The One of Largest Cyber Attack in Ukraine Ransomware Petya

The Ukrainian segment of the Internet has come under another attack: this time the ransomware encryptors Petya and Misha have begun encrypting the computers of large Ukrainian enterprises, including critical infrastructure facilities such as:

  • Kyivstargo;
  • Ukrenergo;

I think that in fact there are thousands of times more. As usual, they will keep quiet about it until the lights go out.

The spread of the virus has been so rapid that the State Fiscal Service has disconnected all of its communications with the Internet, and in some important government agencies only the closed government communication networks remain in operation.

According to our own information, the SBU and the Cyberpolice units have already been put on an emergency footing and are dealing with this problem. I do not rule out that some sites and services may be taken offline as a preventive measure against infection. The situation is developing dynamically and we will keep covering it.

Ransomware Petya

Not only large companies have been encrypted, but also ATMs together with entire bank branches, television companies and so on.

Now for the technical details:

  • The first versions of Petya were discovered much earlier; however, today a new version of Petya is rampant on the network.
  • So far it is known that the “new Petya” encrypts the MBR boot sector of the disk and replaces it with its own, which is a “novelty” in the world of ransomware.

  • Its companion Misha (the name comes from the Internet), which arrives later, encrypts all the files on the disk (not always, as is the case with Petya).
  • Petya and Misha are not new, but such a global spread has not happened before. Fairly well-protected companies have suffered too. Everything is encrypted, including the original boot sectors, and after turning the computer on all you can do is read the extortionist's text. The virus is spread using the latest, supposedly 0-day vulnerabilities.

On the Internet there have already been attempts to write decryptors, but they fit only the old versions of Petya.

Moreover, their effectiveness is not confirmed.

  • The problem is that for the Petya ransomware to rewrite the MBR sector, the computer has to be rebooted, which panicking users duly do; I would call it “panic-pushing the off button”.

Personal assumptions:

  • The virus was named “Petya” after the President of Ukraine, Petro Poroshenko, and the most massive surge of infection is observed precisely in Ukraine and precisely at large and important Ukrainian enterprises.
  • There are no decryptors yet; those posted on the Internet fit only the old versions.
  • The site of the Ministry of Internal Affairs of Ukraine has been taken offline. The security forces are going into emergency mode.
  • One of the largest supermarkets in Kharkov has also been hit by the encryptor; a photo of the queue at the cashier of the “ROST” supermarket caused by the encryptor (photos from social networks):
Ransomware affected a supermarket

List of sites and organizations hit by the cyber attack:

  • State structures: the Cabinet of Ministers of Ukraine, the Ministry of Internal Affairs, the Ministry of Culture, the Ministry of Finance, the National Council (and regional sites), Cyberpolice, KCSA, Lviv City Council, Ministry of Energy
  • National Bank
  • Banks: Oschadbank, Sberbank, TASKomertzbank, Ukrgasbank, Pivdenny, OTP Bank, Kredobank.
  • Transport: Borispol Airport, Kiev Metro, Ukrzaliznytsya
  • Media: Radio Era-FM, Football.ua, STB, Inter, First National, TV Channel 24, Radio Lux, Radio Maximum, CP in Ukraine, ATP Channel, Correspondent.net
  • Large companies: Novaya Pochta, Kyivenergo, Naftogaz of Ukraine, DTEK, Dniproenergo, Kievvodokanal, Novus, Epicenter, Arcelor Mittal, Ukrtelecom, Ukrposhta
  • Mobile operators: Lifecell, Kyivstar, Vodafone Ukraine
  • Medicine: “Farma”, clinic Boris, hospital Feofaniya, corporation Arterium
  • Petrol stations: Shell, WOG, Klo, TNK

To determine whether the file encryptor is present, finish all local tasks and check for the presence of the following file:

C:\Windows\perfc.dat

  • Depending on the version of Windows, install the patch from the Microsoft resource (note: this does not guarantee 100% security, because the virus has many infection vectors), namely:

– for Windows XP
– for Windows Vista 32 bit
– for Windows Vista 64 bit
– for Windows 7 32 bit
– for Windows 7 64 bit
– for Windows 8 32 bit
– for Windows 8 64 bit
– for Windows 10 32 bit
– for Windows 10 64 bit

  • It appears that the new Petya.A subspecies that attacked Ukraine today combines the vulnerabilities CVE-2017-0199 and MS17-010 (ETERNALBLUE, used in WannaCry and coming from the ShadowBrokers leak).
  • Specialists at Positive Technologies have found a local “kill switch” for Petya: to stop the encryptor, create the file C:\Windows\perfc (perfc is a file without an extension).
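As an added example (this is not code from the original post, nor from Positive Technologies), the following PowerShell script performs the two local actions described above: it checks for the C:\Windows\perfc.dat indicator and reports whether the file looks like a dropped payload or an empty placeholder, and it creates the read-only “perfc” kill-switch file. It assumes an elevated PowerShell session and that $env:SystemRoot resolves to C:\Windows; the function names, and the rule that an empty read-only file is treated as a placeholder rather than an infection, are this example's own assumptions.

```powershell
# Added example, not from the original post. Run in an elevated PowerShell
# session on the host being checked. Assumptions: the indicator and kill-switch
# paths are the ones the post names (C:\Windows\perfc.dat and C:\Windows\perfc),
# and $env:SystemRoot resolves to C:\Windows.

$IndicatorFile   = Join-Path $env:SystemRoot 'perfc.dat'   # file the post says marks an infected host
$KillSwitchNames = @('perfc', 'perfc.dat')                 # both names from the post; created empty and read-only

function Test-PetyaIndicator {
    # Reports whether the indicator file exists and whether it looks like the
    # dropped payload (non-empty) or an empty read-only kill-switch placeholder
    # (placeholder rule is this example's assumption, not from the post).
    param([string]$Path = $IndicatorFile)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [PSCustomObject]@{ Path = $Path; Present = $false; Verdict = 'not-found' }
    }
    $item = Get-Item -LiteralPath $Path -Force
    # The post notes that the reboot is what lets Petya rewrite the MBR, so a
    # suspect host should be isolated and left running, not restarted.
    $verdict = 'possible-infection (isolate the host and do NOT reboot)'
    if ($item.Length -eq 0 -and $item.IsReadOnly) { $verdict = 'kill-switch-placeholder' }
    [PSCustomObject]@{
        Path      = $Path
        Present   = $true
        Length    = $item.Length
        ReadOnly  = $item.IsReadOnly
        LastWrite = $item.LastWriteTime
        Verdict   = $verdict
    }
}

function Set-PetyaKillSwitch {
    # Creates the empty, read-only files the post describes as a local kill switch.
    # A file is created only when nothing is there yet, so a genuinely dropped
    # perfc.dat is never overwritten (it is evidence for the incident response).
    param([string]$Directory = $env:SystemRoot, [string[]]$Names = $KillSwitchNames)

    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        if (Test-Path -LiteralPath $path) {
            Write-Warning "$path already exists; leaving it untouched"
            continue
        }
        New-Item -ItemType File -Path $path | Out-Null
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        Write-Output "created read-only kill-switch file $path"
    }
}

# Usage: triage first, then set the kill switch only if nothing suspicious was found.
$result = Test-PetyaIndicator
$result | Format-List
if ($result.Verdict -notlike 'possible-infection*') { Set-PetyaKillSwitch }
```

The kill switch only stops the variant that checks for that file name; the Microsoft patches listed above are still required, since the post itself notes that the virus has several infection vectors. A host on which a non-empty perfc.dat is found should be disconnected from the network and left powered on, because the post explains that the reboot is what triggers the MBR-rewriting stage.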