The Petya Ransomware, Which Locks Up Files And Has Spread To 65 Countries, Explained

Over the last few days, several thousand Windows computers across the world have been affected by a rapidly-spreading cyberattack. Called Petya, it locks up users’ files on their computers, and demands a $300 (Rs. 20,000) ransom be paid for the files to be unlocked. It’s remarkably similar to WannaCry, the ransomware that had exploded across the world last month — but has some crucial differences.

The Name

Researchers are split over what to call the new ransomware. It appeared similar to an attack that had spread last year called Petya, so it was initially called Petya. But then researchers found some crucial differences, so some dubbed it NotPetya. Some other researchers have been calling it GoldenEye.

How it works

Petya is thought to have originated in Ukraine. Hackers managed to corrupt a routine software update of an accounting firm called M.E.Doc. When its users downloaded and installed the update, the ransomware infected their computers, and in turn, began affecting other computers on their network. 

The ransomware works silently in the background, and then displays a screen which simply says “Ooops, your important files are encrypted,” a remarkably similar message to the WannaCry ransomware. Users are then told there is no way to recover the files, other than paying $300 worth of bitcoin to an address that’s provided. Once a user has made the payment, it asks them to contact an email address. The hackers say they’ll then send over the decryption keys through which users can unlock their files.

Petya-Ransom

The Impact

12,500 computers are already affected in Ukraine, the ground zero for the attack. Microsoft says Petya has infected computers in 64 other countries, including India. Large businesses in Ukraine were hit, including hospitals, ATMs, and even the radiation monitoring systems for the Chernobyl nuclear plant. In India, the ransomware hit the Jawaharlal Nehru port in Mumbai, and took down operations at one of its three terminals.

The Fix

At this point, if your computer has been hit, there’s simply no way to recover your files — the email id provided by the hackers was taken down by its hosting company. This means that even if the ransom is paid, there’s no way left to contact the hackers and receive the decryption key. Any files that have been affected are lost forever.

There are, however, ways to prevent an attack. The ransomware requires a reboot to take effect, which it initiates on its own within an hour of infecting a computer. During this period, it shows a warning message, warning users not to turn off their computers. If users turn off their computers when the following message shows, and don’t turn it on again, it’ll be possible to move their hard disk to a different machine to recover their files.

Other researchers have suggested that simply renaming a file on their computers could cause the virus to stop in its tracks. As always, security researchers have been warning people not to open emails with dubious attachments.

How Much Money Have The Hackers Made?

There is $10,000 (Rs. 6.5 lakh) in the bitcoin wallet that was owned by the hackers, suggesting only around 30 people have paid the $300 ransom to have their files unlocked. That’s half the amount that was earned by the WannaCry hackers over the same period, and it’s unlikely to rise — payments to the Petya account have petered out since the hackers’ email was disabled, since there’s no way to receive the decryption keys from them even if the payment is made.

It appears that the motives behind this attack aren’t monetary — the WannaCry attack only earned $130,000 (Rs. 85 lakh) for all the chaos it caused. And even this money might never reach the hackers — it still lies untouched in the bitcoin wallet that was originally provided. If the hackers try to move this money to a different wallet, they’ll attract the attention of law enforcement agencies who’ll try to track down their whereabouts. The Register says that these attacks are only designed to cause “merry mayhem.” “This is designed to spread fast and cause damage,” said a noted security researcher, adding that the ransomware was only a distraction.

 The hackers, in simple terms, aren’t really out to earn money — they only seem to want to watch the world burn.