Petya-Based Ransomware – What you need to Know

Avast Software

Petya-based ransomware using EternalBlue to infect computers around the world


Petya-based ransomware is spreading and infecting computers around the world.

Further to reports of a massive cyber attack hitting a number of companies in Ukraine, including banks, energy companies and transport services as well as the government. Avast believes this is another example of the Petya-based ransomware, which was first identified in 2016. A few months ago, Petya ransomware was spotted patched and bundled as a different malware strain called PetrWrap. The attack appears to be spreading with incidents being reported in Russia, India, France, Spain and also the Netherlands. Malware writers behind the attack, are demanding a $300 ransom to be paid in the Bitcoin cryptocurrency.

Screen Shot 2017-06-27 at 9.47.04 AM-1.jpg

This modification of Petya seems to be spreading using the EternalBlue vulnerability, which was the same vulnerability used to spread WannaCry. We have seen over 12,000 malware attempts today exploiting the EternalBlue vulnerability, which is detected and blocked by Avast. Data from Avast’s Wi-Fi Inspector, which scans networks and can detect if an Avast PC or another PC connected to the same network is running with the EternalBlue vulnerability, shows that 38 million PCs that were scanned last week have not patched their systems and are thus vulnerable. The actual number of vulnerable PCs is probably much higher. The top 4 targeted operating systems, according to our data, are (in order): Windows 7 (78%), Windows XP (14%), Windows 10 (6%) and Windows 8.1 (2%).


While we don’t know who is behind this specific cyber attack, we know that one of the perfidious characteristics of Petya ransomware is that its creators offer it on the darknet with an affiliate model. This provides its distributors a share of up to 85% of the paid ransom, with 15% retained by the malware authors. The authors also provide the entire infrastructure, C&C servers, and the money transfer method. This type of model is called “ransomware-as-a-service” (RaaS), which allows malware authors to win over non-tech savvy customers to distribute their ransomware.

Avast Protection

Customers using the latest versions of Avast, are protected against the Petya-based ransomware.  If your PC is infected with Petya, our antivirus will detect it, quarantine it and destroy it. If it detects Petya is trying to enter your computer, it will block it from getting in. We will provide regular updates to protect against possible future variants. If you are concerned, please ensure your antivirus software is up-to-date. Finally, we strongly recommend that all Windows users, update their systems with any available patches as soon as possible. 

Author: Jakub Křoustek, 27 June 2017

Posted in Uncategorised.