Petya Ransomware Removal Guide

How to Remove Petya Ransomware?

Petya is the latest ransomware roaming the web and wreaking havoc. It may be the newest one out there, but in most respects it is old news. When it comes to ransomware, they are all much the same: they slither into your system, take over, encrypt your data, and demand a ransom. Petya does not stray far from that pattern. First it sneaks in, then it crashes Windows and, on the next boot, replaces the normal startup with its own lock screen. That screen appears before Windows ever loads, so nothing you would normally reach for against an infection (Task Manager, your antivirus, Explorer) is available; the computer is useless until you meet its demands and pay the ransom. The lock screen spells out those demands. The current trend is payment in Bitcoin, preferred because Bitcoin addresses are pseudonymous and hard to tie to a person. If you choose to go through with the payment, you have to do it through a site on the Tor network, which further protects the anonymity of the people who targeted you. That is a long way of saying this: the people who attacked your system are malicious and have wicked agendas. They are after your money and use the files on your PC as leverage to get it. Don't let them win. Do NOT pay the ransom. Even if you think your data is worth the amount they are asking, don't do it. Understand that the situation you are in is a lose-lose one; it is rigged against you. The sooner you accept that there is no way to come out on top, the better. If you pay, you not only lose money but rely on unreliable strangers to keep their end of the bargain, and the chances of that are slim at best. By paying, you also hand details about yourself to those individuals.
Are you prepared to risk your personal and financial information falling into the hands of such people? Choose your privacy over your data. Files are replaceable.

How did I get infected with?

Petya cannot just magically appear on your computer one day. It uses guile and slyness to slither its way into your system. Its favorite method of infiltration appears to be spear-phishing campaigns aimed at human resources departments; at least, that is what most users are reporting online. They say the program arrives by email, though not as an attachment. The email contains a link which, if you click it, takes you to a file stored on Dropbox, presented as a job applicant's CV. That file is called portfolio-packed.exe, and if you execute it, that's it. Your system crashes, and you find yourself face to face with the dreaded Blue Screen of Death. It is all downhill from there. We have to admit that is quite an ingenious means of invasion, dare we say a new one, and that is saying a lot given the vast ocean of infections that almost always enter your system bundled with freeware or disguised as a bogus update. Innovative or not, the method does the trick, and your system is no longer infection-free. And you managed to pick not just any cyber threat, but one of the worst ones out there. To keep nasty ransomware off your PC, take everything with a grain of salt. Don't open emails from unknown senders, don't click suspicious links, and don't download what they are offering without doing some research first. A CV that arrives as an executable rather than a document is a warning sign on its own. Try to be more cautious and always do your due diligence. More often than not, even a little extra attention can go a long, long way.


Why is Petya dangerous?

Seeing the Blue Screen of Death tends to provoke a 'damage control' reaction. It is usually the same one every time: the user panics and restarts the computer. Well, that won't help you. Once Petya has taken over your PC and you see the dreaded blue screen, restarting won't do much for you. Do you know why? Because when you restart, the computer boots into a fake check-disk (CHKDSK) screen. That "repair" is actually Petya encrypting the disk's file table, and when it finishes, Petya's lock screen loads before Windows ever starts. That will happen every single time you restart, because Petya has replaced the code the PC boots from. If you ever see that fake CHKDSK running, powering the machine off immediately is the one reflex that can help, since whatever it has not yet reached stays untouched. Once your initial shock passes and you accept that restarting is useless, you will see that the screen provides a link to the ransomware's payment site, hosted on Tor. It goes like this: Petya demands payment in exchange for a decryption key that will, supposedly, free your files. 'Supposedly' is the word you need to pay attention to. Because do you know what usually happens? There are several ways the exchange can play out, and they all end badly for you. One: you pay, receive the desired key, apply it, and decrypt your files. Sounds magical, doesn't it? Well, don't celebrate just yet. Nothing is stopping the ransomware from kicking back in the very next day and encrypting your files once more. Nothing. And WHEN it does, you will find yourself back at square one. The next possible scenario is: you pay, get a key, and it doesn't work. Your files are still encrypted. You lost money. And, to top it all off, you let strangers into your private life by providing your personal and financial details when you completed the payment. Every other scenario is just as bad, if not worse. So why pay at all? You lose either way. Don't give your money to these people! Protect your privacy and make the right choice: forsake your files. Yes, it is hard to do, but it is the wiser decision. As already stated, data can be replaced. What about your privacy?

Petya Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Petya Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

A note before you start: Petya's lock screen appears before Windows loads, so on a machine that has already rebooted into it, none of STEPS 1 to 3 can be carried out from that machine. They apply if you caught the dropper before the crash, or when the disk is being examined from a clean system. Take a full image of the disk before changing anything on it; that image is also what any later recovery attempt will work from.

  • Open Task Manager by pressing CTRL+SHIFT+ESC simultaneously.
  • Locate the ransomware's process. Bear in mind that its name is usually randomly generated.
  • Before you kill the process, note its name and path in a text file for later reference.
  • Locate any suspicious processes associated with the Petya encryption virus.
  • Right-click the process.
  • Choose Open File Location.
  • Choose End Process.
  • Delete the directories containing the suspicious files (keep a copy of the executable somewhere safe if you want it analysed later).
  • Bear in mind that the process can be hidden and very difficult to detect.

STEP 2: Reveal Hidden Files

  • Open any folder.
  • Click the "Organize" button (on Windows 8 and later, open the View tab and click "Options" instead).
  • Choose "Folder and Search Options".
  • Select the "View" tab.
  • Select the "Show hidden files and folders" option.
  • Uncheck "Hide protected operating system files".
  • Click "Apply", then "OK".

STEP 3: Locate the Petya encryption virus startup location

  • Once the operating system loads, press the Windows logo key and the R key simultaneously, type regedit and press Enter.

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the value whose name or data matches the file you noted in STEP 1. The name is random; what gives it away is the path, which typically points into the user profile rather than Program Files or the Windows directory.
  • Then open Explorer, navigate to your %appdata% folder and delete the executable.

You can alternatively use msconfig (or, on Windows 8 and later, the Startup tab of Task Manager) to double-check the execution point of the virus. Bear in mind that the names on your machine may be different, because they are generated randomly; that is why you should also run a reputable scanner to identify malicious files.
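The three steps above can be done in one pass from an elevated PowerShell prompt. The script below is an added example, not part of the original guide: it lists processes running from user-writable directories (STEP 1), hidden executables under the profile (STEP 2), and every Run-key entry in the three keys above, flagging entries that resolve into the profile (STEP 3). It assumes Windows with PowerShell 5.1 or later and an elevated session, and it only reports; it deletes nothing.

```powershell
# Added triage script for removal STEPS 1 to 3 (not from the original guide).
# Assumes Windows, PowerShell 5.1+, elevated session, and that Windows boots.
# Reports only; nothing is killed or deleted.

$userDirs = @($env:APPDATA, $env:LOCALAPPDATA, $env:TEMP) | Where-Object { $_ }

function Test-UserWritablePath {
    param([string]$Path)
    foreach ($dir in $userDirs) {
        if ($Path -like "$dir*") { return $true }
    }
    return $false
}

# STEP 1: processes whose executable lives in a user-writable directory.
Write-Host "== Processes running from user-writable locations =="
Get-Process | Where-Object { $_.Path -and (Test-UserWritablePath $_.Path) } |
    Select-Object Id, ProcessName, Path |
    Format-Table -AutoSize

# STEP 2: hidden or system-flagged executables under the profile directories.
Write-Host "== Hidden executables in profile directories =="
foreach ($dir in $userDirs) {
    Get-ChildItem -Path $dir -Recurse -Force -Include *.exe,*.dll,*.scr -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -match 'Hidden|System' } |
        Select-Object FullName, Attributes, LastWriteTime
}

# STEP 3: the three Run keys from the guide, flagging values that resolve into
# a user-writable path. HKCU is the hive of the user running the script only.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'
)
Write-Host "== Run-key entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-ItemProperty -Path $key
    foreach ($prop in $item.PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # skip provider metadata properties
        $expanded = [Environment]::ExpandEnvironmentVariables([string]$prop.Value).Trim('"')
        $flag = if (Test-UserWritablePath $expanded) { 'SUSPICIOUS' } else { '' }
        [pscustomobject]@{ Key = $key; Name = $prop.Name; Command = $expanded; Flag = $flag }
    }
}
```

Anything flagged SUSPICIOUS is a candidate, not a verdict: legitimate updaters also start from %LOCALAPPDATA%. Compare the flagged path with the name you noted in STEP 1 before deleting the value, and check other users' hives under HKEY_USERS if the machine is shared.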

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, if you have one. Restore onto a cleanly reinstalled system or a replaced disk, not onto the infected one.
  • Method 2: File recovery software. Many ransomware families encrypt a file by first making a copy of it, encrypting the copy, and then deleting the original, so file recovery software can sometimes bring back the deleted originals. Petya works differently: it encrypts the NTFS Master File Table, the index that says which file lives where, and leaves the file contents on the disk. That means a recovery tool that carves files by their content from a disk image taken on a clean machine may recover data, but without the original names and folder structure.
  • Method 3: Shadow Volume Copies. As a last resort, you can try to restore your files from Shadow Volume Copies using Shadow Explorer: choose the drive you want to recover, right-click any file you want to restore and click Export. Bear in mind that many ransomware families delete shadow copies before encrypting, and that on a disk whose file table Petya has encrypted the copies cannot be read at all, so this method mostly helps against ransomware that encrypts individual files.
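If you would rather not install Shadow Explorer, the same thing can be done from an elevated PowerShell prompt. The script below is an added example, not part of the original guide: it lists the shadow copies Windows knows about, exposes the newest one read-only through a directory symbolic link, and copies one folder out of it. It assumes a machine that still boots Windows with the volume's file table intact; the link name C:\ShadowMount, the choice of the newest snapshot and the destination D:\Recovered are arbitrary assumptions.

```powershell
# Added example (not from the original guide): enumerate Volume Shadow Copies
# and copy files out of one. Assumes an elevated session on a booting Windows
# machine. Link name, snapshot choice and destination are arbitrary assumptions.

$shadows = Get-CimInstance -ClassName Win32_ShadowCopy
if (-not $shadows) {
    Write-Host "No shadow copies exist on this machine (or they have been deleted)."
    return
}

# Show what is available so the right snapshot (one taken before the infection) can be chosen.
$shadows |
    Sort-Object InstallDate |
    Select-Object ID, InstallDate, VolumeName, DeviceObject |
    Format-Table -AutoSize

# Assumption for this example: take the newest snapshot. Pick an older one if
# the newest post-dates the infection.
$chosen = $shadows | Sort-Object InstallDate | Select-Object -Last 1
$mount  = 'C:\ShadowMount'

# Expose the snapshot as a directory symbolic link. mklink needs the trailing
# backslash on the device path, and only reads the snapshot; it changes nothing.
if (Test-Path $mount) { cmd /c rmdir $mount }
cmd /c mklink /d $mount "$($chosen.DeviceObject)\"

# Copy a user's Documents folder from the snapshot to a clean destination drive.
$src = Join-Path $mount "Users\$env:USERNAME\Documents"
$dst = 'D:\Recovered\Documents'    # assumed destination on a different, clean drive
if (Test-Path $src) {
    New-Item -ItemType Directory -Path $dst -Force | Out-Null
    robocopy $src $dst /E /COPY:DAT /R:1 /W:1
} else {
    Write-Host "Folder $src not present in the chosen snapshot."
}

# Remove the link when done. This removes only the link, not the snapshot.
cmd /c rmdir $mount
```

Copy recovered data to a drive the ransomware never touched and scan it before use: a snapshot taken after the dropper ran can contain the dropper itself.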
