Petya

Category: ransomware · Aliases: None known · Sample count (EMBER 2018): 121 · Enrichment: expert-seo · Updated: 2026-06-09

Overview

Ransomware:Win32/Petya (and its destructive variant NotPetya) represents a paradigm shift in cyber warfare, blending ransomware extortion tactics with master boot record (MBR) corruption and lateral movement capabilities.

Understanding Petya
To the average user, a Petya infection is immediately devastating: the system suddenly reboots, displaying a fake CHKDSK screen before dropping a red skull-and-crossbones ASCII art with a ransom demand. For cybersecurity experts, Petya is a highly sophisticated payload that fundamentally breaks the operating system. Unlike traditional file-encrypting ransomware (crypto-ransomware), original Petya overwrites the MBR and encrypts the Master File Table (MFT) of the NTFS file system, preventing the OS from booting entirely.

Execution and NotPetya Variations
The 2017 variant, widely known as NotPetya, was distributed via a compromised update mechanism in the Ukrainian accounting software M.E.Doc. NotPetya combined the MBR encryption payload with the leaked EternalBlue (CVE-2017-0144) and EternalRomance SMB exploits to rapidly propagate across flat networks. Most critically, NotPetya was a wiper disguised as ransomware; the generated installation key was random, meaning even if the victim paid the ransom, the data was mathematically unrecoverable.

Indicators of Compromise & Impact
Incident responders should look for unexpected system reboots, the presence of the perfc.dat file in the C:\Windows directory, and unauthorized use of tools like PsExec or WMI for lateral movement. The impact is catastrophic, often resulting in total organizational paralysis, supply chain disruption, and millions of dollars in irrecoverable data loss.

MITRE ATT&CK Techniques

Observed techniques used by this family, mapped to the MITRE ATT&CK framework:

TechniqueNameTactic
T1561.002Disk Wipe: Disk Structure WipeImpact
T1490Inhibit System RecoveryImpact
T1210Exploitation of Remote ServicesLateral Movement
T1047Windows Management InstrumentationExecution
T1569.002System Services: Service ExecutionExecution

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_PETYA {
    meta:
        description = "Detects Petya (ransomware)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "petya" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Petya Activity
id: a173e8ab419cb6d9b3f3400b9552766f
status: experimental
description: Detects generic indicators of the petya malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*petya*"
    condition: selection
level: medium

Containment & Response Steps

Ordered checklist for responders. Adapt to your environment and engage professional support for active incidents.

  1. Instantly sever network connections to infected endpoints to halt the lateral spread via SMB (EternalBlue).
  2. If a machine suddenly reboots and displays a fake CHKDSK screen, immediately power it off. This interrupts the MFT encryption process, potentially saving the data.
  3. Deploy global firewall rules to block lateral SMB traffic (TCP port 445) across internal subnets.
  4. Do not pay the ransom; in NotPetya variants, the decryption key mechanism is intentionally broken and recovery is impossible.

What to Avoid

Common mistakes during response to this family that can destroy evidence, spread the infection, or worsen recovery.

  1. Do not allow the fake CHKDSK process to complete; powering off the machine during this phase is the only way to stop the encryption.
  2. Avoid relying solely on patching to stop the spread; NotPetya also leverages stolen credentials (via Mimikatz) to propagate to fully patched systems.

References & External Analysis

Related Families (Category: ransomware)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/petya.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.