What is Petya? Well, Petya, also known as GoldenEye, NotPetya and Petwrap, is a nasty string of ransomware code that encrypts your files and then demands $300 in Bitcoin. The victim is told to install the Tor browser and use it to visit one of two .onion addresses; pay up, and you are supposedly given the decryption key. I cannot stress this enough: DO NOT PAY THE RANSOM. There is no guarantee you will ever get a working key, and the last thing these asshats need is more money.

Petya comes with an extra surprise, however. It doesn't just encrypt your files: it overwrites the boot sector (the Master Boot Record) with its own loader, and the disk-level encryption of the file system's own bookkeeping (the Master File Table) runs at the next boot, dressed up as a fake CHKDSK. Once that has happened Windows will not come back up. It even schedules a reboot of its own to make sure it gets there. This being said, if you are infected, DO NOT, UNDER ANY CIRCUMSTANCE, RESTART YOUR COMPUTER. A machine that has not rebooted still has its files sitting on the disk; power it off rather than letting it restart, and pull the data off by booting from separate media (a rescue CD/USB) instead of from Windows.

How does it work, you ask? Just like WannaCry, it abuses a hole in Server Message Block (SMB) to spread from machine to machine. It uses two bugs, and note that BOTH had already been patched by Microsoft before this outbreak: CVE-2017-0199 and MS17-010. CVE-2017-0199 is a bug that lets an outside attacker download and execute a Visual Basic Script (.vbs) containing PowerShell commands when a user opens a booby-trapped document. MS17-010, the same hole that WannaCry used in last month's attack, lets an outside attacker remotely execute code by sending specially crafted messages to the SMB service.

So, what can you do if you've been infected? Well, there are decryption tools out there for Petya, one of which reportedly does it in under 7 seconds. While I don't have the link, know that they're out there. One caveat: those were built for the older Petya variant, so don't count on them working against this one. Otherwise, not very much, beyond the "don't reboot, image the disk" advice above.

If you have not been infected, install the patches listed below as soon as possible AND back up your hard drive and/or storage. Patching is the more urgent of the two, but do both; a backup is what saves you when the next thing gets past the patches.

There's also a way to sort of "vaccinate" your computer against it. Petya checks for a file with its own name before it runs, and if that file already exists it won't execute. Simply create a file named "perfc" (no extension) in the C:\Windows folder, and set it to Read Only. For those of you who want an easy and quick way to do this, Lawrence Abrams has created a .bat file that does this step for you. Keep in mind this is a kill switch, not a patch: it stops this particular build from running on that machine, but it does nothing to close the SMB hole, so patch anyway. One last thing: Never open any suspicious emails, and NEVER EVER open an attachment that you weren't expecting.
Batch file: https://download.bleepingcomputer.com/bats/nopetyavac.bat
Note: A batch file can do anything the user running it can do, so they can be highly dangerous. Fortunately, this one is safe, and does exactly what it says it does! That being said, you should never run a batch file if you don't know what it does: open it in Notepad and read it first, it's only a few lines. They can be INCREDIBLY DANGEROUS when used with malicious intentions, and a decent amount of malware uses batch files to run/operate.
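Added example, not part of the original post and not Lawrence Abrams' nopetyavac.bat: the same vaccine step done by hand in PowerShell, plus a check that the files really are there and read-only, and a quick look for the KB numbers linked below. It assumes you run it from an elevated (Run as Administrator) PowerShell prompt and that $env:windir points at C:\Windows. The post only names "perfc"; the perfc.dat and perfc.dll copies are extra, harmless belt-and-braces files I add, and the Test-PatchListed helper is my own.

```powershell
# Added example: PowerShell version of the "perfc" vaccine described in the post.
# Not the original nopetyavac.bat. Run from an elevated PowerShell prompt.
# Assumption: $env:windir is the Windows folder (normally C:\Windows).

# 'perfc' is the name the post gives; .dat/.dll are extra copies (my addition).
$VaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')

function Set-PetyaVaccine {
    param(
        [string]   $Directory = $env:windir,
        [string[]] $Names     = $VaccineNames
    )
    foreach ($name in $Names) {
        $path = Join-Path -Path $Directory -ChildPath $name
        if (-not (Test-Path -LiteralPath $path)) {
            # The malware only checks that the file exists, so an empty file is enough.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Read-only, so a casual overwrite fails.
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
    }
}

function Test-PetyaVaccine {
    # Returns $true only if every vaccine file exists AND is read-only.
    param(
        [string]   $Directory = $env:windir,
        [string[]] $Names     = $VaccineNames
    )
    $allGood = $true
    foreach ($name in $Names) {
        $path = Join-Path -Path $Directory -ChildPath $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        if ($null -eq $item) {
            Write-Warning "Missing: $path"
            $allGood = $false
        }
        elseif (-not $item.IsReadOnly) {
            Write-Warning "Not read-only: $path"
            $allGood = $false
        }
    }
    return $allGood
}

function Test-PatchListed {
    # KB numbers are the ones linked at the bottom of the post (my helper, not
    # Microsoft's tooling). Caveat: later cumulative updates supersede these, so
    # "none found" does NOT prove you are unpatched; "found" does mean one of
    # those specific updates is installed.
    param([string[]] $Kb = @('KB4022725', 'KB4022717', 'KB4022722', 'KB4012598'))
    $installed = Get-HotFix -ErrorAction SilentlyContinue |
                 Where-Object { $Kb -contains $_.HotFixID } |
                 Select-Object -ExpandProperty HotFixID
    return @($installed)
}

# --- run it ---
Set-PetyaVaccine
if (Test-PetyaVaccine) {
    'Vaccine files in place and read-only.'
} else {
    'Vaccine check FAILED, see warnings above.'
}

$found = Test-PatchListed
if ($found.Count -gt 0) {
    "Found listed patch(es): $($found -join ', ')"
} else {
    'None of the listed KBs found; check Windows Update and make sure MS17-010 is installed.'
}
```

If New-Item fails with "Access denied", you are not running elevated; writing into C:\Windows needs administrator rights, which is also why the batch file has to be run as Administrator.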
Windows 10/8.1/7/Vista Software Patches:
Windows 10: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4022725
Windows 8.1: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4022717
Windows 7: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4022722
Windows Vista: http://catalog.update.microsoft.com/v7/site/Search.aspx?q=KB4012598
Stay safe, and keep your eyes peeled!