Petya Ransomware Attack

A malicious software worm known as “Petya” is the second major ransomware attack in the last two months.

The Petya ransomware attack hit the headlines on June 27th 2017, quickly affecting as many as 65 countries in the US and Europe. Britain, Ukraine, the USA, Spain, France and Germany are among those affected.

What is it?

The Petya ransomware attack is a malicious computer virus. The software is a form of encrypting ransomware that locks an affected device’s hard drive rendering files and data inaccessible. Petya is a variant of the WannaCry virus that affected the NHS last month.

The Petya ransomware attack shows up as a warning message prompting victims to pay $300 in Bitcoin to unlock their files. The ransom may double if not paid within 24 hours.

Where it Came From

MEDoc, a tax and accounting software package, was the intial source of insertion into corporate networks. Petya quickly spreads through the affected network using a variety of methods.

Once inside, Petya builds a list of IP addresses to spread to by collating network information. This information can include DHCP servers, DHCP server ports, open network connections, Active Directory resources and Remote Desktop Terminal services computers.

The ransomware primarily spreads through network shares and variations of “EternalBlue” and “EternalRomance” vulnerabilities. More information can be found here.

Countries Affected

Sources claim that no less than 65 countries were affected. Ukraine has been hit the worst. The latest list of countries affected are:

  • UK
  • Ukraine
  • Russia
  • France
  • Spain
  • Denmark
  • Germany
  • Poland
  • Belarus
  • Lithuania
  • Norway
  • Netherlands
  • Holland
  • Romania
  • India
  • China
  • South Korea
  • US
  • Brazil
  • Chile
  • Argentina
  • Turkey
  • Israel
  • Australia
  • New Zealand

Notable victims include the worlds largest advertising company WPP (Britian), Danish shipping firm A.P. Moller-Maersk, Russian oil firm Rosneft, pharmaceutical firm Merck & Co., Deutsche Post, and multiple banks and companies in Ukraine. The radiation monitoring systems at Chernobyl were even taken offline by the attack, prompting workers to monitor radiation manually.

What it Looks Like

Petya displays itself a warning message stating that files are no longer accessible because they have been encrypted. The message will prompt you to pay $300 in Bitcoin to an alphanumerical address. A guarantee is given that recovery of files will be completed once payment is sent. See an example.

Should I Pay?

At this stage we advise you never pay the ransom. The address associated with the payment destination has allegedly been shut down, meaning there are no guarantees the attack will stop or your data will be returned.

Restore your files from a backup if you have one and roll your system back to a previous state if possible. If you require assistance, contact our help desk to discuss potential next steps with a security advisor.

How Serious is it?

If the Petya ransomware attack hits your network, your anti-virus product should block the worm from installing. The key to preventing attacks is not clicking on any suspicious links, attachments or downloads you weren’t expecting.

If a device is infected, there is a possibility your data can be recovered. However at this stage there are no guarantees. Your ability to recover will depend on the scale of the infection and the speed at which it is detected.

The Petya ransomware attack has hit less victims than the WannaCry attack when 300,000 computers were affected. As of the 29th June 2017, around 16,500 victims have reportedly been affected by Petya.


In all cases we highly recommend you seek professional assistance. Our clients are advised to please contact us immediately if you suspect you are under attack.

Steps to Take

As with any security threat vigilance and prevention is key. If you suspect you have been affected by Petya we recommend you immediately disconnect your device from your network and seek professional assistance.

Be extremely vigilant of any email links, attachments, downloads or shared files. If you receive an unexpected attachment from an address you can’t verify, check it’s legitimacy with the sender.

Install an antivirus product if you don’t have one and run scans regularly. It’s best to use a product from a reputable provider and we recommend using a paid version.

We recommend investing in a filtering solution such as OpenDNS. OpenDNS incorporates global threat intelligence and filters all incoming and outgoing traffic. For more information please contact us to speak to an information security advisor.

If your software is not up to date, we highly recommend you install the latest versions. This includes any Microsoft, Mac and antivirus updates. Ransomware can exploit security vulnerabilities so staying up to date is key.

Carry out a thorough backup if you don’t have a recent one. If you are affected you can easily restore your files and data. If you have never backed up your files it is recommend you make this a priority.

Enable a pop up blocker to prevent unwanted downloads from the Internet. Be extremely vigilant when downloading from the Internet. Remain cautious with all websites you visit.

We would like to reassure our clients we are doing everything we can to keep you secure. If you require further information, please contact your account manager directly.