What is the Petya virus? The ransomware has infected the computers of companies around the world

On the afternoon of 27 June, a ransomware virus began spreading in Ukraine and Russia, and later in other countries; it blocks access to data and demands $300 in bitcoins to unlock it.

The virus has been known in various modifications since 2016. Like much other malware, it is spread through spam; the first version of Petya, for example, was disguised as a résumé. Petya's scheme had already been described by security professionals.

The mechanism of the ransomware was described in more detail in April 2016 on the Malwarebytes Labs blog. At that time the virus spread as an e-mail with an employee's résumé attached; clicking on it launched a Windows program that requested administrator rights. If an inattentive user agreed, the installer copied the boot sector of the hard drive and showed a “blue screen of death”: the error message that prompts you to restart the computer.

At this stage, the researchers write, the hard disk is not yet encrypted and the data can still be saved: for example, by powering off the computer and attaching the hard drive to another machine without booting from it. All the data can then be copied.

After the restart, Petya runs a program that masquerades as CHKDSK. Instead of checking the hard disk for errors, it encrypts it, and, as the Malwarebytes Labs researchers found, not entirely but only partially. Kaspersky Lab claimed at the end of March 2016 that the encryption method used by the virus makes it possible, with the help of specialists, to recover all the data.
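As an added illustration of the boot-sector tampering described above (this is not code from the article or from the researchers it cites), the following Python snippet compares a raw MBR sector against a previously saved baseline and reports whether the bootstrap code or the partition table has changed. The two sample sectors are constructed here; the partition layout and the filler bytes are assumptions, not values taken from Petya.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 440        # bytes 0..439 hold the bootstrap code that runs before the OS
PTABLE_OFFSET = 446        # four 16-byte partition entries follow
SIGNATURE_OFFSET = 510     # a valid MBR ends with 0x55 0xAA


def parse_mbr(sector: bytes) -> Dict:
    """Split a raw 512-byte MBR into the pieces a baseline check cares about."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected one 512-byte sector")
    partitions = []
    for i in range(4):
        # entry layout: status, CHS start (3), type, CHS end (3), LBA start, sector count
        status, ptype, lba_start, count = struct.unpack_from(
            "<B3xB3xII", sector, PTABLE_OFFSET + 16 * i)
        if ptype != 0:  # type 0 means an unused slot
            partitions.append({"status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
        "signature_ok": sector[SIGNATURE_OFFSET:] == b"\x55\xaa",
    }


def compare_with_baseline(baseline: bytes, current: bytes) -> List[str]:
    """Return findings as text; an empty list means the MBR matches the saved baseline."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector is not a valid MBR")
    if base["bootstrap_sha256"] != cur["bootstrap_sha256"]:
        findings.append("bootstrap code replaced (hash differs from baseline)")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample(bootstrap_fill: int) -> bytes:
    """Constructed sample: synthetic bootstrap code, one NTFS-typed partition, valid signature."""
    sector = bytearray(SECTOR_SIZE)
    sector[:BOOTSTRAP_LEN] = bytes([bootstrap_fill]) * BOOTSTRAP_LEN
    struct.pack_into("<B3xB3xII", sector, PTABLE_OFFSET, 0x80, 0x07, 2048, 204800)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


BASELINE_MBR = build_sample(0x90)  # "known good" snapshot saved from a clean machine
TAMPERED_MBR = build_sample(0xEB)  # partition table kept, bootstrap code replaced
```

On a live Windows machine the baseline would be taken by reading the first 512 bytes of `\\.\PhysicalDrive0` as administrator; a replaced bootstrap with an intact partition table is exactly the pattern a boot-stage lock like the one described above leaves behind.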

Once the initial encryption is complete, the computer shows a red screen with the message “You are a victim of the Petya ransomware virus” and a demand to pay $300 in bitcoins. Detailed instructions on how to buy the required amount of bitcoin and where to send it were given on a website on the “darkweb”.

Judging by screenshots of the current version of Petya, there is now no website and no detailed instructions: infected users are told to write to an e-mail address and, in exchange for proof of payment, receive a code to decrypt the hard drive.

The researchers note that the part of Petya responsible for blocking access takes control of the computer at an early stage of boot. It was written by highly skilled programmers.

Since the beginning of 2016 Petya has been modified repeatedly. There are versions with a yellow ransom-demand screen, and versions that do not mention the virus's name at all.

How the version encountered by users on 27 June works and spreads has not yet been reported.

Judging by the scale of the infection, the virus has been modified and has a more sophisticated distribution mechanism.

A link to one of the bitcoin wallets collecting money from infected computers has already been posted on GitHub. At the time Meduza's text was written, it held a little over $2,300.

The simplest protection against Petya and similar ransomware: do not open attachments in suspicious messages from people you don't know.

Pavel Borisov