What is Petya?
Petya is a family of ransomware that has been active since at least March 2016. At its core, Petya behaves like every other hijack-for-money malware strain: pay the ransom the criminals demand, or lose access to your files.
No matter who you are, everyone with a Windows PC can be a potential victim.
Rather than encrypting your files one by one like most other ransomware, Petya takes away access to the whole drive. It overwrites the disk's master boot record with its own tiny boot loader and encrypts the master file table (MFT), the index NTFS uses to find every file, so the file system becomes unreadable and Windows won't boot at all. Some of its versions (yes, it has versions; later builds were bundled with a conventional file encryptor that runs if Petya cannot get the administrator rights it needs to touch the disk) encrypt both files and the MFT, but the bottom line is the same: once you are infected by Petya, you can't access your files.
In March 2017, a new ransomware strain called PetrWrap emerged. It contained a patched version of the original Petya with several modifications, including its own key handling so that the original Petya authors could not decrypt its victims.
Who is Petya targeting?
Petya, or more precisely a heavily modified variant that researchers soon named NotPetya because it differs so much from the original, is believed to be behind the massive ransomware attack that hit companies and organizations across the world in late June 2017. The most affected country was Ukraine, where the Kiev metro, the National Bank of Ukraine and several airports were among the highest-profile victims.
But the scale of the attack was truly global. Many multinational companies also reported being affected, including Nivea, Maersk, WPP and Mondelez, and the crippling effects of Petya were felt from India to the Port of Barcelona in Spain.
What does a typical Petya attack look like?
An HR department in a public agency or private company receives a fake job application by email with a Dropbox download link that claims to lead to someone's resume. The link downloads an .exe file which, once run, locks the victim out of the computer until, or so the criminals claim, the victim pays a predetermined amount in bitcoin.
Please note that this doesn't mean you're safe as long as you don't work in an HR department. Not at all. This is just the main way Petya has been spreading so far; the June 2017 outbreak needed no email at all and moved from machine to machine over the local network.
Where does it come from? Who made it?
At this point in time, nobody really knows for sure. Companies and institutions all over the world (Russia, the United Kingdom, India and many more) have been affected, and right now it's not possible to pinpoint Petya's exact geographical origin from the spread of victims alone.
How do I know if I'm infected with Petya?
If you've opened the malicious .exe file, the first clue that something is wrong is a Windows 'blue screen of death'. Petya deliberately crashes the system to force a reboot, because it needs its own boot loader, not Windows, to be running when it encrypts the disk. After the reboot you see what looks like a CHKDSK disk-repair screen; that is the moment the master file table is actually being encrypted. When it finishes, Petya shows its warning screen, often a skull on a colored background, and a message telling you to send payment in bitcoin in exchange for access to your files.
How do I get rid of Petya?
First and foremost, get a good, up-to-date antivirus. Our very own AVG AntiVirus FREE detects and removes Petya ransomware and other kinds of malware. If your PC is infected with Petya, our antivirus will detect it, quarantine it and destroy it. If it detects Petya is trying to enter your computer, it will block it from getting in.
Unfortunately, there is no reliable decryptor for files that have already been encrypted by the latest versions of Petya. (Early 2016 builds had a flaw in how they derived the key, and free tools could recover the disk from them, but that hole was closed in later versions.) Prevention, therefore, is absolutely essential.
Having said that, there is a trick which seems to work, at least for now. It won't remove Petya, but it can stop it from encrypting your disk if you act fast. It boils down to this: Petya does its damage only after it has forced your computer to reboot, during the fake CHKDSK screen. If you power the PC off the moment you see the blue screen, or as soon as an unexpected disk check starts, the MFT may not have been touched yet. Do not boot from that disk again; attach it to a clean machine or boot from rescue media and copy your files off first.
(Your mileage may vary, malware "mutates", and you should not rely on this for protection. You still need an antivirus.)
How do I prevent Petya from getting in?
Are you already an AVG antivirus user? You can breathe easy — we’re keeping you safe from Petya and all other sorts of active cyber threats currently out there.
One of the reasons Petya managed to spread so far and wide in June 2017 is that it used EternalBlue, an exploit for a flaw in the SMBv1 file-sharing protocol in Windows that Microsoft had patched in March 2017 (security bulletin MS17-010). It is the same exploit that made the earlier WannaCry ransomware attack so devastatingly fast and widespread. That's right: even after the global WannaCry scare, millions of PCs still had not been updated with the security patch that would have prevented much of the damage. The patch alone is not the whole story, either: once inside a network, the June 2017 variant also stole administrator credentials from memory and used standard Windows remote-administration tools to reach machines that were fully patched.
It is essential that you keep your Windows system updated with the latest security patches, and that you turn off SMBv1 where nothing still needs it, to stop malware like Petya from sneaking into your system.
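The following script is an added example and is not code from the AVG article. It audits the conditions that let EternalBlue reach a Windows host (SMBv1 enabled, the MS17-010 update absent, TCP/445 open on public networks) and can remediate them. It assumes an elevated PowerShell on Windows 8.1 / Server 2012 R2 or newer, where the built-in Get-Smb*, Get-WindowsOptionalFeature and NetSecurity cmdlets exist; the function name, parameter names and firewall rule name are this example's own.

```powershell
# Added example (not from the AVG article). Run from an elevated PowerShell on
# Windows 8.1 / Server 2012 R2 or newer. Every cmdlet used is built into Windows;
# the function, its parameters and the rule name are invented for this example.

function Test-EternalBlueExposure {
    param(
        # KB numbers that carry MS17-010 for *this* Windows version, copied from
        # the bulletin. Left empty on purpose: the list differs per OS and later
        # cumulative updates supersede the March 2017 ones.
        [string[]]$Ms17010Kb = @(),
        # Without -Remediate the function only reports.
        [switch]$Remediate
    )

    $findings = @()

    # 1. SMBv1 on the server side. EternalBlue is an SMBv1 exploit, so an
    #    unpatched host that has SMBv1 turned off is still out of its reach.
    $srv = Get-SmbServerConfiguration
    if ($srv.EnableSMB1Protocol) {
        $findings += 'SMBv1 server protocol is enabled'
        if ($Remediate) {
            Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        }
    }

    # 2. The SMB1Protocol feature package (client side as well). Removing it
    #    also stops this machine from initiating SMBv1 to others.
    $feat = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    if ($feat -and $feat.State -eq 'Enabled') {
        $findings += 'SMB1Protocol optional feature is installed'
        if ($Remediate) {
            Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
        }
    }

    # 3. Patch state. Get-HotFix lists only updates still registered, so on
    #    Windows 10 a superseded March 2017 KB will not show up: treat a miss
    #    as "verify manually", not as proof that the host is unpatched.
    if ($Ms17010Kb.Count -gt 0) {
        $installed = (Get-HotFix).HotFixID
        $present   = $Ms17010Kb | Where-Object { $installed -contains $_ }
        if (-not $present) {
            $findings += "None of the listed MS17-010 updates ($($Ms17010Kb -join ', ')) is installed"
        }
    }

    # 4. Block inbound TCP/445 on the Public profile, so a laptop on hotel
    #    Wi-Fi is not an SMB target even if a patch is missing.
    $ruleName = 'Block inbound SMB on public networks'   # name chosen for this example
    if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
        $findings += 'No firewall rule blocks inbound TCP/445 on the Public profile'
        if ($Remediate) {
            New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
                -LocalPort 445 -Profile Public -Action Block | Out-Null
        }
    }

    if ($findings.Count -eq 0) { 'No SMBv1 / EternalBlue exposure found.' } else { $findings }
}

# Audit only:
Test-EternalBlueExposure

# Audit and fix, passing the KB(s) listed for this OS in the MS17-010 bulletin:
# $kbsFromBulletin = @('KB...')   # fill in from the bulletin for your Windows version
# Test-EternalBlueExposure -Ms17010Kb $kbsFromBulletin -Remediate
```

Disabling the SMB1Protocol feature takes effect after a reboot, and the firewall rule deliberately covers only the Public profile: on a domain network, blocking 445 outright would break file shares and Group Policy, so there the answer is the patch plus turning SMBv1 off, not a port block.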
Remember that once your files are encrypted, there is really nothing you can do to get them back other than restoring from a backup you kept offline, out of the malware's reach. Even if you wanted to pay the ransom, you would most likely just lose your money without ever seeing your files again: first, because the people behind the attack can just as easily take your money and run; and second, because in the June 2017 attack their email provider suspended the contact address, so victims could not even send the proof of payment the attackers demanded in order to, allegedly, return a decryption key.
You essentially need to stop Petya from getting into your PC in the first place. Once again, make sure you have a good, up-to-date antivirus installed and running. Also, practice good online "hygiene": don't open unexpected email attachments or download links, even if you know and trust the apparent sender, since that address may be spoofed or compromised. If it looks or feels off, don't risk it.
There are many, many strands of ransomware out there, and ransomware itself is only one of many kinds of malware that can wreck your PC, your data and your security online. If you are looking for a thorough and comprehensive malware removal and prevention tool, AVG has got you covered — from the essential protection of our AntiVirus FREE to the advanced security and performance features of AVG Internet Security.