A sum of US$300 in Bitcoin was sought as ransom by those who spread the ransomware, which, unlike WannaCry, spreads across a local network once it has infected a device. WannaCry, by contrast, had each infected device look for other devices on the Internet to infect.
British security researcher Marcus Hutchins, better known as Malwaretech and the man who inadvertently stopped WannaCry from spreading, advised people who were hit by the latest blitz not to pay the ransom.
"The email address the ransomware asks you to contact upon payment has been blocked by the provider, so there is currently little chance files can be recovered by paying the ransom," he said.
Hutchins added: "Unlike most ransomware, Petya encrypts after reboot so if you're infected the files will not be encrypted until the machine is rebooted (the malware sets a scheduled task to automatically reboot after 1h, but you can simply shut down before then to prevent encryption if you know you're infected)."
He said that while the jury was still out on whether this ransomware was Petya or a similar strain, one researcher known as Hasherezade, who had done a lot of work on the original Petya ransomware, had concluded that there was a great deal of similarity with it.
…but internally, not much has changed (comparison with version 3 – Green): pic.twitter.com/c1eZqBySOr
— hasherezade (@hasherezade) June 27, 2017
According to security company F-Secure, the original Petya encrypts the Master Boot Record, the portion of a Windows computer's hard drive that runs first and starts the operating system, allowing all other programs to run. It typically arrives via email.
The method of infection used by the latest outbreak is not yet clear, though some infections appear to have happened through a malicious update for the Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc.