Petya Ransomware - TCS Prevention and Recovery Advisory

On 27 June 2017, a new worm-like ransomware called Petya / NotPetya affected organizations around the world. Once it has infected a machine, the malware uses a password harvesting utility together with the ETERNALBLUE and ETERNALROMANCE exploits to infect all computers on the local network. Although Petya / NotPetya actively uses these two exploits to infect as many computers as possible, it does not spread over the Internet; it only hits computers on the local network where the malware first gained a foothold.
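Because the propagation described above stays inside the local network, one detectable trace is a single host opening SMB connections to many local peers within a short time. The following Python is an added defender-side example, not part of the TCS advisory or its attached document; the firewall log format, timestamps and IP addresses are constructed for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log lines (not from the advisory):
# "<ISO timestamp> <src_ip> <dst_ip> <dst_port> <action>"
SAMPLE_LOG = """\
2017-06-27T10:00:01 10.0.1.15 10.0.1.20 445 ALLOW
2017-06-27T10:00:02 10.0.1.15 10.0.1.21 445 ALLOW
2017-06-27T10:00:02 10.0.1.15 10.0.1.22 445 ALLOW
2017-06-27T10:00:03 10.0.1.15 10.0.1.23 445 ALLOW
2017-06-27T10:00:04 10.0.1.15 10.0.1.24 445 ALLOW
2017-06-27T10:00:05 10.0.1.15 10.0.1.25 445 ALLOW
2017-06-27T10:00:30 10.0.1.40 10.0.1.5 445 ALLOW
2017-06-27T10:05:00 10.0.1.40 10.0.1.6 445 ALLOW
2017-06-27T10:06:00 10.0.1.15 203.0.113.9 443 ALLOW
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src, dst, port)."""
    ts, src, dst, port, _action = line.split()
    return (datetime.fromisoformat(ts), ipaddress.ip_address(src),
            ipaddress.ip_address(dst), int(port))


def smb_fanout_sources(log_text, window=timedelta(seconds=60), threshold=5):
    """Return {src_ip: {dst_ips}} for every private-range source that reached
    at least `threshold` distinct private-range hosts on TCP/445 within any
    sliding window of length `window`. Internet-bound traffic is ignored,
    matching the local-network-only spread described in the advisory."""
    events = defaultdict(list)  # src -> [(timestamp, dst), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = parse_line(line)
        if port == 445 and src.is_private and dst.is_private:
            events[src].append((ts, dst))

    flagged = {}
    for src, evs in events.items():
        evs.sort()  # chronological, so each window is a contiguous slice
        for i, (start, _) in enumerate(evs):
            targets = {d for t, d in evs[i:] if t - start <= window}
            if len(targets) >= threshold:
                flagged[str(src)] = {str(d) for d in targets}
                break
    return flagged
```

A legitimate file server or vulnerability scanner will also trip this rule, so tune the threshold and allow-list known scanners before alerting.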

Petya / NotPetya encrypts the entire hard drive. By encrypting the system volume, the Master File Table and the Master Boot Record, it prevents the system from booting normally and hands control to Petya's own bootloader, which displays the ransom note on screen. This also defeats file-recovery attempts that rely on standard forensic techniques such as booting from a LiveCD or another OS.

After infection, Petya demands approximately USD 300 in bitcoins in order to decrypt the files. After transferring the bitcoins, the victim has to send an email to the hacker with the wallet's address so that the hacker can verify the transaction and respond with the decryption keys. However, since the hacker's email address has apparently been taken down, paying the ransom in order to decrypt the files is currently not possible.

The attached document provides a quick overview of the Petya / NotPetya ransomware together with preventive measures and recovery guidance.
