View All R&D Articles

Petya Ransomware Infection And Decryption Services

June 27, 2017

A Petya ransomware variant has swept through Europe in a fashion reminiscent of the WannaCry attacks of May 12, 2017. Like WannaCry, the Petya variant spreads using Eternal Blue and has affected the following businesses and organizations:

  • Utility companies, banks, airports and supermarkets in Ukraine
  • Logistics company Maersk in the Netherlands
  • Food conglomerate Mondelez in Spain
  • Marketing firm WPP in the U.K.
  • Pharmaceutical giant Merck in the U.S.

Tweets from around the world showed locked screens on ATMs, supermarket registers, and office computers with the same ransom note demanding $300 in Bitcoin.

If a Petya ransomware variant has infected your computer, turn it off, disconnect any media from it, and call at 1-800-237-4200. Our security experts will assess your situation and begin planning how to recover your files.

What is Petya Ransomware (And How Does It Work)?

Experts first detected Petya ransomware in 2016. The malware differed from other types of ransomware in that it overwrote and encrypted a computer’s Master Boot Record preventing it from booting.

The recent attacks, which started on June 27, 2017, appear to be from a variant of Petya (which some experts are calling NotPetya). This new strain of ransomware is far more dangerous because it spreads laterally through networks using the Eternal Blue exploit.

To protect yourself from this Petya variant, experts recommend using this security update from Microsoft, blocking inbound connections on TCP Port 445, and regularly maintaining back-ups of important files.

Notable Features of Petya Ransomware Include:

  • Ransom note demands $300 bitcoin payment.
  • Email provider has shut down developer’s account making it impossible to notify attackers of paid ransom.
  • Victims include major companies and organizations in Ukraine, Russia, Netherlands, U.K., France, and United States.
  • Variant uses NSA’s Eternal Blue exploit to spread laterally through networks.

The Petya variant targets the following file extensions:

.3ds, .7z., accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .c, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar .vbox, .vbs, .vcb, .vdi, .vfd, .vmc, .vmdk, .vmsd, .vmx, .vsdx, .vsv, .work, .xls, .xlsx, .xvd, .zip

The above is not necessarily a comprehensive list but contains the known targeted extensions. In addition to encrypting the above files, Petya encrypts the Master File Tree and overwrites the Master Boot Record preventing computers from booting up altogether.

How Does Petya Ransomware Infect My System?

Researchers still have not pinpointed the initial vector of infection. One theory holds that an Office document attached to a spam email began the infection. Once the ransomware infects one computer on a network, the infection can spread laterally to out-of-date Windows machines.

Can I Disable or Remove Petya Ransomware Encryption?

There is no known decrypter for Petya ransomware or its variants. To make matters worse for victims, the email address of the attackers has been shut down. German email provider Posteo followed protocol and made the attacker’s account completely inaccessible once they learned of the incident.

With no working email address, there is no way to let the attackers know that a victim has paid the ransom. That leaves victims with no choice but to try to recover their files through other means. can assist you in locating back-up copies or in restoring partially encrypted files.

Contacting ransomware recovery experts as soon as possible gives victims the best chance at restoring their encrypted files. The specialists at have experience at removing malware and recovering seemingly lost documents. Call 1-800-237-4200 to start the process of restoring your files.