Petya / NotPetya Ransomware


Because of the ransomware's global reach, many researchers flocked to analyze it, hoping to find a weakness in its encryption or a killswitch domain that would stop it from spreading, similar to WannaCry. When a computer is infected, the ransomware encrypts important documents and files and then demands a ransom, typically in Bitcoin, for a digital key needed to unlock the files. The malware appears to share a significant amount of code with an older piece of ransomware that really was called Petya, but in the hours after the outbreak started, Kaspersky Lab redubbed the malware NotPetya.



How does it spread?

The malicious software spreads rapidly across an organization. Unlike WannaCry, this version of 'Petya' tries to spread internally within networks, but does not seed itself externally. That may have limited the ultimate spread of the malware, which appears to have seen a decrease in the rate of new infections overnight.
It takes over computers and demands $300, paid in Bitcoin. A computer becomes infected either through the EternalBlue vulnerability in Microsoft Windows (Microsoft has released a patch, but not everyone will have installed it) or through two Windows administrative tools.

Is there a vaccine?

While analyzing the ransomware's inner workings, researcher Serper was the first to discover that NotPetya searches for a particular local file and exits its encryption routine if that file already exists on disk.

The researcher's initial findings were later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft. This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.

While this does prevent the ransomware from running, this method is more of a vaccination than a kill switch, because each computer user must independently create this file, whereas a "switch" is something the ransomware developer could turn on to globally prevent all ransomware infections at once.

How to vaccinate your computer manually?

First, configure Windows to show file extensions. For those who do not know how to do this, you can use this guide. Just make sure the Folder Options setting "Hide extensions for known file types" is unchecked, as shown below:


Once you have enabled the viewing of extensions, which you should always have enabled, open up the C:\Windows folder. Once the folder is open, scroll down till you see the notepad.exe program.



Once you see the notepad.exe program, left-click on it once so it is highlighted. Then press Ctrl+C to copy it and Ctrl+V to paste it. When you paste it, you will receive a prompt asking you to grant permission to copy the file.



Press the Continue button and the file will be created as notepad - Copy.exe. Left-click on this file, press the F2 key on your keyboard, erase the notepad - Copy.exe file name, and type perfc as shown below.
Once the filename has been changed to perfc, press Enter on your keyboard. You will now receive a prompt asking if you are sure you wish to rename it.



Click on the Yes button. Windows will once again ask for permission to rename a file in that folder. Click on the Continue button.
Now that the perfc file has been created, we now need to make it read only. To do that, right-click on the file and select Properties as shown below:



The properties menu for this file will now open. At the bottom will be a checkbox labeled Read-only. Put a checkmark in it as shown in the image below.

Now click on the Apply button and then the OK button. The Properties window should close and your computer should now be vaccinated against the NotPetya/SortaPetya/Petya Ransomware.
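The manual steps above can be carried out in one go from an elevated PowerShell prompt. The script below is an added example, not code from the original article: it creates C:\Windows\perfc (the file name the article uses; the SystemRoot variable is resolved by Windows), marks it read-only exactly as the Properties dialog does, and then reports the result so you can confirm the vaccine is in place. The parameter names and the administrator check are this script's own choices.

```powershell
# Added example: create the NotPetya "vaccine" file and mark it read-only.
# Run from an elevated (Administrator) PowerShell session, because C:\Windows
# is a protected folder.
[CmdletBinding()]
param(
    [string]$WindowsDir = $env:SystemRoot,   # normally C:\Windows
    [string[]]$VaccineNames = @('perfc')     # the file the article creates (no extension)
)

# Refuse to continue unless elevated; a non-admin session cannot write to C:\Windows.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal $identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Run this script from an elevated PowerShell session."
}

foreach ($name in $VaccineNames) {
    $path = Join-Path $WindowsDir $name

    if (-not (Test-Path -LiteralPath $path)) {
        # Content is irrelevant; the ransomware only checks that the file exists.
        New-Item -ItemType File -Path $path -Force | Out-Null
        Write-Host "Created $path"
    } else {
        Write-Host "$path already exists"
    }

    # Equivalent of ticking the Read-only box in the file's Properties dialog.
    $item = Get-Item -LiteralPath $path -Force
    if (-not $item.IsReadOnly) {
        $item.IsReadOnly = $true
        Write-Host "Set read-only on $path"
    }
}

# Verification: list each vaccine file with its read-only flag.
foreach ($name in $VaccineNames) {
    $item = Get-Item -LiteralPath (Join-Path $WindowsDir $name) -Force
    [pscustomobject]@{ Path = $item.FullName; ReadOnly = $item.IsReadOnly }
}
```

Running the script a second time is harmless: it reports that the file already exists and leaves the read-only flag set. Because the check is a simple file-exists test, the verification table at the end is the only thing worth inspecting; a row showing ReadOnly set to True for C:\Windows\perfc means the machine is vaccinated as described above.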


How to prevent Ransomware Attacks



  • Back up your files

The greatest damage people suffer from a ransomware attack is the loss of files, including pictures and documents.

The best protection against ransomware is to back up all of the information and files on your devices to a completely separate system. A good place to do this is an external hard drive that isn't connected to the internet. This means that if you suffer an attack you won't lose any information to the hackers.

Businesses often save copies of their data to external servers that won't be affected if their main network is attacked.

  • Be suspicious of emails, websites and apps

For ransomware to work, hackers need to get malicious software onto a victim's computer. This is then used to launch the attack and encrypt files.

The most common ways for the software to be installed on a victim's device are through phishing emails, malicious adverts on websites, and questionable apps and programs.

People should always exercise caution when opening unsolicited emails or visiting websites they are unfamiliar with. Never download an app that hasn't been verified by an official store, and read reviews before installing programs.

  • Use an antivirus program

An age-old computer security tip: antivirus programs can stop ransomware from being downloaded onto computers and can detect it once it is there.

Most antivirus programs can scan files to see if they might contain ransomware before downloading them. They can block secret installations from malicious adverts when you're browsing the web, and look for malware that may already be on a computer or device.

Always install updates!

To update our TotalAV app, please follow the steps below:

  1. Hover your mouse over the up arrow on system tray next to the clock and click on it to show all running apps.
  2. Find the TotalAV icon and right click on it.
  3. Click on "Check for updates".

Companies often release software updates to fix vulnerabilities that can be exploited to install ransomware. It is therefore advisable to always install the newest version of your software as soon as it is available.


  • Never pay the ransom

Victims of ransomware attacks are advised to never pay the fee as it encourages attackers and may not result in files being recovered. There are some programs that can help decrypt files. Or, if you have a back up, you can restore your device from that.

  • What to do if you're infected!

You'll immediately know whether you're infected — you'll be greeted by a popup screen saying "Ooops, your important files are encrypted."

And by "important," they're talking about your most commonly used files, including .mp3 audio files; .mp4 and .avi videos; .png and .jpg images; and .doc and .txt documents. The worm also targets any backup files you may have made, so you can't even restore older, safe versions.

Analysts said you should not click the "check payment" or "decrypt" buttons in the popup message.

Instead — if you're able to — download and install Microsoft patch MS17-010, which should work on Windows systems going all the way back to Vista.

Microsoft Patch Download: see Microsoft Security Bulletin MS17-010 (the original page linked to it here).
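The MS17-010 bulletin is delivered as a different KB update for each Windows version, so a machine cannot be checked with a single fixed identifier. The script below is an added example, not from the original article: it takes the KB number(s) for your Windows version from the MS17-010 bulletin as a parameter (the KBxxxxxxx value is a placeholder you must replace), reports whether any of them is installed via Get-HotFix, and, as an additional check not mentioned in the article, reports whether the SMBv1 server protocol that EternalBlue targets is still enabled. The parameter names are this script's own.

```powershell
# Added example: check whether this machine has an MS17-010 update installed
# and whether SMBv1 (the protocol EternalBlue exploits) is still enabled.
[CmdletBinding()]
param(
    # Replace with the KB identifier(s) listed for your Windows version in
    # Microsoft Security Bulletin MS17-010. 'KBxxxxxxx' is only a placeholder.
    [string[]]$Ms17010KbIds = @('KBxxxxxxx')
)

# Get-HotFix lists installed Windows updates; match against the supplied KB ids.
$installed = Get-HotFix | Where-Object { $Ms17010KbIds -contains $_.HotFixID }
if ($installed) {
    Write-Host "MS17-010 update present:" ($installed.HotFixID -join ', ')
} else {
    Write-Warning "None of the supplied MS17-010 KB ids are installed: $($Ms17010KbIds -join ', ')"
}

# SMBv1 status. Get-SmbServerConfiguration exists on Windows 8 / Server 2012 and
# later; older systems will not have the cmdlet, so handle that case explicitly.
if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    if ($smb1) {
        Write-Warning "SMBv1 server protocol is ENABLED; EternalBlue targets this protocol."
    } else {
        Write-Host "SMBv1 server protocol is disabled."
    }
} else {
    Write-Host "Get-SmbServerConfiguration not available on this Windows version; check SMBv1 manually."
}

# Summary object for use in scripts or reporting.
[pscustomobject]@{
    Ms17010Installed = [bool]$installed
    InstalledKbs     = @($installed.HotFixID)
    Smb1Enabled      = $smb1
}
```

On a patched machine the summary shows Ms17010Installed set to True; if it is False, install the update from the bulletin before doing anything else on that system. Disabling SMBv1 where nothing depends on it removes the protocol the EternalBlue exploit needs, which protects even machines that cannot be patched immediately.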


Cyber Attack Timeline