Petya Ransomware Update: Cyberattack Spreads to 12,000 Machines In 65 Countries

Petya ransomware began spreading to computer systems across the globe Tuesday in a widespread cyberattack that has infected at least 12,500 machines and has been identified in 65 countries, Microsoft reported.

While the original attack appeared to target Ukraine where more than 12,500 encounters of the malicious software were recorded, the ransomware quickly spread to computer networks in Belgium, Brazil, Britain, Germany, Russia and the United States, among others.

Read: What Is Petya? Ransomware Attack Hits Computer Systems Across The Globe

The attack has been labeled as Petya because it was originally believed the ransomware being spread was a variant of the malware first discovered in 2016. However, some security experts have started referring to the attack as NotPetya to reflect that, while apparently inspired by the Petya malware, this attack used an entirely new type of ransomware.

While there has been no attribution as to who originated the attack, security researchers have pinpointed what they believe to be the first target of Petya: M.E.Doc, a Ukrainian company that develops tax accounting software.

The initial attack hit the software supply chain of the tax software MEDoc, which then spread through a system updater process that carried malicious code to thousands of machines. Given the initial target, it’s unsurprising machines in Ukraine took the brunt of the attack.

Petya also has proved to be a rather destructive attack. While the ransomware encrypts a user’s files and demands a $300 fee before the victim can regain access, it has been reported the ransomware doesn’t actually restore access to the computer. Instead, it simply pockets the cash. Thus far, at least 45 people have paid the ransom, netting the attackers about $11,000.

Read: How To Protect Yourself Against Petya Ransomware

Given the attack has yielded relatively few payments compared to the number of infections, some have speculated Petya is not a financially motivated attack despite the ransom request. “It’s ransomware in name, but it’s disruptive in nature,” Raj Samani, the chief scientist at cybersecurity firm McAfee, told International Business Times.

Similar to the WannaCry ransomware attack that hit hundreds of thousands of machines in more than 150 countries last month, Petya makes use of EternalBlue, a Windows-based exploit first discovered by the U.S. National Security Agency, to spread.

While Microsoft patched the initial security vulnerability after it was reported to the company in March and issued an emergency fix for outdated operating systems when WannaCry began spreading, it is believed the computer systems infected by Petya still were not equipped with the security update that would have patched that hole.

Data provided to IBT by cybersecurity firm Avast shows there are at least 38 million PCs worldwide that have not yet patched their systems with the security update that would prevent infection from attacks like WannaCry and Petya. That figure comes from the company’s Wi-Fi Inspector service, and the number of computers that are at risk is likely higher — potentially significantly so.

Unlike WannaCry, no universal killswitch has been discovered for Petya that would stop its spread. However, there is a measure individual users can take to stop the spread of the malware on their machine.

Cybereason security researcher Amit Serper discovered Petya looks for a specific local file on an infected machine and will not encrypt a system if that file is found. That file is C:Windowsperfc.

The file can be created by users by enabling Windows extensions, creating a Notepad file named perfc, marking it a read-only file by opening the Properties menu on the file and moving the file to the Windows folder.