Who was hit by the Petya.A ransomware virus and how to protect against it

More than 80 companies from Russia and Ukraine were attacked.

Disabled computer in the Cabinet of Ministers of Ukraine. 
Photo by Deputy Prime Minister Pavel Rozenko

On June 27, the networks of many Russian and Ukrainian companies were struck by an encrypting ransomware virus similar to Petya.A. The program completely blocked information on computers and demanded a ransom in bitcoins equivalent to $300 (about 17,700 rubles at the current exchange rate).

The websites of many departments, enterprises and divisions were unavailable. According to cybersecurity experts, at least 80 companies were affected.

Updated (18:47): Companies around the world, including in Spain, France and Denmark, reported being attacked by Petya.A.


The virus attacked Kiev's Boryspil airport, whose management warned of possible flight delays. Updated (June 28, 9:40): Kharkiv International Airport temporarily switched to manual registration.

The ransomware reached the Kiev subway, where it infected the ticket top-up terminals. Payment by bank card is temporarily suspended.

The computer networks of the Government of Ukraine were attacked. The ransomware virus spread to the Cabinet of Ministers. The government site was unavailable.

Energy companies also encountered the ransomware virus: attacks were reported on Kyivenergo, Zaporozhieoblenergo, Dneproenergo, and Dnipro Electric Power System. The power system operator “Ukrenergo” said that the power system was operating normally and that the virus posed no real threat to production.

The virus affected the National Bank of Ukraine, which warned customers about difficulties with the service and banking operations. It also spread to some Ukrainian banks, including Oschadbank, Privatbank, Pivdenny Bank, Tascombank and Ukrgasbank. Prominvestbank (a Ukrainian subsidiary of VEB) said that there was no damage to the systems, and the employees “had time to turn off all computers from the network.”

The ransomware got onto computers in the offices of Ukrainian mobile operators Kyivstar, lifecell and Ukrtelecom.

The media reported that the attack on the Chernobyl nuclear power plant led to the shutdown of the site. Later this information was confirmed by the Exclusion Zone Management Agency. All computers were temporarily shut off, and the monitoring system was switched to manual mode. No excess of background radiation was reported.


“Rosneft” was one of the first to announce a “powerful hacker attack” on its servers. The company avoided serious consequences by switching to a backup management system. Rosneft denied reports of failures in the extraction and preparation of oil, and at the same time suspected that those who spread the rumors were involved in the cyber attack.

According to media reports, Bashneft was attacked, including the management and the structure responsible for oil production. All of the company's computers “rebooted all at once,” downloaded uninstalled software and displayed the virus splash screen.

The Central Bank of Russia identified isolated cases of the virus infecting the information infrastructure of Russian credit organizations. The Central Bank stated that “the operation of banking systems and the provision of services to customers” were not disrupted. At the same time, the attack struck Home Credit Bank. All branches of the credit institution suspended their work and began a security check.

The ransomware also infected the information system of the metallurgical and mining company Evraz, which is co-owned by Roman Abramovich. The company noted that there was no security threat and that work had not stopped.

Cybersecurity experts from Group-IB reported that the virus had affected Mars. The company explained that “difficulties with IT-systems” arose only in the Royal Canin pet food brand.

Among the victims of the virus, according to Group-IB, were Nivea, TESA and the maker of Alpen Gold chocolate, Mondelez International. “New Mail” was also attacked, as were divisions of the logistics company Damco in Russia and Europe.

The attack did not affect the work of the Kremlin systems or the presidential administration of Russia.

How to protect the network from the virus

To stop the spread of the virus, it is necessary to close TCP ports 1024-1035, 135 and 445, explained Valery Baulin, the head of the forensics laboratory of Group-IB. Detailed instructions on how to do this are available on specialized sites.

Updated (18:50): Kaspersky Lab said that its users need to make sure that protection is turned on and that they are using current virus databases.

They also need to make sure that the product is connected to the KSN cloud system and that System Watcher is activated. As an additional measure, the AppLocker feature can be used to prevent the execution of a file called perfc.dat, and to block the launch of the PsExec utility from the Sysinternals package.

Kaspersky Lab’s software products detect this malware as UDS:DangerousObject.Multi.Generic.
Vyacheslav Zakorzhevsky, Head of Kaspersky Lab’s antivirus research department

Updated (June 28, 9:40): Antivirus software maker Symantec issued recommendations on how to deal with the ransomware. Users were advised to simulate an infection of the computer.

The virus searches for a file at C:\Windows\perfc. To simulate an infection, create a file named perfc, for example in Notepad, and place it in that folder on this disk.

The file must have no extension. If the file is present, the virus will not infect the computer.
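The port blocking and the perfc marker file described above can be applied together on a Windows host. The following PowerShell is an added example, not code from the article, Group-IB or Symantec; the rule name is a hypothetical choice, and marking the file read-only is an extra precaution the article does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example. Ports and file path are the ones named in the article;
# the rule name is a hypothetical label chosen for this sketch.
$ports    = @('135', '445', '1024-1035')   # TCP ports to close
$ruleName = 'Block-PetyaA-Inbound-TCP'      # hypothetical display name
$marker   = Join-Path $env:windir 'perfc'   # C:\Windows\perfc, no extension

# 1. Inbound block rule, created only once so the script can be re-run.
#    Blocking 135 and 445 also stops legitimate RPC and SMB file sharing
#    to this host, so apply it only where those services are not needed.
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound `
        -Protocol TCP -LocalPort $ports -Action Block -Profile Any | Out-Null
}

# 2. Marker file. It must be a plain file named exactly "perfc".
if (Test-Path -LiteralPath $marker -PathType Container) {
    throw "$marker exists as a directory; the marker must be a file."
}
if (-not (Test-Path -LiteralPath $marker -PathType Leaf)) {
    New-Item -ItemType File -Path $marker | Out-Null
}
# Assumption beyond the article: read-only guards against accidental edits.
Set-ItemProperty -LiteralPath $marker -Name IsReadOnly -Value $true

# 3. Report what is actually in place, for the change record.
$rule   = Get-NetFirewallRule -DisplayName $ruleName
$filter = $rule | Get-NetFirewallPortFilter
[pscustomobject]@{
    RuleEnabled  = $rule.Enabled
    RuleAction   = $rule.Action
    BlockedPorts = $filter.LocalPort -join ','
    MarkerExists = Test-Path -LiteralPath $marker -PathType Leaf
    MarkerName   = (Get-Item -LiteralPath $marker).Name
}
```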

Group-IB said that the Petya.A attack is not related to the ransomware virus WannaCry, which hit computers all over the world in May 2017. According to the experts, the encryptor was recently used by the Cobalt group, which wanted to hide the traces of a targeted attack on financial institutions.

The new version of Petya from June 18 of this year has a fake Microsoft digital signature, said Costin Raiu, the head of the international research unit of Kaspersky Lab. According to him, the virus began to spread around the world.

InfoWatch CEO Natalya Kasperskaya confirmed that Petya.A was discovered a year ago (more precisely, in April 2016). The first version, according to her, was powerless unless it was given administrative rights.

Therefore, it teamed up with another extortionist virus, Misha, which had administrative rights. It was an improved version, a backup encryptor.
Natalya Kasperskaya, general director of GK InfoWatch

Kaspersky Lab reported that it had begun an investigation. So far it is known that the ransomware virus does not belong to previously known families of malicious software, and is therefore a new modification. The company confirmed that most infections occurred in Russia and Ukraine. At the same time, reports emerged of the virus appearing in other countries.

Despite the lack of a direct connection between Petya.A and WannaCry, it seems that it also infects computers through phishing emails and malicious email attachments. WannaCry exploited a vulnerability that could be protected against simply by updating the system and installing the patch.
