What to do if NotPetya gets you

If your computer gets infected with the latest cyber attack rocking the digital world, don't pay up - you won't get your files back.

The email address belonging to the creators of the NotPetya virus which hit computers worldwide on Wednesday (NZ time) has been deactivated, so your pleas will fall on deaf ears. And, it doesn't just encrypt your file - it deletes them. They're gone.

This has led security experts to the conclusion making money wasn't the creators' aim - they're out to destroy.

What is the NotPetya virus?

Initially reported as a variant on the Petya ransomware which emerged in March 2016, the virus - since rebranded as NotPetya by security company Kaspersky Lab - isn't your usual ransomware.

Though it initially appeared to be, it's since been discovered its real goal isn't to empty your wallet. It appears to be a salvo against Ukraine's digital infrastructure, which has inadvertently gone global.

Analysts looking at NotPetya's code found its real intention is to wipe victims' computers clean.

"We can see the current version of Petya clearly got rewritten to be a wiper and not an actual ransomware," founder of cybersecurity firm Comae Matt Suiche wrote in a blog post.

He suggests the ransomware part of the code was left in to make the virus look like the work of a "mysterious hacker group rather than a national state attacker".

"The goal of a wiper is to destroy and damage. The goal of ransomware is to make money. Different intent. Different motive. Different narrative."

Because NotPetya hit Ukraine first and so far, the hardest, suspicion has fallen on enemy Russia. The attack came the day before Ukraine's Constitution Day.

It first infected Ukrainian organisations, including the Government, using accounting software made by a Ukrainian company called MeDoc - which has denied any involvement in its creation.

Since then NotPetya has spread via a hole in Windows called EternalBlue, the same flaw used by the WannaCry virus earlier this year. Microsoft patched that hole earlier this year, but NotPetya has been able to get around via local computer networks regardless.

It's not clear how it got out of Ukraine into the IT systems of global companies like Maersk, but one IT expert has discovered global shipping giant posted a job ad using MeDoc software recently.

The EternalBlue exploit was developed by US intelligence agency NSA, and leaked earlier this year.

What can I do?

The usual precautions apply: keep your computer's security up to date and don't open emails and attachments you don't trust. Have backups of any important files, whether on external drives or in a cloud storage service like OneDrive or Google Drive.

But if you are infected, not all is lost - yet. Once NotPetya is on your computer, it sits in the background and waits for you to reboot. When you do, it takes over - wiping part of your hard drive and locking it down, making the bogus request for payment.

What you need to do depends on whether you spot it before it's had its chance to kill your machine, or after.


If you suspect an infection, or just want to check, open up your Task Manager and look under the 'processes' tab for something called 'rundll32.exe'. If it's there, there's a good chance NotPetya's on your system - turn off your computer and disconnect it from the internet. You'll need to reinstall Windows, which should get rid of the virus (there are numerous ways to do this - but you'll likely need another computer to set it up). It is possible to reinstall Windows without deleting your personal files.

If you're not infected, a number of security experts have noticed Not Petya's code contains clues to a vaccine. A guide on how to vaccinate your machine can be found on the Forbes website


If you do reboot your computer, there's a very small window of opportunity to stop NotPetya in its tracks. If you see the screen below, immediately turn machine off - ie. cut the power, any way you can.

If you reinstall Windows now, there's a good chance you can nuke the virus without losing your files.

But if you get the fake ransomware demand, it's too late.

If you see this screen, your computer has been compromised. Photo credit: Twitter/unknown

If your files aren't backed up, there's a good chance they're now gone. You can still reinstall Windows, but it'll be a blank slate.

Whatever you do, don't pay the ransom.