servers. The company's Twitter account noted that the attack could have had serious consequences, but thanks to switching production processes to a backup system, neither oil extraction nor oil processing was stopped.
After the cyberattack, the websites of Rosneft and Bashneft were unavailable for some time. Rosneft also declared that spreading false information about the attack was unacceptable.
Those who spread false, panic-inducing messages will be treated as accomplices of the organisers of the attack and will bear responsibility together with them.
- PJSC NK Rosneft (@rosneftru), June 27, 2017
At the same time, Rosneft noted that it had reported the cyberattack to law-enforcement agencies and expressed the hope that the incident was unrelated to "the current court proceedings". On Tuesday, June 27, the Arbitration Court of Bashkortostan began hearing on the merits the claim by Rosneft, Bashneft and Bashkortostan against AFK Sistema for 170.6 billion rubles.
WannaCry Jr.
The hacker attack did not affect the computer systems of the Russian Presidential Administration or the official Kremlin website, which, as presidential press secretary Dmitry Peskov told TASS, "is working stably".
The attack also did not affect the operation of Russian nuclear power plants, the Rosenergoatom concern noted.
Dr.Web stated on its website that, despite the outward similarity, the current attack used a virus different from the already known Petya ransomware, in particular in the mechanism by which the threat spreads.
"Among the victims of the cyberattack are the networks of Bashneft, Rosneft, Mondelez International, Mars, Nivea, Tesa and others," the agency quotes the company's statement. At the same time, the press service of Mars in Russia said that the cyberattack caused problems with IT systems only at the pet-food brand Royal Canin, not across the whole company.
The previous major hacker attack on Russian companies and government agencies took place on May 12, as part of a large-scale operation in which unknown hackers attacked Windows computers in 74 countries with the WannaCry ransomware.
On Tuesday, Konstantin Kosachev, head of the Federation Council's international affairs committee, said at a meeting of the Council's commission on protecting state sovereignty that about 30% of all cyberattacks on Russia are carried out from the United States.
"No more than 2% of the total number of cyberattacks on American computers are carried out from Russian territory, whereas 28-29% of those on Russian electronic infrastructure come from the territory of the United States," RIA Novosti quotes Kosachev as saying.
According to Costin Raiu, head of Kaspersky Lab's global research and analysis team, the Petya virus has spread to many countries around the world.
Petrwrap/Petya Ransomware Variant With Contact [email protected] Spreading Worldwide, Large Number of Countries Affected.
You may already be aware of the hacker threat recorded on June 27, 2017 in Russia and Ukraine, which were hit by a large-scale attack in the style of WannaCry. The virus locks computers and demands a ransom in bitcoin to decrypt the files. In total, more than 80 companies in the two countries were affected, including Russia's Rosneft and Bashneft.
Like the infamous WannaCry, this encrypting ransomware locks all the data on the computer and demands that a ransom equivalent to $300 be transferred to the criminals in bitcoin. But unlike WannaCry, Petya does not bother encrypting individual files: almost instantly it "takes away" your entire hard disk.
The correct name of this virus is Petya.A. An ESET report describes some features of Diskcoder.C (also known as ExPetr, PetrWrap, Petya or NotPetya).
According to the victim statistics, the virus spread in phishing emails with infected attachments. Usually the email asks you to open a text document, but as we know the real extension is hidden behind a double extension such as .txt.exe, and it is the last extension that counts. By default Windows does not display file extensions; they can be shown like this:
In Windows 8.1, in the Explorer window: View > Folder Options > clear the "Hide extensions for known file types" checkbox.
In Windows 7, in the Explorer window: press Alt > Tools > Folder Options > clear the "Hide extensions for known file types" checkbox.
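The same two steps done from an administrator's side, as an added example that is not code from the original article: the script flips the Explorer setting behind the checkbox above for the current user, then scans a folder for attachments whose visible name ends in a document extension while the real (last) extension is executable, which is exactly the ".txt.exe" trick described. The extension lists and the Downloads path are assumptions.

```powershell
# Added example, not from the original article. Shows hidden extensions and
# looks for "decoy.ext.exe"-style double extensions in a folder.

$advanced = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
# HideFileExt = 1 hides extensions (the Windows default); 0 shows them
Set-ItemProperty -Path $advanced -Name 'HideFileExt' -Value 0 -Type DWord
# Explorer re-reads the value only after it restarts; uncomment to apply at once:
# Stop-Process -Name explorer -Force

function Find-DoubleExtension {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Extensions Windows runs on double-click (assumed list, extend as needed)
        [string[]] $Executable = @('.exe', '.scr', '.com', '.pif', '.bat', '.cmd',
                                   '.js', '.jse', '.vbs', '.wsf', '.hta'),
        # Harmless-looking inner extensions a lure would show (assumed list)
        [string[]] $Decoy = @('.txt', '.doc', '.docx', '.xls', '.xlsx', '.pdf',
                              '.rtf', '.jpg', '.png')
    )
    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # With extensions hidden, Explorer shows BaseName ("invoice.txt") and
            # drops Extension (".exe"); the last extension decides what runs.
            $real  = $_.Extension.ToLowerInvariant()
            $shown = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
            if (($Executable -contains $real) -and ($Decoy -contains $shown)) {
                [pscustomobject]@{
                    Path     = $_.FullName
                    ShownAs  = $_.BaseName   # what a user with hidden extensions sees
                    RealType = $real         # what actually executes
                    Size     = $_.Length
                }
            }
        }
}

# Usage: scan where mail clients and browsers drop attachments (assumed path)
Find-DoubleExtension -Path "$env:USERPROFILE\Downloads" | Format-Table -AutoSize
```

The registry change is per user (HKCU); to enforce it for everyone, push the same value through Group Policy Preferences rather than running the script on each account. The scan only catches the naming trick; a lure with a single ".exe" extension and a document icon still gets past it, which is why attachment filtering at the mail gateway matters more than what the user sees.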
And the worst part is that users are not even troubled that the emails come from unknown senders and ask them to open unfamiliar files.
After opening the file, the user sees a "blue screen of death".
After the reboot, what looks like a disk check (a fake chkdsk) starts; in reality, this is when the virus encrypts the files.
Unlike other ransomware, once this virus runs it immediately restarts your computer, and when the machine boots again a message appears on the screen: "Do not turn off your PC! If you abort this process, you could destroy all of your data! Please make sure your computer is connected to power!" Although this may look like a system error, at that moment Petya is silently performing the encryption in the background. If the user tries to restart the system or stop the encryption, a flashing red skull appears on the screen with the text "Press any key!". Finally, after a key is pressed, a new window appears with the ransom note. In it the victim is asked to pay 0.9 bitcoin, roughly $400. However, this is the price for one computer only; for companies with many computers the amount can run to thousands. Another thing that sets this ransomware apart is that it gives a whole week to pay, instead of the usual 12-72 hours that other viruses of this category allow.
And the problems with Petya do not end there. Once the virus is in the system, it tries to overwrite the Windows boot code, the so-called master boot record that is required to boot the operating system. You will not be able to remove the Petya virus from your computer unless you restore the master boot record (MBR). Even if you manage to repair it and delete the virus from your system, your files will unfortunately remain encrypted, because removing the virus does not decrypt anything; it simply deletes the infected files. Of course, removing the virus is still important if you want to keep using the computer.
Once on a computer running Windows, Petya almost instantly encrypts the MFT (Master File Table). What is this table responsible for?
Imagine that your hard drive is the biggest library in the universe, containing billions of books. How do you find the right one? Only through the library catalogue. It is this catalogue that Petya destroys. You thereby lose any ability to find any "file" on your PC. More precisely, after Petya has done its "work", your computer's hard disk will resemble a library after a tornado, with scraps of books flying everywhere.
Thus, unlike WannaCry, Petya.A does not spend a long time encrypting individual files; it simply takes away any ability to find them.
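To make the MBR part of this concrete, here is an added example (not code from the original article or from any of the vendors quoted) that reads the first sector of the system disk and checks the structure Petya replaces: the boot code, the four partition entries and the 0x55AA signature. It assumes an administrator shell, that .NET's FileStream can open the raw device path \\.\PhysicalDrive0 (it can on Windows), and a hypothetical baseline file holding the SHA-256 of the boot code recorded earlier on a clean machine.

```powershell
# Added example, not from the original article. Reads and sanity-checks the
# MBR of PhysicalDrive0 and compares its boot code to a saved baseline.

function Get-MbrInfo {
    param([string] $Device = '\\.\PhysicalDrive0')

    $stream = [System.IO.FileStream]::new(
        $Device,
        [System.IO.FileMode]::Open,
        [System.IO.FileAccess]::Read,
        [System.IO.FileShare]::ReadWrite)
    try {
        $mbr = New-Object byte[] 512
        if ($stream.Read($mbr, 0, 512) -ne 512) { throw "Short read from $Device" }
    } finally {
        $stream.Dispose()
    }

    # MBR layout: 0..439 boot code, 440..443 disk signature, 446..509 four
    # 16-byte partition entries, 510..511 must be 0x55 0xAA.
    $sha256   = [System.Security.Cryptography.SHA256]::Create()
    $bootHash = ($sha256.ComputeHash([byte[]]$mbr[0..439]) |
                 ForEach-Object { $_.ToString('x2') }) -join ''

    $partitions = foreach ($i in 0..3) {
        $off = 446 + 16 * $i
        $e   = [byte[]]$mbr[$off..($off + 15)]
        [pscustomobject]@{
            Index    = $i
            Bootable = ($e[0] -eq 0x80)
            Type     = ('0x{0:X2}' -f $e[4])   # 0x07 = NTFS/exFAT, 0xEE = GPT protective
            StartLBA = [BitConverter]::ToUInt32($e, 8)
            Sectors  = [BitConverter]::ToUInt32($e, 12)
        }
    }

    [pscustomobject]@{
        SignatureOk    = (($mbr[510] -eq 0x55) -and ($mbr[511] -eq 0xAA))
        BootCodeSHA256 = $bootHash
        Partitions     = $partitions
    }
}

$info = Get-MbrInfo
$info.Partitions | Format-Table -AutoSize
if (-not $info.SignatureOk) {
    Write-Warning 'Boot signature 0x55AA missing: sector 0 is not a valid MBR'
}

# Hypothetical baseline: hex SHA-256 of bytes 0..439 taken from a clean boot
$baselinePath = 'C:\baseline\mbr-bootcode.sha256'
if (Test-Path $baselinePath) {
    $baseline = (Get-Content -Path $baselinePath -Raw).Trim()
    if ($baseline -ne $info.BootCodeSHA256) {
        Write-Warning 'Boot code differs from baseline: MBR was replaced. Repair with: bootrec /fixmbr'
    }
} else {
    # First run on a known-good system: record the baseline for later comparison
    New-Item -ItemType Directory -Path (Split-Path $baselinePath) -Force | Out-Null
    Set-Content -Path $baselinePath -Value $info.BootCodeSHA256
}
```

Two caveats. A changed boot-code hash is a signal, not proof: a Windows upgrade or a legitimate bootrec /fixmbr also rewrites those bytes, so re-baseline after such maintenance. And the check only sees the replaced bootloader; it cannot tell you whether the MFT has already been encrypted, which happens during the fake disk check after the reboot. On a UEFI/GPT system there is still a protective MBR (type 0xEE) in sector 0, but the firmware does not execute its boot code, which is one reason this particular trick hits legacy-boot machines hardest.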
Who created the Petya virus?
The Petya virus makes use of an exploit for a Windows vulnerability known as EternalBlue. Microsoft released patch KB4012598 for it (in our earlier material on WannaCry we already discussed this update, which "closes" the hole).
The creator of Petya was able to exploit the carelessness of corporate and home users and profit from it. His identity is still unknown (and is unlikely to become known).
How to remove Petya virus?
How do you remove the Petya.A virus from your hard disk? This is a very interesting question. The fact is that if the virus has already locked your data, there is essentially nothing left to remove. If you do not plan to pay the extortioners (which is not worth doing) and do not intend to try to recover the data on the disk later, it is enough to format the disk and reinstall the OS. After that no trace of the virus will remain.
If you suspect that an infected file is present on your disk, scan it with the ESET NOD32 antivirus and run a full system scan. NOD32 has stated that its signature database already contains information about this virus.
Petya.A decryptor
Petya.A encrypts your data with a very strong encryption algorithm. At the moment there is no solution for decrypting the locked information.
We would all no doubt dream of a miraculous Petya.A decryptor, but no such solution exists. The WannaCry virus hit the world a few months ago, and a cure for decrypting the data it encrypted has not been found either.
The only option is if you had shadow copies of your files beforehand.
So if you have not yet fallen victim to Petya.A, update your system and install the ESET NOD32 antivirus. If you have already lost control of your data, you have several options.
Pay. This is pointless! Experts have already established that the creators of this virus do not restore the files, and cannot restore them given the encryption technique used.
Try to remove the virus from the computer and recover your files from a shadow copy (the virus does not affect them).
Pull the hard drive out of the device, put it carefully in a cupboard and wait for a decryptor to appear.
Format the disk and reinstall the operating system. Downside: all the data will be lost.
Petya.A and Android, iOS, Mac, Linux
Many users are worried: "Can the Petya virus infect my device running Android or iOS?" We can reassure them: no, it cannot. It is designed only for Windows. The same goes for Linux and Mac fans: you can sleep soundly, nothing threatens you.
According to Positive Technologies, more than 80 organisations in Russia and Ukraine suffered from Petya. Compared with WannaCry, this virus is considered more destructive because it spreads by several methods: Windows Management Instrumentation, PsExec and the EternalBlue exploit. In addition, the free Mimikatz utility is built into the ransomware, so credentials stolen on one machine are used to log on to others.
"Such a set of tools allows Petya to remain operational even in infrastructures where the lesson of WannaCry was learned and the relevant security updates were installed, which is why the ransomware is so effective," said Positive Technologies.
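The passage above and the earlier mention of KB4012598 describe four things a defender can check on a host: the MS17-010 patch for EternalBlue, SMBv1 (the only protocol version the exploit works against), the credential exposure Mimikatz relies on, and traces of the PsExec and WMI lateral movement. The following is an added example, not code from the original article or from Positive Technologies; the KB numbers beyond KB4012598 are the other MS17-010 packages from Microsoft's bulletin, the event IDs are the documented Windows ones, and the 24-hour lookback is an assumption.

```powershell
# Added example, not from the original article. Audits one host for the
# exposures the text names and reports lateral-movement traces.

function Test-NotPetyaExposure {
    param([int] $LookbackHours = 24)

    # KB4012598 is the one the article names (XP/2003/Vista/2008); the rest are
    # the MS17-010 packages for the other Windows versions.
    $ms17010 = @('KB4012598', 'KB4012212', 'KB4012215', 'KB4012213', 'KB4012216',
                 'KB4012214', 'KB4012217', 'KB4012606', 'KB4013198', 'KB4013429')
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    $patched   = [bool]($ms17010 | Where-Object { $installed -contains $_ })

    # EternalBlue needs SMBv1 on the target; Windows 8/2012+ expose the setting here.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Mimikatz reads cleartext logon creds from WDigest (UseLogonCredential=1)
    # and dumps LSASS, which RunAsPPL=1 blocks for unsigned code. An absent
    # UseLogonCredential value means "cleartext" on Windows 7 without KB2871997.
    $wdigest = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -ErrorAction SilentlyContinue
    $lsa     = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue

    $since = (Get-Date).AddHours(-$LookbackHours)
    # PsExec installs a service named PSEXESVC on the target: System log, ID 7045
    $psexec = Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7045; StartTime = $since } -ErrorAction SilentlyContinue |
              Where-Object { $_.Message -match 'PSEXESVC' }
    # Remote WMI process creation: Security 4688 whose parent is WmiPrvSE.exe
    # (needs "Audit Process Creation" on; parent name is logged on Win10/2016+)
    $wmi = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4688; StartTime = $since } -ErrorAction SilentlyContinue |
           Where-Object { $_.Message -match 'WmiPrvSE\.exe' }

    [pscustomobject]@{
        MS17010Installed    = $patched
        SMB1Enabled         = $smb1
        WDigestCleartext    = ($wdigest.UseLogonCredential -eq 1)
        LsaRunAsPPL         = ($lsa.RunAsPPL -eq 1)
        PsExecServiceEvents = @($psexec).Count
        RemoteWmiProcEvents = @($wmi).Count
    }
}

$r = Test-NotPetyaExposure
$r | Format-List

# Remediate the weak settings (SMB1 and RunAsPPL changes take effect after a reboot)
if ($r.SMB1Enabled) { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force }
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest' -Name 'UseLogonCredential' -Value 0 -Type DWord
if (-not $r.LsaRunAsPPL) {
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name 'RunAsPPL' -Value 1 -Type DWord
}
```

The point of the last two settings is the one the quotation makes: patching closes EternalBlue, but a worm carrying Mimikatz does not need an exploit when it already holds a domain administrator's password, so credential hygiene (no shared local admin passwords, no domain admins logging on to workstations) does more against this propagation method than any single hotfix.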
As Elmar Nabigaev, head of the company's information-security incident-response department, told Gazeta.Ru, if we talk about the reasons for today's situation, the problem is once again a negligent attitude to information security.
Jakub Kroustek, head of Avast's virus lab, told Gazeta.Ru that it is impossible to say for certain who is behind this cyberattack, but that the Petya virus is already known to be distributed on the darknet under the RaaS (ransomware-as-a-service) business model.
"Thus the distributors of the program get up to 85% of the ransom, and 15% goes to the authors of the ransomware," Kroustek said. He noted that Petya's authors provide all the infrastructure, C&C servers and money transfers, which helps attract people to distribute the virus even if they have no programming experience.
Avast also reported which operating systems suffered most from the virus.
Windows 7 came first, with 78% of all infected computers, followed by Windows XP (18%), Windows 10 (6%) and Windows 8.1 (2%).
Kaspersky Lab concluded that, while the virus resembles the Petya family, it belongs to a different category, and gave it another name: ExPetr, meaning "ex-Petya".
Dmitry Khomutov, deputy development director at Ideco, explained to a Gazeta.Ru correspondent that the WannaCry and Petya cyberattacks led to what "had long been warned about", namely the exploitation of global vulnerabilities in information systems used everywhere.
"The loopholes left by American intelligence agencies became available to hackers and were quickly combined with the traditional arsenal of cybercriminals: ransomware, botnet clients and network worms," said Khomutov.
Thus WannaCry taught the world community practically nothing: computers remained unprotected, systems were not updated, and the effort of releasing patches even for obsolete systems was simply wasted.
Experts urge victims not to pay the demanded ransom in bitcoin, since the email address the hackers left for contact has been blocked by its provider. So even if the cybercriminals had "honest and good intentions", the user would not only lose the money but also receive no instructions for unlocking the data.
Ukraine suffered most from Petya. The victims included Zaporozhyeoblenergo, Dneproenergo, the Kiev metro, the Ukrainian mobile operators Kyivstar, lifecell and Ukrtelecom, the Auchan store chain, PrivatBank, Boryspil Airport and others.
The Ukrainian authorities immediately blamed Russia for the cyberattack.
"The war in cyberspace, which sows fear and horror among millions of personal-computer users and causes direct material damage by destabilising the work of businesses and government agencies, is part of the overall strategy of the Russian Empire's hybrid war against Ukraine," said a deputy from the People's Front party.
Ukraine may have suffered more than others because Petya was initially distributed through the automatic update of M.E.Doc, an accounting-reporting program. That is how Ukrainian government departments, infrastructure facilities and commercial companies were infected: all of them use this software.
The press service of ESET Russia explained to Gazeta.Ru that a single vulnerable computer without security updates is enough for Petya to infect a corporate network. Through it the malware gets into the network, obtains administrator rights and spreads to other devices.
However, M.E.Doc issued an official denial of this version.
"Users are actively discussing the sources and spread of the cyberattack on social networks, forums and other information resources, and in some of these discussions the installation of M.E.Doc updates is named as one of the causes. The M.E.Doc development team refutes this information and states that such conclusions are clearly erroneous, because the developer of M.E.Doc, as a responsible software vendor, monitors the security and cleanliness of its own code," the statement says.