Petya Ransomware

Petya Ransomware Description

The Petya Ransomware is used to take over the victims' computers, encrypting their files and then demanding the payment of a ransom to restore the affected files. The Petya Ransomware is just one of countless ransomware attacks that have appeared in 2016 so far. There are diverse reasons for the rise in ransomware infections like the Petya Ransomware. Some of these include the release of TeslaCrypt 3.0, which fixed a bug that allowed malware researchers to create a decryption utility, and the rise of the RaaS (Ransomware as a Service) industry, which allows fraudsters to create and deliver ransomware threats easily. The Petya Ransomware presents a real threat to a computer user, making the encrypted files inaccessible until the victim pays the ransom. In the best of cases, the victims of the Petya Ransomware can restore their files from a backup after wiping the affected hard drive completely. Because of this, the best protection against the Petya Ransomware and similar threats is always to maintain reliable backups of all files.

How You Can Be Attacked by the Petya Ransomware and Similar Encryption Ransomware Trojans

It is not hard to predict how the Petya Ransomware attack works; most ransomware Trojans follow the same basic strategy (and in many cases share most of their code). The Petya Ransomware may be delivered using corrupted email messages containing embedded links or compromised email attachments. When computer users open these attached files, the Petya Ransomware runs in the background, scanning the victim's hard drive in search of any files whose extensions match a list of file extensions contained in its configuration files. By targeting only a specific set of file extensions, threats like the Petya Ransomware can encrypt the victim's files while still allowing the affected computer to keep functioning and display the Petya Ransomware's ransom note. The following are some examples of file formats that the Petya Ransomware and similar ransomware threats target (new file extensions may be added to this list in each new update):

.7z; .rar; .m4a; .wma; .avi; .wmv; .csv; .d3dbsp; .sc2save; .sie; .sum; .ibank; .t13; .t12; .qdf; .gdb; .tax; .pkpass; .bc6; .bc7; .bkp; .qic; .bkf; .sidn; .sidd; .mddata; .itl; .itdb; .icxs; .hvpl; .hplg; .hkdb; .mdbackup; .syncdb; .gho; .cas; .svg; .map; .wmo; .itm; .sb; .fos; .mcgame; .vdf; .ztmp; .sis; .sid; .ncf; .menu; .layout; .dmp; .blob; .esm; .001; .vtf; .dazip; .fpk; .mlx; .kf; .iwd; .vpk; .tor; .psk; .rim; .w3x; .fsh; .ntl; .arch00; .lvl; .snx; .cfr; .ff; .vpp_pc; .lrf; .m2; .mcmeta; .vfs0; .mpqge; .kdb; .db0; .DayZProfile; .rofl; .hkx; .bar; .upk; .das; .iwi; .litemod; .asset; .forge; .ltx; .bsa; .apk; .re4; .sav; .lbf; .slm; .bik; .epk; .rgss3a; .pak; .big; .unity3d; .wotreplay; .xxx; .desc; .py; .m3u; .flv; .js; .css; .rb; .png; .jpeg; .txt; .p7c; .p7b; .p12; .pfx; .pem; .crt; .cer; .der; .x3f; .srw; .pef; .ptx; .r3d; .rw2; .rwl; .raw; .raf; .orf; .nrw; .mrwref; .mef; .erf; .kdc; .dcr; .cr2; .crw; .bay; .sr2; .srf; .arw; .3fr; .dng; .jpeg; .jpg; .cdr; .indd; .ai; .eps; .pdf; .pdd; .psd; .dbfv; .mdf; .wb2; .rtf; .wpd; .dxg; .xf; .dwg; .pst; .accdb; .mdb; .pptm; .pptx; .ppt; .xlk; .xlsb; .xlsm; .xlsx; .xls; .wps; .docm; .docx; .doc; .odb; .odc; .odm; .odp; .ods; .odt.

The Petya Ransomware searches for the above files and then encrypts them using the AES encryption algorithm (in its ransom message, the Petya Ransomware claims to have used 'military grade' encryption to make it sound scarier). The Petya Ransomware delivers a variety of ransom notes in the form of dropped image, text and HTML files. The Petya Ransomware also displays pop-up messages, redirects the affected Web browser to a ransom note Web page, and changes the victim's Desktop image into the ransom note. The ransom note alerts the victims about the attack and instructs them to visit a certain Darknet website to carry out the payment through anonymous methods such as Bitcoin or PaySafeCard. PC security analysts advise computer users to avoid paying the Petya Ransomware's ransom, since this allows the people responsible for the Petya Ransomware to finance their illicit activities and continue producing these threats.
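The extension-driven scanning described above is also what makes this family detectable: a single process touching many files from the targeted-extension list within a few seconds is a pattern ordinary software rarely produces. The following is an added example (not code from the article or from the malware) that parses an extension list in the article's ".ext; .ext;" format and flags such write bursts in a constructed file-activity log; the log format, process names and thresholds are assumptions chosen for the example.

```python
import ntpath
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed subset of the article's targeted-extension list, in the same
# ".ext; .ext;" format (the article's full list is longer and parses the same way).
EXTENSION_LIST = ".7z; .rar; .docx; .xlsx; .pdf; .jpeg; .jpg; .png; .txt; .pst; .accdb; .psd; .dwg."

def parse_extensions(text):
    """Extract every '.ext' token from the article-style list as a lowercase set."""
    return {m.lower() for m in re.findall(r"\.\w+", text)}

TARGETED = parse_extensions(EXTENSION_LIST)

# Constructed file-activity log: "<ISO timestamp> <op> <pid> <process> <path>".
# pid 4242 writes five targeted files within three seconds (the mass-encryption
# pattern); the .tmp write and the two slow winword.exe saves are benign noise.
SAMPLE_LOG = """\
2016-03-25T10:00:01 WRITE 1200 winword.exe C:\\Users\\alice\\Documents\\notes.docx
2016-03-25T10:00:04 WRITE 4242 unknown.exe C:\\Users\\alice\\Documents\\budget.xlsx
2016-03-25T10:00:04 WRITE 4242 unknown.exe C:\\Users\\alice\\Pictures\\holiday.jpg
2016-03-25T10:00:05 WRITE 4242 unknown.exe C:\\Users\\alice\\Documents\\plan.dwg
2016-03-25T10:00:05 WRITE 4242 unknown.exe C:\\Users\\alice\\Desktop\\todo.txt
2016-03-25T10:00:06 WRITE 4242 unknown.exe C:\\Users\\alice\\Outlook\\mail.pst
2016-03-25T10:00:07 WRITE 4242 unknown.exe C:\\Windows\\Temp\\scratch.tmp
2016-03-25T10:03:30 WRITE 1200 winword.exe C:\\Users\\alice\\Documents\\notes.docx
"""

WINDOW = timedelta(seconds=30)   # sliding window per process (assumed tuning value)
THRESHOLD = 5                    # targeted-file writes inside the window that raise an alert

def detect_bursts(log, targeted=TARGETED, window=WINDOW, threshold=THRESHOLD):
    """Return one alert per process that writes >= threshold targeted files within the window.

    Only WRITE/RENAME operations on paths whose extension is in the targeted set count,
    so activity on other file types (e.g. .tmp) never contributes to a burst."""
    recent = defaultdict(deque)   # pid -> timestamps of recent targeted-file writes
    alerts = {}
    for line in log.splitlines():
        ts, op, pid, proc, path = line.split(maxsplit=4)
        if op not in ("WRITE", "RENAME") or ntpath.splitext(path)[1].lower() not in targeted:
            continue
        when = datetime.fromisoformat(ts)
        q = recent[pid]
        q.append(when)
        while when - q[0] > window:    # drop timestamps that fell out of the window
            q.popleft()
        if len(q) >= threshold and pid not in alerts:
            alerts[pid] = {"pid": pid, "process": proc, "count": len(q), "last": ts}
    return list(alerts.values())

if __name__ == "__main__":
    for alert in detect_bursts(SAMPLE_LOG):
        print("ALERT: burst of targeted-file writes", alert)
```

The same logic applies unchanged to a real EDR or Sysmon file-event feed once the line parser is swapped for that source's record format.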

Technical Information

File System Details

Petya Ransomware creates the following file(s):
No.  File name  Size (bytes)  MD5  Detection count
1 file.exe 230,912 af2379cc4d607a45ac44d62135fb7015 17
2 dirpetwrap.exe 362,360 71b6a493388e7d0b40c83ce903bc6b04 14
3 c:\users\user\desktop\0ab24839ec775809db2c997fb4adc2792b3312ad029488a9ff4b36ca90e21e23(1).exe 399,360 16a2fd266cbf9d88fb359c82e9ff5bb3 1
4 dirmyguy.exe 275,968 a1d5895f85751dfe67d19cccb51b051a 0
5 dirOrder-20062017.doc 6,215 415fe69bf32634ca98fa07633f4118e1 0
6 8baa0535ff2f2f3b0f2c0b45b537b4f8 68,096 8baa0535ff2f2f3b0f2c0b45b537b4f8 0
