Photo via CSO Online.
Petya and NotPetya are two related pieces of malware that affected thousands of computers worldwide in 2016 and 2017. Both Petya and NotPetya aim to encrypt the hard drive of infected computers, and there are enough common features between the two that NotPetya was originally seen as just a variation on a theme. But NotPetya has many more potential tools to help it spread and infect computers, and while Petya is a standard piece of ransomware that aims to make few quick Bitcoin from victims, NotPetya is widely viewed as a state-sponsored Russian cyberattack masquerading as ransomware.
What is Petya?
Petya is ransomware — a form of malware that infects a target computer, encrypts some of the data on it, and gives the victim a message explaining how they can pay in Bitcoin to get the keys to get their data back. The name derives from a satellite that was part of the sinister plot in the 1995 James Bond film GoldenEye; a Twitter account suspected of belonging to the malware's author used a picture of actor Alan Cumming, who played the villain, as its avatar.
The initial version of the Petya malware, which began to spread in March of 2016, arrives on the victim's computer attached to an email purporting to be a job applicant's resume. It's a package with two files: an image of young man (supposedly of the job applicant, but actually a stock image) and an executable file, often with "PDF" somewhere in the file name. The plan is to get you to click on that file, and to subsequently agree to the Windows User Access Control warning that tells you that the executable is going to make changes to your computer. (Petya only affects Windows computers.)
How Petya works
If you make the extremely bad decision to agree to this request, Petya will reboot your computer. You'll see what looks like the standard Windows CHKDSK screen you expect to see after a system crash. In fact, the malware is already working behind the scenes to make your files unreachable. What earned Petya the description "the next step in ransomware evolution" despite its initially unimpressive infection rate is the way it encrypts your files. Rather than searching out specific files and encrypting them, like most ransomware does, it installs its own boot loader, overwriting the affected system's master boot record, then encrypts the master file table, which is the part of the filesystem that serves as sort of a roadmap for the hard drive. In essence, your files are still there and still unencrypted, but the computer can't access the part of the filesystem that tells it where they are, so they might as well be lost. At this point, the ransomware demands a Bitcoin payment in order to decrypt the hard drive.
Sign up for Computerworld eNewsletters.