How did this begin?

源頭在哪？

The Petya ransomware worm began spreading Tuesday morning with a fake software update that was pushed out to businesses and other enterprises in Ukraine. The software concerned, called MEDoc, is a financial-monitoring application that all businesses in Ukraine must have installed.

Petya勒索軟件蠕蟲于本周二早上開始傳播，它假借軟件更新，強制推送給烏克蘭企業。涉事軟件叫做MEDoc，是所有烏克蘭企業都必須安裝的一個財務監控應用程序。

How did Petya spread?

Petya如何傳播？

From its initial infection point in Ukraine, the Petya worm quickly spread to companies in other European countries through enterprise networks.

通過企業網絡，Petya蠕蟲迅速從最初位于烏克蘭的感染點傳播到其他歐洲公司。

There's some evidence that Petya also spread via infected email attachments, but that theory is not quite as well established.

有證據表明，Petya還會以被感染的電子郵件附件的形式傳播，不過這一理論并不完善。

What does Petya do?

Petya能做什么？

Petya is really four things. It's a worm that uses Windows networking tools, and exploits used by the NSA, to spread through local networks.

實際上，關于Petya需要說明四點。蠕蟲利用Windows網絡工具和美國國家安全局使用過的漏洞并通過局域網傳播。

It's a piece of ransomware that encrypts the Master Boot Record — the guts of a Windows hard drive — to prevent a computer from starting up properly.

勒索軟件通過加密主引導記錄即Windows硬盤驅動器的重要部分來阻止計算機正常啟動。

There's also a second piece of ransomware that encrypts various files on the machine if the Master Boot Record attack fails.

如果攻擊主引導記錄失敗，則有第二個勒索軟件加密電腦上的各類文件。

And there's a fourth component that steals usernames and passwords from infected machines, possibly only so it can infect more machines.

此外，第四個組件可以從已感染的電腦中竊取用戶名和密碼，這可能是為了感染更多電腦。

Who is at risk?

哪些電腦有感染風險？

The silver lining is that properly patched Windows systems that are not connected to enterprise networks, such as home computers, are at little risk of being infected by the Petya worm — at least for now. If you use a home computer to connect to a corporate VPN, however, you greatly increase the chances of your home network becoming infected.

還算幸運的是，未連接到企業網絡并打過正確補丁的Windows系統，比如家用電腦幾乎不會受到Petya蠕蟲感染，至少目前不會。但是，假如你用家用電腦連接到企業VPN，則會大大增加家庭網絡受感染的幾率。

Does the Petya worm infect Macs, iPhone, Android devices or Linux boxes?

Petya蠕蟲是否會感染Mac、iPhone、安卓設備或Linux電視盒？

Only Windows machines appear to be at risk.

只有運行Windows系統的電腦存在感染風險。

Does fully patching a Windows computer stop Petya?

打過完全補丁的Windows電腦能阻止Petya嗎？

Even fully updated Windows computers on an enterprise network can be infected by the Petya worm. That's because once it establishes itself on even one machine inside an enterprise network, Petya will spread by stealing Windows administrative passwords and using standard Windows network-administration tools to install itself on every Windows machine it can.

即便是企業網絡上徹底更新過的Windows電腦也可能被Petya蠕蟲感染。這是因為一旦Petya感染了企業網絡中的一臺電腦，它將通過竊取Windows管理密碼并使用標準的Windows網絡管理工具來讓每臺Windows電腦都安裝Petya，以此傳播病毒。

Will antivirus software stop the Petya worm?

殺毒軟件能阻止Petya蠕蟲嗎？

It should. All good antivirus software products should block the Petya worm from installing. That may change if the worm's code or behavior drastically changes.

應該能。所有好的殺毒軟件都應該阻止電腦安裝Petya蠕蟲。不過隨著蠕蟲代碼或行為產生巨變，這一情形可能會改變。

Is Petya related to WannaCry?

Petya和此前的WannaCry有關聯嗎？

Petya also uses the ETERNALBLUE exploit, also used by the otherwise unrelated WannaCry ransomware worm in mid-May, to spread among Windows machines in an enterprise network.

Petya也利用“永恒之藍”漏洞在企業網絡內的Windows電腦間傳播，這一點和5月中旬爆發的WannaCry勒索軟件蠕蟲相似，除此以外并無關聯。

Who's behind Petya?

誰是幕后黑手？

It's not clear who created and released Petya, but a lot of circumstantial evidence points to "patriotic" Russian hackers.

不清楚是誰制作和發布了Petya，不過很多間接證據指向了“愛國”的俄羅斯黑客。

Why is it called Petya?

為什么叫做Petya？

The ransomware component of this new worm bears at least superficial resemblance to the latest iterations of Petya, a ransomware strain first spotted in 2024. (Petya is Russian for "Pete.")

這種新蠕蟲的勒索軟件組件至少表面上看來與最新的Petya迭代相似，Petya是2024年首次發現的勒索病毒（Petya對應俄語中的“Pete”）。

Should I pay the Petya ransom?

中招后應該支付贖金嗎？

If your computer is encrypted by Petya, there's no point in paying the ransom. The email address that you have to contact to collect the decryption key, has been shut down by the email host. Unless new strains of the ransomware provide a different contact email address, there's no way to recover your files.

如果你的電腦不幸被Petya加密，那么即便支付贖金也無濟于事。你必須聯系來獲取解密密鑰，而該電子郵件地址已被郵箱服務商關閉。除非新的勒索軟件提供另一個電子郵件地址，否則不可能恢復你的文件。

Is there a Petya "kill switch"?

有沒有Petya“自殺開關”？

No. However, there are a couple of ways that you might be able to prevent or stop the encryption process.

沒有。不過倒有幾種方法可以防止或中斷加密過程。

First, if your computer randomly begins to shut down, abort the shutdown process and keep it running. The Petya worm has to reboot the machine in order encrypt the hard drive's Master Boot Record, which is essential to the Windows startup process.

首先，如果你的電腦突然開始關機，應立即中止關機，保持電腦開機狀態。Petya蠕蟲必須重啟電腦才能加密硬盤驅動器的主引導記錄，主引導記錄對Windows啟動過程至關重要。

Second, you can try to "immunize" your machine by creating a read-only file called "perfc" and putting it in the Windows directory. In some instances, if the Petya worm sees that file, it won't encrypt the machine — but it will continue to spread to other machines on the same network. However, we've seen reports that this method doesn't work on Windows 7, and that new versions of the Petya code may not have this function.

其次，你可以嘗試通過創建一個名為“perfc”的只讀文件并將其放入Windows目錄中來“免疫”你的電腦。在某些情況下，如果Petya蠕蟲看到該文件，它便不會加密這臺電腦，但它會繼續擴散到同一網絡上的其他電腦。不過，我們已經見到報告說這種方法不適用于Windows 7系統，而且新版Petya代碼可能沒有這一功能。

How did this begin?

源頭在哪？

The Petya ransomware worm began spreading Tuesday morning with a fake software update that was pushed out to businesses and other enterprises in Ukraine. The software concerned, called MEDoc, is a financial-monitoring application that all businesses in Ukraine must have installed.

Petya勒索軟件蠕蟲于本周二早上開始傳播，它假借軟件更新，強制推送給烏克蘭企業。涉事軟件叫做MEDoc，是所有烏克蘭企業都必須安裝的一個財務監控應用程序。

How did Petya spread?

Petya如何傳播？

From its initial infection point in Ukraine, the Petya worm quickly spread to companies in other European countries through enterprise networks.

通過企業網絡，Petya蠕蟲迅速從最初位于烏克蘭的感染點傳播到其他歐洲公司。

There's some evidence that Petya also spread via infected email attachments, but that theory is not quite as well established.

有證據表明，Petya還會以被感染的電子郵件附件的形式傳播，不過這一理論并不完善。

What does Petya do?

Petya能做什么？

Petya is really four things. It's a worm that uses Windows networking tools, and exploits used by the NSA, to spread through local networks.

實際上，關于Petya需要說明四點。蠕蟲利用Windows網絡工具和美國國家安全局使用過的漏洞并通過局域網傳播。

It's a piece of ransomware that encrypts the Master Boot Record — the guts of a Windows hard drive — to prevent a computer from starting up properly.

勒索軟件通過加密主引導記錄即Windows硬盤驅動器的重要部分來阻止計算機正常啟動。

There's also a second piece of ransomware that encrypts various files on the machine if the Master Boot Record attack fails.

如果攻擊主引導記錄失敗，則有第二個勒索軟件加密電腦上的各類文件。

And there's a fourth component that steals usernames and passwords from infected machines, possibly only so it can infect more machines.

此外，第四個組件可以從已感染的電腦中竊取用戶名和密碼，這可能是為了感染更多電腦。

Who is at risk?

哪些電腦有感染風險？

The silver lining is that properly patched Windows systems that are not connected to enterprise networks, such as home computers, are at little risk of being infected by the Petya worm — at least for now. If you use a home computer to connect to a corporate VPN, however, you greatly increase the chances of your home network becoming infected.

還算幸運的是，未連接到企業網絡并打過正確補丁的Windows系統，比如家用電腦幾乎不會受到Petya蠕蟲感染，至少目前不會。但是，假如你用家用電腦連接到企業VPN，則會大大增加家庭網絡受感染的幾率。

Does the Petya worm infect Macs, iPhone, Android devices or Linux boxes?

Petya蠕蟲是否會感染Mac、iPhone、安卓設備或Linux電視盒？

Only Windows machines appear to be at risk.

只有運行Windows系統的電腦存在感染風險。

Does fully patching a Windows computer stop Petya?

打過完全補丁的Windows電腦能阻止Petya嗎？

Even fully updated Windows computers on an enterprise network can be infected by the Petya worm. That's because once it establishes itself on even one machine inside an enterprise network, Petya will spread by stealing Windows administrative passwords and using standard Windows network-administration tools to install itself on every Windows machine it can.

即便是企業網絡上徹底更新過的Windows電腦也可能被Petya蠕蟲感染。這是因為一旦Petya感染了企業網絡中的一臺電腦，它將通過竊取Windows管理密碼并使用標準的Windows網絡管理工具來讓每臺Windows電腦都安裝Petya，以此傳播病毒。

Will antivirus software stop the Petya worm?

殺毒軟件能阻止Petya蠕蟲嗎？

It should. All good antivirus software products should block the Petya worm from installing. That may change if the worm's code or behavior drastically changes.

應該能。所有好的殺毒軟件都應該阻止電腦安裝Petya蠕蟲。不過隨著蠕蟲代碼或行為產生巨變，這一情形可能會改變。

Is Petya related to WannaCry?

Petya和此前的WannaCry有關聯嗎？

Petya also uses the ETERNALBLUE exploit, also used by the otherwise unrelated WannaCry ransomware worm in mid-May, to spread among Windows machines in an enterprise network.

Petya也利用“永恒之藍”漏洞在企業網絡內的Windows電腦間傳播，這一點和5月中旬爆發的WannaCry勒索軟件蠕蟲相似，除此以外并無關聯。

Who's behind Petya?

誰是幕后黑手？

It's not clear who created and released Petya, but a lot of circumstantial evidence points to "patriotic" Russian hackers.

不清楚是誰制作和發布了Petya，不過很多間接證據指向了“愛國”的俄羅斯黑客。

Why is it called Petya?

為什么叫做Petya？

The ransomware component of this new worm bears at least superficial resemblance to the latest iterations of Petya, a ransomware strain first spotted in 2024. (Petya is Russian for "Pete.")

這種新蠕蟲的勒索軟件組件至少表面上看來與最新的Petya迭代相似，Petya是2024年首次發現的勒索病毒（Petya對應俄語中的“Pete”）。

Should I pay the Petya ransom?

中招后應該支付贖金嗎？

If your computer is encrypted by Petya, there's no point in paying the ransom. The email address that you have to contact to collect the decryption key, has been shut down by the email host. Unless new strains of the ransomware provide a different contact email address, there's no way to recover your files.

如果你的電腦不幸被Petya加密，那么即便支付贖金也無濟于事。你必須聯系來獲取解密密鑰，而該電子郵件地址已被郵箱服務商關閉。除非新的勒索軟件提供另一個電子郵件地址，否則不可能恢復你的文件。

Is there a Petya "kill switch"?

有沒有Petya“自殺開關”？

No. However, there are a couple of ways that you might be able to prevent or stop the encryption process.

沒有。不過倒有幾種方法可以防止或中斷加密過程。

First, if your computer randomly begins to shut down, abort the shutdown process and keep it running. The Petya worm has to reboot the machine in order encrypt the hard drive's Master Boot Record, which is essential to the Windows startup process.

首先，如果你的電腦突然開始關機，應立即中止關機，保持電腦開機狀態。Petya蠕蟲必須重啟電腦才能加密硬盤驅動器的主引導記錄，主引導記錄對Windows啟動過程至關重要。

Second, you can try to "immunize" your machine by creating a read-only file called "perfc" and putting it in the Windows directory. In some instances, if the Petya worm sees that file, it won't encrypt the machine — but it will continue to spread to other machines on the same network. However, we've seen reports that this method doesn't work on Windows 7, and that new versions of the Petya code may not have this function.

其次，你可以嘗試通過創建一個名為“perfc”的只讀文件并將其放入Windows目錄中來“免疫”你的電腦。在某些情況下，如果Petya蠕蟲看到該文件，它便不會加密這臺電腦，但它會繼續擴散到同一網絡上的其他電腦。不過，我們已經見到報告說這種方法不適用于Windows 7系統，而且新版Petya代碼可能沒有這一功能。