2017 Petya Ransomware Attack

Part of a series on Ransomware.

Updated Jun 29, 2017 at 12:43PM EDT by Don.

Added Jun 29, 2017 at 09:21AM EDT by Don.

Overview

The 2017 Petya Ransomware Attack refers to a global cyber attack using the Petya family of encrypting malware, which infects the master boot record on Microsoft Windows systems to force a reboot and demand a payment in bitcoin to remove encryption of system files.

Background

In March 2016, early variations of Petya were initially discovered, followed by an additional variant with a secondary payload the following month.[1] On June 27th, 2017, a new variant of Petya was launched in a global cyber attack, primarily targeting companies in Russia and Ukraine, most notably infecting the National Bank of Ukraine. The malware subsequently infected machines across France, Germany, Italy, Poland, the United Kingdom and the United States.

Developments

Investigation

The Cisco security division Talos speculated that the malware circulated through a vulnerability in the Ukrainian tax accounting package MeDoc, which downloaded Petya as an update.

Ukrainian Response on Twitter

On June 27th, the official Twitter account for the Ukrainian government posted an animated "This Is Fine" GIF along with a message announcing that many of the country's government agencies and private firms were hit by the virus. Within 48 hours, the tweet gathered more than 10,300 likes and 7,700 retweets.




Online Reaction

Also on June 27th, a post about the ransomware reached the front page of /r/technology,[2] gathering upwards of 3,300 points (94% upvoted) and 600 comments within 48 hours. Meanwhile, the United Kingdom-based information assurance firm NCC Group[4] published a live-updated blog regarding the ransomware attack, which subsequently reached the front page of /r/netsec.[3]
