New Petya Ransomware Strikes Around the Globe


New Petya Ransomware Makes Disruptive Debut

Dating back to the early 1990s and making a brief reappearance in early 2016, a variant of Petya Ransomware (also called Petrwrap) has resurfaced once again, this time referred to as Petya A or NotPetya. So far, Petya is known to have hit companies, public health care and government organizations, and airports in the U.S., Russia, Ukraine, Germany, France, Italy, Poland and the U.K. Inspiration for the newer and more robust malware was taken from the recent WannaCry Ransomware attack in May. With this particular Ransomware, criminals do not encrypt all files on your computer, but rather attack a part of the operating system called the Master File Table (MFT), in an attack that then overwrites the MBR (Master Boot Record). Much like the WannaCry Ransomware attack, Petya requires the victim to pay a digital ransom through Bitcoin in order to regain control.

What is Petya?

The MFT is critical for the system to know where to find files on the computer. Attacking it has the same effect as if each file had been locked separately. Why is this significant? It is a lot faster to attack the MFT than to encrypt each file separately, which makes this a seamless and fast-moving attack.
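As an added illustration (not code from the original article), the Python sketch below shows why the MBR and MFT matter for recovery: it follows the chain from the MBR partition table to the NTFS boot sector to the first MFT record in a disk image and reports which links are intact. The function names and the tiny sample image are constructed for this example; it assumes 512-byte sectors and a cluster-size byte that is a plain sector count.

```python
import struct

SECTOR = 512  # assumed sector size for the MBR; NTFS states its own below

def check_boot_chain(img: bytes) -> dict:
    """Walk MBR -> NTFS boot sector -> $MFT record 0 and report what is intact."""
    result = {"mbr_signature": False, "ntfs_partition": False, "mft_record0": False}
    if len(img) < SECTOR or img[0x1FE:0x200] != b"\x55\xaa":
        return result
    result["mbr_signature"] = True
    # Four 16-byte partition entries start at 0x1BE; type 0x07 is NTFS/exFAT.
    for i in range(4):
        entry = img[0x1BE + 16 * i : 0x1BE + 16 * (i + 1)]
        ptype, lba_start = entry[4], struct.unpack_from("<I", entry, 8)[0]
        if ptype != 0x07:
            continue
        vbr = img[lba_start * SECTOR : (lba_start + 1) * SECTOR]
        if len(vbr) < SECTOR or vbr[3:11] != b"NTFS    ":
            continue
        result["ntfs_partition"] = True
        bytes_per_sector = struct.unpack_from("<H", vbr, 0x0B)[0]
        sectors_per_cluster = vbr[0x0D]
        mft_cluster = struct.unpack_from("<Q", vbr, 0x30)[0]
        mft_off = lba_start * SECTOR + mft_cluster * sectors_per_cluster * bytes_per_sector
        # Every intact MFT record begins with the ASCII magic "FILE".
        result["mft_record0"] = img[mft_off : mft_off + 4] == b"FILE"
        break
    return result

def build_sample_image() -> bytearray:
    """Constructed 8-sector image: MBR, one NTFS partition at LBA 1, $MFT at cluster 2."""
    img = bytearray(8 * SECTOR)
    struct.pack_into("<B3xB3xII", img, 0x1BE, 0x80, 0x07, 1, 7)  # one partition entry
    img[0x1FE:0x200] = b"\x55\xaa"                               # MBR boot signature
    vbr = SECTOR
    img[vbr + 3 : vbr + 11] = b"NTFS    "                        # NTFS OEM ID
    struct.pack_into("<HB", img, vbr + 0x0B, 512, 1)             # bytes/sector, sectors/cluster
    struct.pack_into("<Q", img, vbr + 0x30, 2)                   # $MFT starting cluster
    img[vbr + 2 * SECTOR : vbr + 2 * SECTOR + 4] = b"FILE"       # MFT record 0 magic
    return img

if __name__ == "__main__":
    clean = build_sample_image()
    print("clean:  ", check_boot_chain(bytes(clean)))
    damaged = build_sample_image()
    damaged[3 * SECTOR : 3 * SECTOR + 4] = b"\x00" * 4  # constructed: unreadable MFT record
    print("damaged:", check_boot_chain(bytes(damaged)))
```

Run against a read-only forensic copy of a disk rather than the live device; a result where the partition is found but `mft_record0` is false means the file data may still be on disk even though the index to it is not readable.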

According to researchers at the computer security company Symantec, the new attack is using the same hacking tool (EternalBlue) that was initially created by the National Security Agency (NSA) to combat the WannaCry Ransomware. The group known as the Shadow Brokers was responsible for leaking the tool last April.

According to a researcher at Armor, the Petya attacks will be much more damaging than WannaCry. There is no obvious killswitch with this virus, which has made mitigating its effects difficult. Because this version of Petya carries significantly upgraded features, it is expected to infect the latest and even patched Windows PCs, including version 10, whereas WannaCry focused primarily on older systems.

If infected by Ransomware…

Even with the best precautions and policies in place, it is possible to fall victim to an attack. In the event that you are a victim of Ransomware, here is some advice to keep in mind:

  1. Remain calm. Rash decisions could cause further data loss. For example, if you discover a Ransomware infection and suddenly cut power to a server instead of powering it down properly, you could lose data in addition to the infected data.
  2. Check your most recent set of backups. If they are intact and up to date, restoring the data to a different system becomes easier.
  3. Never pay the ransom because attackers may not unlock your data. We mentioned this earlier on. There are many cases of Ransomware victims paying the ransom demanded and not receiving their data in return. Rather than running this risk, companies should work with data recovery experts who may be able to regain access to the data by reverse engineering the malware.
  4. Contact a specialist for advice and to explore recovery options. We can examine your scenario to see if we have a solution already in place or if we are able to develop one in time.

To date, engineers at Kroll Ontrack have identified over 225 variations of Ransomware that infect user devices, and there are more variations created every day, plus others that may not have been reported yet. The team of engineers at Kroll Ontrack works around the clock to identify and find a solution for each type of Ransomware. There is hope for those who are infected with Ransomware.


2 Responses to "New Petya Ransomware Strikes Around the Globe"

  • Paul McConville
    7th March 2018 - 7:45 am

    Infected with a Ransomware of data files with the file extension .rapid. Any possible decryption keys available to decrypt the encrypted data files?

    • Ben Blomberg
      8th March 2018 - 11:23 am

      Hi Paul,

      No specific tools or keys for decryption. There’s a possibility we’d be able to recover from an older point in time and can find files from before they were encrypted, but it would depend on your system. If you’d like to speak to one of our data recovery specialists, you can give us a call at 800.872.2599
