The recently released and poorly constructed variant of the Petya ransomware, was not designed to make money… so it is not by definition, ransomware. Petya is a wiper. It was designed specifically to spread quickly across the globe and completely and permanently eviscerate any machine it infects. First deployed in Russia and specifically targeting the Ukraine via MeDOC, it has since spread globally. Brutal.
Recent reviews of this Petya variant have found that it is completely incapable of decrypting any of the files it encrypts.
- The Master Boot Record is overwritten and a new boot loader is deployed, preventing the Operating System from loading.
- The current variant then overwrites the first 25 sector blocks on the drive, but without saving them anywhere first. The Master File Table is encrypted.
- The encryption key generated on the screen is randomly generated and fake.
- Additionaly, the e-mail address given for ransom payment has been disabled.
That’s right, the new Petya ransomeware variant is a worst case scenario for those infected. Even if you could pay the ransom (you can’t), you wouldn’t get your files back. This has been independently confirmed by Kaspersky Labs and Matthieu Suiche with Comae Technologies.
THERE IS CURRENTLY NO WAY TO RECOVER YOUR FILES IF YOU HAVE BEEN INFECTED WITH THIS VARIANT OF PETYA / NOTPETYA / GOLDENEYE.
So, what can you do to protect yourself?
- Ensure that your OS is fully up to date. Microsoft released critical security bulletin MS17-010 back in March. It is critical that you update Windows as soon as possible.
- Ensure that you have an appropriate security solution in place. Kaspersky, Bitdefender Anti-Ransomware, Avast, Malwarebytes (Personal, Business or Enterprise) and Windows Defender Advanced Threat Protection all provide protection.
- You can further vaccinate your machine by following this post from BleepingComputer and creating a read-only perfc, perfc.dat and perfc.dll files in your C:\Windows directory.
- MAKE. REGULAR. BACKUPS. OF. YOUR. DATA. OFFSITE.
Stay up to date, stay frosty.