Tajikistan’s Interior Ministry warns citizens of Tajikistan of Petya virus that began spreading though European computers on June 27 informing that they could unlock their machines by paying a $300 ransom.
Petya is a family of encrypting ransomware that was first discovered in 2016. The malware targets Microsoft Windows-based systems, infecting the master boot record to execute a payload that encrypts the NTFS (New Technology File System) file table, demanding a payment in Bitcoin in order to regain access to the system.
Variants of Petya were first seen in March 2016, which propagated via infected e-mail attachments. In June 2017, a new variant of Petya was used for a global cyberattack, primarily targeting Ukraine.
On June 27, 2017, a major global cyberattack began (Ukrainian companies were among the first to state they were being attacked), utilizing a new variant of Petya. On the same day, Kaspersky Lab reported infections in France, Germany, Italy, Poland, United Kingdom, and the United States, but that the majority of infections targeted Russia and Ukraine, where more than 80 companies initially were attacked, including the National Bank of Ukraine. ESET (an IT security company that offers anti-virus and firewall products) estimated on June 28, 2017 that 80% of all infections were in Ukraine, with Germany second hardest hit with about 9%. The same day Press Secretary for Russian President Vladimir Putin, Dmitry Peskov, stated that the malware attack had caused no serious damage in Russia.
Meanwhile, Matt Suiche, founder of the cybersecurity firm Comae, wrote in a blog post on June 28 that after analyzing the virus, known as Petya, his team determined that it was a “wiper,” not ransomware. “We can see the current version of Petya clearly got rewritten to be a wiper and not an actual ransomware,” Suiche writes.
The virus going around is a modified take on an earlier version of the Petya virus that was true ransomware. But Comae reportedly saw that code had been specifically modified to change it from a virus that encrypts a disk and demands a ransom into a virus that simply destroys the disk.
