Petya

aka Goldeneye · Mischa (bundle)

A 2016 ransomware that encrypted the master file table and overwrote the MBR instead of individual files, later impersonated by the NotPetya wiper.

Petya (2016) took a different approach from file-by-file ransomware: it overwrote the master boot record, installed a tiny malicious bootloader, and encrypted the master file table (MFT) — rendering the whole disk unusable and showing a ransom note before Windows could even load.

Design

Distributed by the "Janus Cybercrime Solutions" group as a RaaS (often bundled with the Mischa file-encryptor as a fallback), Petya was technically novel. Researchers later cracked some versions, releasing decryptors.

Petya vs NotPetya

In 2017, Russia's Sandworm built the NotPetya wiper using Petya's look and feel as cover — but with no real recovery. The two are frequently confused; only the original Petya was genuine ransomware. Background is on Cyber Breaches, and a bootloader teardown on the Reverse Engineering Hub.

Defense

Offline backups, malspam filtering, and boot-integrity protections.
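The boot-integrity protection listed above can be checked on legacy MBR-booted disks by recording a fingerprint of the boot sector while the machine is known clean and comparing the live sector against it. The Python below is an added example written for this page, not code from the Petya analysis or any vendor tool: it parses a 512-byte MBR (446 bytes of boot code, four 16-byte partition entries, the 0x55AA signature), hashes the code area separately from the partition table so that ordinary partition changes do not trigger an alert, and reports findings when the code area has been replaced or the signature is gone. The sample sectors, partition layout and boot-code bytes are constructed placeholders, not bytes from any real disk or from Petya's loader.

```python
"""Boot-sector baseline check (added example; constructed data, not Petya's code)."""
import hashlib
import struct

SECTOR_SIZE = 512
CODE_AREA = 446            # bytes 0..445 hold the bootstrap code
PART_TABLE = 446           # four 16-byte partition entries follow the code
BOOT_SIGNATURE = b"\x55\xaa"


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into boot code, non-empty partition entries and signature state."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE}-byte sector, got {len(sector)}")
    partitions = []
    for i in range(4):
        off = PART_TABLE + 16 * i
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4)
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype != 0:  # partition type 0 means the slot is unused
            partitions.append({
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "code": sector[:CODE_AREA],
        "partitions": partitions,
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
    }


def code_fingerprint(sector: bytes) -> str:
    """SHA-256 of the boot-code area only, so partition-table edits do not change it."""
    return hashlib.sha256(sector[:CODE_AREA]).hexdigest()


def check_boot_sector(sector: bytes, baseline_fingerprint: str) -> list[str]:
    """Return a list of findings; an empty list means the MBR matches the recorded baseline."""
    findings = []
    mbr = parse_mbr(sector)
    if not mbr["signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if code_fingerprint(sector) != baseline_fingerprint:
        findings.append("boot code differs from recorded baseline")
    if not any(p["bootable"] for p in mbr["partitions"]):
        findings.append("no partition flagged bootable")
    return findings


def _build_sector(code: bytes, partition: bytes) -> bytes:
    """Assemble a constructed MBR: code padded to 446 bytes, one partition entry, signature."""
    body = code.ljust(CODE_AREA, b"\x00") + partition.ljust(64, b"\x00")
    return body + BOOT_SIGNATURE


# Constructed sample data (not real disk images).
# One bootable partition of type 0x07 starting at LBA 2048 with 1,000,000 sectors.
SAMPLE_PARTITION = struct.pack("<B3sB3sII", 0x80, b"\x00\x00\x00", 0x07,
                               b"\x00\x00\x00", 2048, 1_000_000)
# Placeholder "known-good" bootstrap bytes standing in for a real boot loader.
KNOWN_GOOD = _build_sector(b"\xfa\x33\xc0\x8e\xd0", SAMPLE_PARTITION)
# Same partition table, but the code area has been replaced (constructed, not Petya's loader).
TAMPERED = _build_sector(b"\xeb\xfe" + b"\x90" * 40, SAMPLE_PARTITION)

BASELINE = code_fingerprint(KNOWN_GOOD)  # record this while the machine is known clean


if __name__ == "__main__":
    print("clean:", check_boot_sector(KNOWN_GOOD, BASELINE))
    print("tampered:", check_boot_sector(TAMPERED, BASELINE))
```

On a real system the sector comes from the raw device (for example the first 512 bytes of `/dev/sda` on Linux or `\\.\PhysicalDrive0` on Windows, both requiring administrative rights), and the baseline fingerprint should be stored somewhere the host cannot rewrite. The check is deliberately scoped to the code area: a legitimate repartitioning changes the table, but a replaced bootstrap is exactly the signal a Petya-style infection leaves behind before the system next reboots.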