Ransomware has existed for decades, but even global security experts were startled when the massive WannaCry cyberattack hit just a few months ago. There is no time to rest for security firms and organisations, though, as the Petya or GoldenEye ransomware (also referred to as NotPetya) is spreading like wildfire across continental Europe and beyond.
Eerily similar to how the WannaCry ransomware was designed to lock down computer systems and networks, Petya follows the same ransom-collection pattern. However, the ransomware has been dubbed “the worst worm ever seen” by top security experts because of its highly sophisticated structure. It emerged from Ukraine and Russia but has already spread across Denmark, Germany, France, the United Kingdom, and even the United States.
What is Petya / NotPetya?
First discovered back in 2016, Petya is a ransomware strain that was the foundation for WannaCry and for the current NotPetya ransomware running rampant across the globe. It was designed with the malicious intent of extorting money in exchange for returning users' access to the data stored on their PCs. The only way for an affected user to retrieve their data was to send a ransom to the hackers, but the first iteration was short-lived.
However, the current evolved strain of the original Petya virus is considered far more infectious than its predecessors, with all of the loopholes that experts previously used to track and take down the ransomware now closed. There are similarities between Petya, WannaCry, and NotPetya, as all three employ the EternalBlue exploit.
How does Petya spread across devices?
The EternalBlue exploit, developed by the NSA and leaked several months ago, is the heart and soul of the Petya ransomware. However, researchers have concluded that the latest strain of the Petya virus is far more complex and “skilfully made” than previous versions such as the Mischa, Petrwrap and GoldenEye ransomware.
While the WannaCry virus could be halted by patching the vulnerability EternalBlue exploits with Windows updates, Petya has a secondary method of infecting PCs. Petya takes hold of the host computer and its data by abusing two legitimate Windows administrative tools, PsExec and WMIC, and tries to spread across local networks without needing any external seeding.
Ukraine, being ground zero of the cyberattack, has been under substantial investigation, and experts suggest that the originally affected computers were running financial tracking software created by MEDoc. Since this particular piece of software is required on computers at all workplaces in Ukraine, reports from Kaspersky Lab point out that the virus could have spread as a fake MEDoc software update.
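Because the lateral movement described above rides on legitimate admin tools, a plain "PsExec or WMIC ran" alert drowns in noise; what distinguishes the worm is WMIC being pointed at another machine with `process call create`, PsExec launched with a `\\target` (and `-s` to run as SYSTEM), the PSEXESVC service appearing on the receiving host, and any command line that touches the `C:\Windows\perfc` payload path the article names. The following is an added example, not code from the article or from any vendor: a small triage script that applies those rules to a few constructed, Sysmon-style process-creation events (the hostnames, addresses and account names are made up, and the flattened `timestamp|host|parent_image|image|command_line` format is an assumption for illustration).

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample process-creation events (not real logs), flattened to
# "timestamp|host|parent_image|image|command_line".  Lines 1-3 mimic the
# WMIC/PsExec lateral movement the article describes; lines 4-5 are benign
# admin activity that a naive "wmic or psexec ran" rule would also flag.
SAMPLE_EVENTS = """\
2017-06-27T10:14:02|WS-0412|C:\\Windows\\System32\\svchost.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic /node:"10.0.2.17" /user:"CORP\\svc_backup" /password:"<redacted>" process call create "C:\\Windows\\System32\\rundll32.exe \\"C:\\Windows\\perfc.dat\\" #1 30"
2017-06-27T10:14:05|WS-0412|C:\\Windows\\System32\\rundll32.exe|C:\\Windows\\psexec.exe|psexec.exe \\\\10.0.2.18 -accepteula -s -d C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1 30
2017-06-27T10:14:06|WS-0418|C:\\Windows\\System32\\services.exe|C:\\Windows\\PSEXESVC.exe|C:\\Windows\\PSEXESVC.exe
2017-06-27T10:15:11|WS-0412|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\wbem\\WMIC.exe|wmic os get caption
2017-06-27T10:20:00|ADMIN-PC|C:\\Windows\\explorer.exe|C:\\Tools\\PsExec.exe|PsExec.exe \\\\SRV-FS01 cmd.exe /c hostname
"""


@dataclass
class Finding:
    host: str
    severity: str
    reason: str
    command_line: str


# Payload path named in the article; also matches perfc and perfc.dll.
PERFC_PATH = re.compile(r"\\Windows\\perfc", re.IGNORECASE)
# WMIC aimed at another machine and asked to start a process there.
WMIC_REMOTE_CREATE = re.compile(r"/node:.*process\s+call\s+create", re.IGNORECASE | re.DOTALL)
# PsExec given a \\target argument.
PSEXEC_TARGET = re.compile(r"\\\\[\w.\-]+")


def analyse_event(host: str, parent: str, image: str, cmd: str) -> Optional[Finding]:
    """Return a Finding for one process-creation event, or None if benign."""
    image_name = image.rsplit("\\", 1)[-1].lower()
    parent_name = parent.rsplit("\\", 1)[-1].lower()

    if PERFC_PATH.search(cmd):
        return Finding(host, "high", "command line references C:\\Windows\\perfc (NotPetya payload path)", cmd)
    if image_name == "wmic.exe" and WMIC_REMOTE_CREATE.search(cmd):
        return Finding(host, "high", "WMIC remote process creation (/node: ... process call create)", cmd)
    if image_name.startswith("psexec") and PSEXEC_TARGET.search(cmd):
        # -s runs the remote process as SYSTEM, which is what a worm wants.
        severity = "high" if "-s" in cmd.split() else "medium"
        return Finding(host, severity, "PsExec remote execution", cmd)
    if image_name == "psexesvc.exe" and parent_name == "services.exe":
        return Finding(host, "medium", "PSEXESVC started: this host was the target of a PsExec run", cmd)
    return None


def scan_events(text: str) -> List[Finding]:
    """Parse the flattened event lines and collect every suspicious one."""
    findings: List[Finding] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, host, parent, image, cmd = line.split("|", 4)
        finding = analyse_event(host, parent, image, cmd)
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_events(SAMPLE_EVENTS):
        print(f"[{f.severity:6}] {f.host}: {f.reason}")
```

Run against the constructed sample, the script flags the two payload launches on WS-0412 as high, the PSEXESVC start on WS-0418 as medium (the receiving side of a PsExec session, which is often the only trace left on the victim), and the admin's interactive PsExec to the file server as medium, while the local `wmic os get caption` produces nothing. In a real deployment the same rules would be fed from Sysmon event ID 1 or Windows Security event 4688, and the medium findings would be correlated against your change records before anyone is paged.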
How do I protect my PC against Petya?
Global antivirus and security firms have concluded that all of the major companies hit by the NotPetya ransomware were running out-of-date software on their computers. Microsoft released a significant security update back in March, which was targeted at the threat posed by the WannaCry ransomware.
Even if you have that particular update installed, experts suggest you install all of the latest security updates available anyway. Running a robust antivirus on your computer is never a bad idea; be careful about the software you download from the internet, and exercise caution when opening suspicious emails and attachments.
Since the current strain of the ransomware has multiple infection delivery mechanisms, merely installing the latest updates might not be enough. One useful suggestion for system administrators who want to stop the virus spreading within the network is to lock down Windows Management Instrumentation and to block C:\Windows\perfc.dat from running.
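The perfc.dat advice works because the worm checks whether a file of that name already exists in the Windows directory and stops if it does, so the widely circulated "vaccine" is simply to pre-create it as a read-only, zero-byte file. The script below is an added example, not code from the article or from any vendor; it writes the three names that circulated at the time (the article names perfc.dat; the extensionless perfc and perfc.dll are belt-and-braces additions), marks them read-only, and reports what changed so it can be pushed out by a management tool and logged. The `dry_run` helper exercises the same routine against a scratch directory so it can be tested without administrator rights or a Windows machine.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict

# The article names C:\Windows\perfc.dat.  "perfc" (no extension) and
# "perfc.dll" are belt-and-braces additions that circulated with the original
# vaccine advice; creating all three costs nothing.
VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")
WRITE_BITS = stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH


def _make_read_only(path: Path) -> None:
    # On Windows, clearing the write bits sets the read-only attribute;
    # on POSIX it removes user/group/other write permission.
    path.chmod(path.stat().st_mode & ~WRITE_BITS)


def vaccinate(windows_dir: str) -> Dict[str, str]:
    """Pre-create zero-byte, read-only vaccine files in windows_dir.

    Returns a name -> status map so the caller can log what changed.
    Needs administrator rights when windows_dir is the real C:\\Windows.
    """
    base = Path(windows_dir)
    results: Dict[str, str] = {}
    for name in VACCINE_NAMES:
        target = base / name
        if target.is_file():
            # A non-empty file of this name in the Windows directory is not a
            # vaccine; on an infected host it is the payload itself.
            results[name] = ("present and non-empty: investigate"
                             if target.stat().st_size else "already present")
        else:
            target.touch()
            results[name] = "created"
        _make_read_only(target)
    return results


def is_vaccinated(windows_dir: str) -> bool:
    """True when every vaccine file exists and has no write bits set."""
    base = Path(windows_dir)
    for name in VACCINE_NAMES:
        target = base / name
        if not target.is_file() or target.stat().st_mode & WRITE_BITS:
            return False
    return True


def dry_run() -> Dict[str, object]:
    """Exercise the routine against a scratch directory instead of C:\\Windows."""
    scratch = tempfile.mkdtemp(prefix="perfc-vaccine-")
    first = vaccinate(scratch)
    second = vaccinate(scratch)  # idempotent: nothing is recreated
    return {"first": first, "second": second, "protected": is_vaccinated(scratch)}


if __name__ == "__main__":
    if os.name == "nt":
        # Run from an elevated prompt; SystemRoot is normally C:\Windows.
        print(vaccinate(os.environ.get("SystemRoot", r"C:\Windows")))
    else:
        print(dry_run())
```

The check is only as good as the sample's own filename test: it protects against a variant that looks for exactly these names and does nothing against one that does not, so it complements rather than replaces installing the March update, disabling SMBv1 where it is not needed, and keeping domain-admin credentials off ordinary workstations, where the worm harvests them for its PsExec and WMIC hops.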
What to do if Petya infects my computer?
Just as every ransomware is designed to do, Petya or NotPetya aims to extort $300 from each infected user in the form of an anonymous Bitcoin payment. However, not everything is going the way the hackers behind Petya would want, as the email address that victims need to contact to receive decryption codes has been shut down.
While this is terrible news for those who are already affected, keep in mind that there was never any guarantee that the criminals behind the ransomware would hold up their end of the bargain in the first place. All the research points towards the fact that your encrypted files may never be accessible again, so if you aren't affected just yet, don't shy away from backing up all of your essential data.