The latest finding is that the PETYA attack that began infecting computers in several countries around the globe on Tuesday, 27th June was never designed to restore the computers at all. The malware was designed to look like ransomware but in reality wipes computers outright, destroying all records on the targeted systems.

A large section of security experts believe the real attack has been disguised to divert the world’s attention from a state-sponsored attack on Ukraine to a malware outbreak.

How did the PETYA malware get into the systems?

According to research conducted by Talos Intelligence, the little-known Ukrainian firm MeDoc is likely the primary source of yesterday’s global ransomware outbreak. Researchers said the malware has possibly been spread through a malicious software update to a Ukrainian tax accounting system called MeDoc, though MeDoc has denied the allegations in a lengthy Facebook post.

However, several security researchers and even Microsoft agreed with Talos’s finding, saying MeDoc was breached and the virus was spread via its updates.

What is PETYA?

A nasty piece of malware that, unlike traditional ransomware, does not encrypt files on a targeted system one by one. Instead, Petya reboots the victim’s computer, encrypts the hard drive’s master file table (MFT) and renders the master boot record (MBR) inoperable, restricting access to the full system by seizing the information about file names, sizes and locations on the physical disk.

Petya then takes an encrypted copy of the MBR and replaces it with its own malicious code that displays a ransom note, leaving computers unable to boot. However, this new variant of Petya does not keep a copy of the replaced MBR, whether by mistake or on purpose, leaving infected computers unbootable even if victims get the decryption keys. This simply means that even if victims do pay the ransom, they will never recover their files.

Also, after infecting one machine, the Petya ransomware scans the local network and quickly infects all other machines on the same network (even fully patched ones), using the EternalBlue SMB exploit and the WMIC and PsExec tools.
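As an added example (not part of the original post), the following Python flags the WMIC and PsExec lateral-movement pattern described above in constructed process-creation records: remote `wmic /node:… process call create` invocations, PsExec service execution, and one host fanning out to many targets. The log format, host names, addresses and threshold are assumptions.

```python
import re

# Constructed Sysmon-style process-creation records (sample data, not real telemetry).
SAMPLE_LOGS = [
    r"ts=2017-06-27T11:02:13 host=WS01 user=CORP\svc image=C:\Windows\System32\wbem\WMIC.exe"
    r" cmdline=wmic /node:10.0.0.25 /user:CORP\admin process call create C:\Windows\tmp\x.exe",
    r"ts=2017-06-27T11:02:14 host=WS01 user=CORP\svc image=C:\Windows\System32\wbem\WMIC.exe"
    r" cmdline=wmic /node:10.0.0.26 /user:CORP\admin process call create C:\Windows\tmp\x.exe",
    r"ts=2017-06-27T11:02:15 host=WS01 user=CORP\svc image=C:\Windows\System32\wbem\WMIC.exe"
    r" cmdline=wmic /node:10.0.0.27 /user:CORP\admin process call create C:\Windows\tmp\x.exe",
    r"ts=2017-06-27T11:02:40 host=WS01 user=CORP\svc image=C:\Windows\System32\wbem\WMIC.exe"
    r" cmdline=wmic os get caption",
    r"ts=2017-06-27T11:03:01 host=WS02 user=SYSTEM image=C:\Windows\PSEXESVC.exe"
    r" cmdline=C:\Windows\PSEXESVC.exe",
]

LINE_RE = re.compile(r"^ts=(\S+) host=(\S+) user=(\S+) image=(\S+) cmdline=(.*)$")
# WMIC pointed at a remote node to start a process: the lateral-movement usage, not local queries.
WMIC_REMOTE_RE = re.compile(r"/node:(\S+).*\bprocess\s+call\s+create\b", re.IGNORECASE)
# PsExec runs its service binary on the target; the client binaries are included as well.
PSEXEC_IMAGES = {"psexesvc.exe", "psexec.exe", "psexec64.exe"}
FAN_OUT_THRESHOLD = 3  # distinct remote targets from one host before a sweep is flagged

def classify(line):
    """Return (source_host, reason, remote_target) for a suspicious record, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    _, host, _, image, cmdline = m.groups()
    image = image.rsplit("\\", 1)[-1].lower()  # basename, case-folded
    if image == "wmic.exe":
        remote = WMIC_REMOTE_RE.search(cmdline)
        if remote:
            return host, "remote process creation via WMIC", remote.group(1)
    elif image in PSEXEC_IMAGES:
        return host, "PsExec-style service execution", None
    return None

def detect(lines):
    """Per-record hits as (host, reason), in log order; duplicates kept to show volume."""
    return [(h, r) for h, r, _ in filter(None, map(classify, lines))]

def fan_out(lines):
    """Hosts whose remote WMIC process creation reached >= FAN_OUT_THRESHOLD distinct targets."""
    targets = {}
    for hit in filter(None, map(classify, lines)):
        host, _, target = hit
        if target:
            targets.setdefault(host, set()).add(target)
    return {h: t for h, t in targets.items() if len(t) >= FAN_OUT_THRESHOLD}
```

The fan-out rule is the one that separates an administrator running a single remote command from a host sweeping the subnet the way the post describes.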

This variant of Petya is destructive malware designed to shut down and disrupt services around the world, and the malware has successfully done its job.

The known countries infected by the Petya malware include Ukraine, Russia, France, Spain, India, China, the United States, Brazil, Chile, Argentina, Turkey and South Korea.

WannaCry Vs Petya


Be proactive and be SAFE from Malware attacks

  • Patch, patch, patch, and do it on time
  • Back up your critical data regularly; move the last full backup offsite, where it remains accessible in a crisis
  • Encrypt your backups so you won’t have to worry about a backup device falling into the wrong hands
  • Implement privileged access management and grant access based on business role
  • Segment your enterprise network effectively, controlling access and segregating networks

By:- Sapan Talwar