'Petya' ransomware: Everything you need to know
Little more than a month has passed since the notorious WannaCry ransomware attack hit headlines across the world. Now, sadly, another such attack is under way, and this time it's dubbed "Petya" or "GoldenEye."
The basic problem is the same as the WannaCry outbreak: PCs are infected, locked up and files encrypted with a ransom demanded for access to the blocked files. It's not exactly the same as WannaCry, nor is it currently as widespread, but it's still important to know what you're dealing with.
It isn't affecting Mac directly, but if you're dual-booting Windows on your machine you may have some questions or concerns. Hopefully we can help answer some of those.
What you need to know about the Petya Ransomware
What is Petya?
Petya is a piece of ransomware that infects computers with the intent of extorting money in return for restoring access to the PC's contents. It encrypts files and claims it will only let you back in upon receipt of a ransom.
Which platforms does it affect?
It's a Windows-only affair, and Microsoft already released a patch in March that should protect users, assuming it's installed.
Microsoft's March 2017 MS17-010 security update is where the necessary patches have been compiled.
If you're dual-booting Windows on your Mac, you should make sure you've installed the patch update, just to be on the safe side.
How does Petya spread?
Petya tries to infect PCs using two methods, moving on to the second if the first fails. Once again, as with WannaCry, Petya first uses the leaked EternalBlue exploit, originally developed by American security services.
If that fails, for example because the system has been properly patched, it moves on to the second method: using two Windows administrative tools to spread. Unlike WannaCry, Petya looks to spread within local networks without seeding itself externally, which may limit its early global impact somewhat.
As reported by The Guardian, there is a secondary "vaccine" that may prevent infection on a specific PC, but it leaves Petya free to try and spread to others.
What regions are affected by Petya?
The outbreak is reported to have surfaced in Eastern Europe, with Ukraine in particular being hit hard. Organizations in France, the UK, Russia, Denmark and the U.S. are also confirmed as being affected.
How much is Petya's ransom?
Right now, $300 in Bitcoin.
If I get hit, should I pay the ransom?
No way! Remember that these are criminals, and chances are you'll be both out of pocket and without your files if you pay. These people don't want to be found, so they're unlikely to do anything that would give authorities any kind of edge in tracking them down.
In this case, there's also the issue of how the ransom is being collected. Instead of a unique wallet per user as with WannaCry, Petya is stuffing it all into one. And that has presented its own problems. Users have to send an email to get their decryption codes, and as reported by The Verge, that email address has been shut down.
Chances are you won't get the key you need even if the miscreants behind the attack ever planned on sending it out.
Am I at risk of Petya infection?
Sadly, we're always at some kind of risk on the internet. As detailed above, Microsoft already released a patch to mitigate at least the EternalBlue exploit, so the first port of call is to make sure that patch is installed.
If you don't have your updates turned on, that's a good place to start. Some people may not like "forced updates" but in most cases you shouldn't ignore them.
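The two sections above boil down to one check on a Windows install (including one dual-booted on a Mac): is the MS17-010 update present, and is the SMBv1 service that EternalBlue targets still switched on? The following PowerShell script is an added example, not code from the iMore article or from Microsoft. The KB numbers in the default list are the ones I recall Microsoft attaching to MS17-010 for each Windows version; treat that list as an assumption and verify it against the bulletin before relying on the script. It also records the version of srv.sys, because on Windows 10 later cumulative updates supersede the standalone KB and the driver version is the reliable thing to compare with the bulletin.

```powershell
# Added example (not from the iMore article): report whether this Windows
# machine carries an MS17-010 package and whether SMBv1 is still enabled.
# The KB list below is reproduced from memory of the MS17-010 bulletin;
# verify it against Microsoft's bulletin before relying on this output.
param(
    [string[]]$Ms17010Kbs = @(
        'KB4012598',                            # Vista / Server 2008 / XP / 2003 / 8 (assumed)
        'KB4012212', 'KB4012215',               # Windows 7 / Server 2008 R2 (assumed)
        'KB4012213', 'KB4012216',               # Windows 8.1 / Server 2012 R2 (assumed)
        'KB4012214', 'KB4012217',               # Server 2012 (assumed)
        'KB4012606', 'KB4013198', 'KB4013429'   # Windows 10 1507 / 1511 / 1607 (assumed)
    )
)

$report = [ordered]@{}

# 1. Is one of the MS17-010 packages recorded as installed?
$installed = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
$report.Ms17010Present = [bool]$installed
$report.Ms17010Kb      = ($installed | Select-Object -ExpandProperty HotFixID) -join ','

# Cumulative updates on Windows 10 supersede the standalone KB, so also record
# the SMB server driver version for manual comparison with the bulletin.
$srv = Get-Item "$env:SystemRoot\System32\drivers\srv.sys" -ErrorAction SilentlyContinue
$report.SrvSysVersion = if ($srv) { $srv.VersionInfo.ProductVersion } else { 'not found' }

# 2. Is the SMBv1 server still enabled? EternalBlue targets SMBv1, so turning
# it off closes that spreading path even on a host whose patch state is unclear.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
$report.Smb1ServerEnabled = if ($smb) { $smb.EnableSMB1Protocol } else { 'unknown (cmdlet unavailable)' }

[pscustomobject]$report | Format-List

if ($report.Smb1ServerEnabled -eq $true) {
    Write-Warning 'SMBv1 is enabled; disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force'
}
if (-not $report.Ms17010Present) {
    Write-Warning 'No MS17-010 package found via Get-HotFix; check Windows Update and the srv.sys version above.'
}
```

Run it from an elevated PowerShell prompt on the Windows side of the dual boot. A machine that shows no MS17-010 KB but a recent srv.sys version has most likely received the fix through a cumulative update; a machine that shows SMBv1 enabled should have it disabled regardless of patch state, since the older Get-HotFix records can be incomplete.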
How do you get the files back?
Right now there's not a lot suggesting compromised files will ever be accessible again. If you don't have a backup, you might have lost your stuff. It's good practice to always back up your important files.
Is there anything I can do if I am affected?
It appears that there is. This tweet by Hacker Fantastic explains what is actually happening during the encryption process and how you can throw a spanner in the works.
"If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine. pic.twitter.com/IqwzWdlrX6" — hackerfantastic.crypto (@hackerfantastic) June 27, 2017
You still can't use your PC but the data you have stored on it will apparently be OK.
That's a quick overview of where things stand right now, but it's an ever-changing situation. We'll do our best to keep on top of the latest details. And if you have anything helpful to share, be sure to leave it in the comments below.
— Hacker Fantastic (@hackerfantastic) June 27, 2017" So yes, what you said is kind of accurate, but the tweet in the "article" says otherwise for this specific ransomware. Booting into OSX after rebooting per above would work *in this case*. Beyond that, most of these ransomware things don't do the encryption correctly. Some encrypt all the files with the same keys. That makes it easy to decrypt, as you can compare a known file to its encrypted version and get the data. If it encrypted the entire partition, then you'd be SOL, but these ransomwares can't encrypt the entire partition or they wouldn't function.