Once I was told a story about an oncologist who showed her students a picture of a tumour and said with admiration: "Just look at what a perfect cancer!"
It is exactly this feeling that arises when I look at the code of the "Petya A" virus, which the other day attacked en masse the information systems of Ukraine, and then of the whole world. The reverse engineering of this code was carried out by specialists of ISSP (Information Systems Security Partners). Information security experts can study this code themselves via the link. For everyone else, I will briefly outline what Petya A can do with your computer.
Probably, many will be impressed first of all by one of its abilities, which consists of two points: 1) determining whether Kaspersky Antivirus, Norton or Symantec is installed on your computer; 2) disabling that antivirus.
But cybersecurity professionals are certainly not particularly impressed: it is no secret to them that all serious malicious software is tested against antivirus until the antivirus can no longer catch it. Therefore, today's antiviruses can only protect against old and primitive malware.
Specialists are much more impressed by the other abilities of "Petya A".
But before I turn to them, I will be specific: as I predicted on the first day of the cyber attack, it will not be possible to decrypt the infected computers. The virus uses asymmetric cryptography, that is, for each infected computer there is a separate private key. Those who are familiar with cryptography understand perfectly what this means; for everyone else I will simply say that it is impossible to decrypt disks encrypted by "Petya". Maybe someday in the future, when quantum computers become reality. In the meantime, you will have to say goodbye to the lost data.
So, what will Petya do with your computer if it gets in?
After it identifies and disables the antivirus, Petya encrypts the data on your disk (files with the extensions .3ds, .7z, .accdb, .ai, .asp, .aspx, .avhd, .back, .bak, .cfg, .conf, .cpp, .cs, .ctl, .dbf, .disk, .djvu, .doc, .docx, .dwg, .eml, .fdb, .gz, .hdd, .kdbx, .mail, .mdb, .msg, .nrg, .ora, .ost, .ova, .ovf, .pdf, .php, .pmf, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, .rtf, .sln, .sql, .tar, .vbox, .vbs, .vcb, .vdi, .vfd, .vmc), erases the MBR (the boot area of the disk) and clears the logs to make it as difficult as possible to understand how it got to you. Then, after a reboot, it displays a banner demanding that money be transferred for decryption.
But this is not all. Once on the computer, the virus launches the Mimikatz program, which extracts credentials for other hosts on the local network, and infects them. In addition, the authors of the report suggest that the virus leaves backdoors on the infected computers (entry points for subsequent intrusions).
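The sequence described above, clearing the logs and then rebooting into the ransom banner, leaves a trace that a defender can correlate in centrally collected Windows event logs. The script below is an added example, not code from the original post or from the ISSP report: it flags any host where a log-clear event is followed within a short window by a shutdown or restart. The sample export lines are constructed; the event IDs are the standard Windows ones (1102: Security audit log cleared, 104: System log cleared, 1074: shutdown or restart initiated by a process).

```python
"""Flag hosts where a log-clear event is followed shortly by a reboot."""
from datetime import datetime, timedelta

# Constructed sample export: "timestamp,host,channel,event_id,message".
# WS-ACCT-07 shows the clear-then-reboot pattern; FS-01 shows a log clear
# followed by a reboot hours later (routine maintenance, not flagged).
SAMPLE_EVENTS = """\
2017-06-27T10:02:11,WS-ACCT-07,Security,4624,An account was successfully logged on
2017-06-27T10:03:40,WS-ACCT-07,System,104,The System log file was cleared
2017-06-27T10:03:41,WS-ACCT-07,Security,1102,The audit log was cleared
2017-06-27T10:04:55,WS-ACCT-07,System,1074,shutdown.exe has initiated the restart
2017-06-27T08:15:00,FS-01,Security,1102,The audit log was cleared
2017-06-27T17:30:00,FS-01,System,1074,shutdown.exe has initiated the restart
"""

# (channel, event_id) pairs that mean "a log was cleared" / "host is going down".
LOG_CLEARED = {("Security", 1102), ("System", 104)}
SHUTDOWN = {("System", 1074)}


def parse_events(text):
    """Parse export lines into (timestamp, host, channel, event_id, message)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, channel, event_id, message = line.split(",", 4)
        events.append((datetime.fromisoformat(ts), host, channel, int(event_id), message))
    return events


def find_wipe_then_reboot(events, window=timedelta(minutes=15)):
    """Return {host: (clear_time, reboot_time)} for every host where a
    log-clear event is followed by a shutdown/restart within `window`."""
    by_host = {}
    for ev in sorted(events):  # tuples sort by timestamp first
        by_host.setdefault(ev[1], []).append(ev)
    hits = {}
    for host, evs in by_host.items():
        clears = [e[0] for e in evs if (e[2], e[3]) in LOG_CLEARED]
        reboots = [e[0] for e in evs if (e[2], e[3]) in SHUTDOWN]
        for cleared_at in clears:
            later = [r for r in reboots if cleared_at <= r <= cleared_at + window]
            if later:
                hits[host] = (cleared_at, min(later))
                break
    return hits


if __name__ == "__main__":
    for host, (cleared_at, rebooted_at) in find_wipe_then_reboot(parse_events(SAMPLE_EVENTS)).items():
        print(f"ALERT {host}: logs cleared {cleared_at}, reboot {rebooted_at}")
```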
Details of the virus code can be found in the report. But the most interesting is in the conclusions.
Most importantly: the authors of the report are convinced that the current modification of Petya is nothing other than a cyber weapon.
And this cyber weapon has several main goals.
1) Hiding the traces of previous attacks of the APT (Advanced Persistent Threat) type, the most powerful, complex and dangerous malicious software, to which I will devote a separate post at some point. This may mean that the attacked computers were infected with some kind of malware before the current cyber attack, but what exactly it did and what harm it caused, no one will now ever know. However, it would not hurt those organizations that did not suffer from the attack to check their hard drives thoroughly.
2) A demonstration of cyber power and training in carrying out massive coordinated cyber attacks.
3) Testing new cyber weapons and the ability of security systems to withstand them, especially the speed of reaction and recovery of the attacked systems.
4) Preparing for the next attack, or a massive coordinated cyber attack.
5) An exercise in carrying out a mass coordinated cyber attack combined with elements of hybrid war.
So now we know that "Petya A" is not just a criminal tool. It is a cyber weapon. Therefore, another cyber attack will inevitably follow, much more serious than this one. And we must use all the time available to prepare to repel it with minimal losses.