On June 27, a large-scale virus attack was committed (the virus-encryptor PETYA.A)


12.04.2025 09:07:50

On June 27, a large-scale virus attack was committed (the virus-encryptor PETYA.A). Telecommunications companies and public authorities in several countries were attacked. The attack began in Ukraine, which suffered the most. The top ten affected countries included: Italy, Israel, Serbia, Hungary, Romania, Poland, Argentina, the Czech Republic and Germany. In Ukraine, government computers, banking systems, and the Chernobyl nuclear power plant were attacked.

The virus locks computers and demands 300 dollars in bitcoins. The virus spreads by itself, like WannaCry.

The initial infection occurs through phishing messages (files Petya.apx, myguy.exe, myguy.xls, Order-[any date].doc) or through an update of the accounting program M.E.Doc. The virus then spreads through the local network via DoublePulsar and EternalBlue, similar to the methods used by WannaCry.

 

Recommendations for preventing this incident.

 

KZ-CERT recommends closing TCP ports 1024-1035, 135 and 445 to prevent the spread of the virus, and disabling the SMB1 protocol. If an infection is detected, do not turn off the computer; instead, put the device into hibernation mode and disconnect it from the Internet. In addition, it is necessary to prohibit:

 

1) HTTP access to servers:

    french-cooking.com:80

    84.200.16.242:80

    111.90.139.247:80

    COFFEINOFFICE.XYZ:80

 

2) Mail attachments and downloads of files with the names:

    Петя.apx;

    myguy.exe;

    myguy.xls;

    Order-[any date].doc.

 

To identify the file encryptor, end all local tasks and check for the presence of the following file:

C:\Windows\perfc.dat

 

Depending on the version of the Windows operating system, install the patch (https://technet.microsoft.com/en-us/library/security/ms17-010.aspx) from the Microsoft website (note that this does not guarantee 100% security, since the virus has many vectors of infection):

 

— For Windows XP (http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-rus_84397f9eeea668b975c0c2cf9aaf0e2312f50077.exe)

 

— For Windows Vista 32 bit (http://download.windowsupdate.com/d/csa/csa/secu/2017/02/windowsxp-kb4012598-x86-custom-rus_84397f9eeea668b975c0c2cf9aaf0e2312f50077.exe)

 

— For Windows Vista 64 bit (http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x86_13e9b3d77ba5599764c296075a796c16a85c745c.msu)

 

— For Windows 7 32 bit (http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.0-kb4012598-x64_6a186ba2b2b98b2144b50f88baf33a5fa53b5d76.msu)

 

— For Windows 7 64 bit (http://download.windowsupdate.com/d/msdownload/update/software/secu/2017/02/windows6.1-kb4012212-x86_6bb04d3971bb58ae4bac44219e7169812914df3f.msu)

 

— For Windows 8 32 bit  (http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/windows8-rt-kb4012598-x86_a0f1c953a24dd042acc540c59b339f55fb18f594.msu)

 

— For Windows 8 64 bit (http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/05/%20Windows8-rt-kb4012598-x64_f05841d2e94197c2dca4457f1b895e8f632b7f8e.msu)

 

— For Windows 10 32 bit (http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x86_8c19e23de2ff92919d3fac069619e4a8e8d3492e.msu)

 

— For Windows 10 64 bit (http://download.windowsupdate.com/c/msdownload/update/software/secu/2017/03/windows10.0-kb4012606-x64_e805b81ee08c3bb0a8ab2c5ce6be5b35127f8773.msu)

 

Positive Technologies specialists have found a local "kill switch" for Petya: the encryptor can be stopped by creating the file "C:\Windows\perfc" (perfc is a file without an extension). If you see the computer restart and a "disk check" process begin, shut down the computer immediately; the files will remain unencrypted. Booting from a LiveCD or a USB drive will give access to the files.
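The host-side checks from the recommendations above, gathered into one script. This is an added example, not KZ-CERT's own code. It assumes an elevated PowerShell session on Windows 8 / Server 2012 or later (where the SMB and firewall cmdlets exist), reads "closing" the ports as an inbound block rule, and uses a hypothetical rule name and `-Apply` switch.

```powershell
# Added example (not KZ-CERT's code). Run from an elevated PowerShell prompt.
# Audit-only by default; pass -Apply to make changes.
param([switch]$Apply)

$winDir = $env:SystemRoot

# 1. Indicator check: the advisory names C:\Windows\perfc.dat as the sign of the encryptor.
$indicator = Join-Path $winDir 'perfc.dat'
if (Test-Path -LiteralPath $indicator) {
    Write-Warning "$indicator is present: treat this host as infected (hibernate and disconnect it)."
} else {
    Write-Output "$indicator not found."
}

# 2. Local "kill switch": a file named perfc, without extension, in the Windows directory.
$killSwitch = Join-Path $winDir 'perfc'
if (Test-Path -LiteralPath $killSwitch) {
    Write-Output "$killSwitch already exists."
} elseif ($Apply) {
    New-Item -Path $killSwitch -ItemType File | Out-Null
    Write-Output "Created $killSwitch."
} else {
    Write-Output "$killSwitch is missing (rerun with -Apply to create it)."
}

# 3. SMB1 server protocol state.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
Write-Output "SMB1 server protocol enabled: $smb1"
if ($smb1 -and $Apply) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}

# 4. MS17-010 updates named in the advisory's download links.
#    A miss is not proof of exposure: later cumulative updates supersede these KBs.
$kbs = 'KB4012598', 'KB4012212', 'KB4012606'
$found = Get-HotFix | Where-Object { $kbs -contains $_.HotFixID }
if ($found) { Write-Output "Installed: $($found.HotFixID -join ', ')" }
else { Write-Output "None of $($kbs -join ', ') listed by Get-HotFix." }

# 5. Close the TCP ports from the advisory (assumption: implemented as an inbound block rule).
#    Blocking 445 stops this host from serving file shares.
if ($Apply) {
    New-NetFirewallRule -DisplayName 'Block Petya spread ports (example)' `
        -Direction Inbound -Protocol TCP -LocalPort '135', '445', '1024-1035' `
        -Action Block | Out-Null
}
```

Run it without arguments first to see the state of the host, then with `-Apply` on machines that do not need to serve SMB shares.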

KZ-CERT free hotline: 1400

 

 

 

Press service of the MOAP RK (Ministry of Defense and Aerospace Industry of the Republic of Kazakhstan)

Source : https://www.gov.kz/memleket/entities/kazcosmos/press/news/details/25714?lang=kk