Petya Ransomware

What is Petya Ransomware?

It is unlikely that you will encounter Petya Ransomware if you are a regular home user; however, you might find it on your work PC. Anti-Spyware-101.com researchers have found that this malicious infection targets operating systems that belong to big companies in Germany. The distribution of this ransomware is quite unpredictable; however, in most cases, it is spread via Dropbox. Spam emails with a link to a malicious download are sent, and, if you open the malicious file (e.g., “application folder-gepackt.exe”), malicious processes are initiated. It is possible that other methods of distribution will be employed, but, right now, you need to be most cautious about emails with suspicious attachments and links. It was found that every user has an opportunity to stop this infection. Our researchers found that users can unplug their computers to stop all activity. If you do this in time, you might be able to back up your personal files from the hard drive. If you do not act in time, you might have to delete Petya Ransomware from your PC without being able to restore sensitive, important files.

How does Petya Ransomware work?

Now that we have discussed the distribution of this ransomware, we need to discuss its activity and removal. If executed successfully, this infection encrypts personal files. What is different about this ransomware is that it can overwrite the hard drive MBR (master boot record). This way, Petya Ransomware blocks users from accessing their computers. In fact, it does not do that instantly. In order to buy time, this infection fakes a disk check. The real chkdsk utility is meant to repair existing disk errors; the fake one is bound to fail. According to the information displayed, the process could take several hours, and you are warned not to turn off your computer, as this, allegedly, could destroy data. In reality, this distracts you from unplugging your computer and having a chance to back up your files. According to our research, AES 256-bit and RSA 4096-bit encryption algorithms are used for the encryption process. Of course, the decryption key is hidden so that you cannot access it without paying the ransom. Well, we cannot guarantee that you would get the key even if you did pay the ransom. Speaking of the ransom, the sum might change. Some users report paying 0.9 or 0.99 Bitcoins, which is around 370-410 USD, and others report having to pay twice as much. Whatever the price, you have to think carefully before you make the payment.
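The paragraph above says the infection overwrites the MBR, the first 512-byte sector of the disk, which holds the boot code, the disk signature, the four-entry partition table and the 0x55AA boot signature. The check a defender wants is a comparison of the current first sector against a known-good backup, so that a change to the boot code can be told apart from a change to the partition table. The following example is added here to illustrate that layout and comparison; it is not code from the original article or from Anti-Spyware-101.com. It parses the sector into its fields and reports which parts differ from a baseline. The two sample sectors are constructed inline (their boot code bytes and partition entry are made up for the demo); on a real Windows machine the same `read_first_sector` function could be pointed, with administrator rights, at `\\.\PhysicalDrive0`, and the baseline would be a backup of that sector taken while the machine was known to be clean.

```python
import hashlib
import struct
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR


def read_first_sector(path: str) -> bytes:
    """Read the first 512 bytes of a file or raw device (e.g. a saved MBR backup)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> Dict:
    """Split a 512-byte MBR into boot code, disk signature, partition table and signature."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:440]    # bytes 0-439: executable boot code
    disk_sig = sector[440:444]  # bytes 440-443: Windows disk signature
    table = sector[446:510]     # bytes 446-509: four 16-byte partition entries
    partitions = []
    for i in range(4):
        entry = table[i * 16:(i + 1) * 16]
        status, ptype = entry[0], entry[4]
        lba_start, sectors = struct.unpack_from("<II", entry, 8)
        if ptype != 0:  # type 0 means the slot is unused
            partitions.append({
                "index": i,
                "bootable": status == 0x80,
                "type": ptype,
                "lba_start": lba_start,
                "sectors": sectors,
            })
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "disk_signature": disk_sig.hex(),
        "partitions": partitions,
        "valid_signature": sector[510:512] == BOOT_SIGNATURE,
    }


def check_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Compare the current first sector with a known-good backup; return a list of findings."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code differs from baseline")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature differs from baseline")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Constructed demo sector: given boot code, one bootable NTFS-type (0x07) partition, valid signature."""
    code = boot_code.ljust(440, b"\x00")[:440]
    disk_sig = b"\x12\x34\x56\x78"  # made-up disk signature
    entry = bytes([0x80, 0, 0, 0, 0x07, 0, 0, 0]) + struct.pack("<II", 2048, 1_000_000)
    table = entry + b"\x00" * 48  # remaining three slots unused
    return code + disk_sig + b"\x00\x00" + table + BOOT_SIGNATURE


# Constructed baseline and a copy whose boot code was replaced (partition table left intact).
GOOD_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c")
TAMPERED_MBR = build_sample_mbr(b"\xeb\x22\x90\x00\x00\x00\x00\x00")

if __name__ == "__main__":
    print("clean vs clean:   ", check_mbr(GOOD_MBR, GOOD_MBR))
    print("clean vs tampered:", check_mbr(GOOD_MBR, TAMPERED_MBR))
```

A boot code mismatch with an unchanged partition table is exactly the pattern to look for when a bootloader has been replaced; if the partition table also differs, the disk has been altered beyond the boot code and should be imaged before any repair is attempted.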

The ransom associated with Petya Ransomware is presented as a full-screen notification that you cannot remove and that shows up as soon as the fake system repair fails or after you restart your computer. In fact, at first, a flashing ASCII skeleton will appear with the "PRESS ANY KEY!" message. If you follow the demand, the ransom message appears, and it lists three steps that you supposedly need to take in order to unlock your system. In reality, there are more steps than you think. First, you are asked to download the Tor Browser, because all activity via it is hidden, which means that cyber criminals can collect your payments without being tracked. Once you download this browser, you are asked to visit one of the pages linked (e.g., petya37h5tbhyvki.onion/[xxxxx]). This page is meant to initiate the decryption process, which means that it initiates the payment. It is said that a decryption key would be provided to you if you finalized the payment; however, we cannot guarantee that, and this is why you need to be extremely cautious and mindful when following any of the demands presented to you.

How to eliminate Petya Ransomware

The removal of Petya Ransomware is very complicated. You cannot uninstall this program or stop it by eliminating one malicious file. Sure, you HAVE to eliminate the malicious executable and all of its copies; however, you need to do one more thing. You have to repair the MBR, and we suggest doing that using your Windows installation CD/DVD. Of course, this task is complicated, and inexperienced users might face many problems; unfortunately, this is the only way to get rid of this ransomware. Keep in mind that once you eliminate this infection, you will have no chance of recovering your files, so perform the steps below only after you make your final decision regarding the future of your files. Also, keep in mind that you will need to repair the MBR and delete the malicious files even if you pay the ransom.

How to fix the MBR

Windows 10, Windows 8.1, and Windows 8:

  1. Insert the installation disk, restart the PC, and choose to Boot Windows with CD-ROM Drive.
  2. Choose the desired parameters, click Next, and click Repair your computer.
  3. In the Troubleshoot menu select Command Prompt.
  4. Type the following strings and tap Enter after each one of them:
    • bootrec /fixmbr
    • bootrec /fixboot
    • bootrec /scanos
    • bootrec /rebuildbcd
  5. Wait for the process to finish.
  6. Eject the CD, type exit into the Command Prompt, and tap Enter to restart the PC.

Windows 7 and Windows Vista:

  1. Insert the installation disk, restart the PC, and choose to Boot Windows with CD-ROM Drive.
  2. Choose the desired parameters, click Next, and click Repair your computer.
  3. In the System Recovery Options menu, select your OS, and click Next.
  4. Select Command Prompt and type the following strings (tap Enter after each one of them):
    • bootrec /fixmbr
    • bootrec /fixboot
    • bootrec /rebuildbcd
  5. Wait for the process to finish.
  6. Eject the CD, type exit into the Command Prompt, and tap Enter to restart the PC.

Windows XP:

  1. Insert the installation disk, restart the PC, and choose to Boot Windows with CD-ROM Drive.
  2. In the Welcome to Setup menu tap R to launch Recovery Console.
  3. Type 1 after the question asking which Windows you would like to log onto and tap Enter.
  4. Next type your administrator password and tap Enter.
  5. Now type fixmbr and tap Enter (type Y and tap Enter if you are asked to confirm your selection).
  6. Tap Enter one more time and wait for the process to finish.
  7. Eject the CD, type exit into the Command Prompt, and tap Enter to restart the PC.

How to remove malicious files

  1. Once the PC is restarted, immediately delete the malicious executable (e.g., “application folder-gepackt.exe”).
  2. Launch Explorer (simultaneously tap Win+E).
  3. Enter %TEMP% into the address bar at the top.
  4. Look for the copies of the malicious file. If they exist, right-click and Delete them.
  5. Empty the recycle bin and run a reliable malware scanner to see if your operating system is clean.
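Step 4 above asks you to look for copies of the malicious file in %TEMP%. Copies may carry a different name, so matching by file name is not reliable; matching by SHA-256 hash of the known executable is. The following example is added here for that purpose and is not code from the original article or from Anti-Spyware-101.com. It walks a directory tree, hashes every readable file and lists those whose hash equals a reference hash. The demo tree it builds is constructed (a made-up payload saved under two names plus one unrelated file); in practice you would compute the reference hash from the executable identified in step 1 and point `find_copies` at `%TEMP%`, which is the default root when the script is run directly. The script only reports matches; deleting them is left to the operator, as in the steps above.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List, Tuple


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def find_copies(root: Path, reference_hash: str) -> List[Path]:
    """Recursively scan root and return every file whose SHA-256 equals reference_hash."""
    matches = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            try:
                if sha256_of(p) == reference_hash:
                    matches.append(p)
            except OSError:
                # locked, vanished or unreadable file: skip it rather than abort the scan
                continue
    return sorted(matches)


def build_demo_tree() -> Tuple[Path, str]:
    """Constructed demo: a temp tree with the same payload under two names and one unrelated file."""
    root = Path(tempfile.mkdtemp(prefix="mbr_demo_"))
    payload = b"constructed sample payload for the demo, not real malware"
    (root / "application folder-gepackt.exe").write_bytes(payload)
    sub = root / "sub"
    sub.mkdir()
    (sub / "copy.tmp").write_bytes(payload)  # same content, different name and folder
    (root / "unrelated.txt").write_bytes(b"something else entirely")
    return root, hashlib.sha256(payload).hexdigest()


if __name__ == "__main__":
    # Demo run against the constructed tree; replace with the real hash and %TEMP% in practice.
    demo_root, ref_hash = build_demo_tree()
    print("demo tree:", demo_root)
    for hit in find_copies(demo_root, ref_hash):
        print("copy found:", hit)
    temp_root = Path(os.environ.get("TEMP", tempfile.gettempdir()))
    print("real scan would target:", temp_root)
```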