How to Remove Petya.a Virus (+Recover Files)

How to Remove Petya.a Ransomware?

Readers recently started to report the following message being displayed when they boot their computer:

    Ooops, your important files are encrypted.

    If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your
    files, but don’t waste your time. Nobody can recover your files without our
    decryption service.

    We guarantee that you can recover all your files safely and easily. All you
    need to do is submit the payment and purchase the decryption key.

    Please follow the instructions:

    1. Send $300 worth of Bitcoin to following address:
    ———————

    2. Send your Bitcoin wallet ID and personal installation key to e-mail
    wowsmith1234569posteo.net. Your personal installation key:
    {Unique Key}

    If you already purchased your key, please enter it below.
    Key:_


You’re stuck with the latest variant of Petya Ransomware. It’s a new, updated version of an already destructive infection. Petya got spread online like wildfire. Apparently, the Petya.a virus is following its malicious footsteps. If you find yourself attacked by this parasite, you’re in serious trouble. Make sure you uninstall the virus as soon as possible because your privacy is at stake. Ransomware is nothing but a cheap attempt for a scam. Hackers don’t develop file-encrypting viruses just for the fun of it. These devious infections try to trick you into buying a decryption key and they are quite effective. After all, this is a very clever technique. Petya.a overall follows the classic rules. It is an updated program, though, so there are some small differences. Instead of encrypting your files one by one, this infection has a new approach. It forces a reboot of your computer. Afterwards, Petya.a encrypts the MFT (Master File Table). In addition to that, the virus messes with the MBR (Master Boot Recorder). If you notice the ransom note, that’s a sign Petya.a  has finished its sneaky modifications. The parasite displays detailed payment instructions and demands that you pay 300 USD. You’re supposed to pay the ransom in Bitcoins. You’re even provided with an email address – wowsmith123456@posteo.net. Stay away from it unless for some reason you’re willing to get scammed. Ransomware is aiming at your bank account. That means restoring your locked data is hackers’ very last intention. All your private information falls victim to the parasite. We’re talking photos, music, documents, videos. Practically anything you’ve stored on board gets locked. Do you keep some important files on your computer? If you do, note that the Internet is filled with ransomware viruses. Now that you’ve seen for yourself how dangerous they are, protect your PC in the future. Make sure you never have to deal with ransomware again and be cautious. Also, we’d recommend keeping backups of your data. This way, you’ll know for sure no file-encrypting pest will attempt to blackmail you. As mentioned, paying the ransom would be a horrible idea. Crooks promise to provide a decryptor in exchange for your Bitcoins. However, there’s absolutely no guarantee you’ll receive anything. The one thing you could be more than positive about is that hackers will steal your money. Don’t become a sponsor of their malicious business. Negotiating with criminals isn’t going to help you free your files. Instead of letting them scam you, delete their tricky infection.

How did I get infected with?

Petya.a has no original infiltration techniques to offer. The virus usually gets spread online via fake emails and email-attachments. You see, it’s up to you whether your computer will remain infection-free or not. Restrain yourself from opening unreliable emails and watch out for malware. One single seemingly safe message could cause you damage too. Unless you pay attention, your curiously could cause you trouble. Restrain yourself from opening anything you don’t trust. There could be a whole bunch of parasites hidden in there. More often than not, hackers use fake logos to make you believe their emails are legitimate. However, bear in mind this is the most commonly used virus infiltration tactic out there. Also, keep an eye out for exploit kits, unverified programs and third-party pop-up ads. Those may turn out to be malicious too. Last but not least, avoid random torrents and illegitimate websites. Do not allow cyber crooks to harass you again and always be cautious.

Remove Petya.a

Why is Petya.a dangerous?

The ransomware attempts to steal your money. By encrypting your files, Petya.a starts playing mind games with you. It modifies a huge variety of formats thus inevitably causing a mess. Many people would panic seeing these changes out of the blue. That’s what crooks rely on so don’t give into your frustration. You will not solve the problem by paying the ransom demanded. On the other hand, you will worsen your situation drastically. Paying might disclose some private information and hackers are the last people who should have access to such data. Forget about the decryptor you were promised and tackle the ransomware now. Otherwise, hackers could eventually involve you in a nasty cyber fraud. To delete this pest of a program for good, please follow our detailed manual removal guide. You will find it down below.

Petya.a Removal Instructions

STEP 1: Kill the Malicious Process

STEP 2: Reveal Hidden Files

STEP 3: Locate Startup Location

STEP 4: Recover Petya.a Encrypted Files

STEP 1: Stop the malicious process using Windows Task Manager

  • Open your task Manager by pressing CTRL+SHIFT+ESC keys simultaneously
  • Locate the process of the ransomware. Have in mind that this is usually a random generated file.
  • Before you kill the process, type the name on a text document for later reference.

end-malicious-process

  • Locate any suspicious processes associated with Petya.a encryption Virus.
  • Right click on the process
  • Open File Location
  • End Process
  • Delete the directories with the suspicious files.
  • Have in mind that the process can be hiding and very difficult to detect

STEP 2: Reveal Hidden Files

  • Open any folder
  • Click on “Organize” button
  • Choose “Folder and Search Options”
  • Select the “View” tab
  • Select “Show hidden files and folders” option
  • Uncheck “Hide protected operating system files”
  • Click “Apply” and “OK” button

STEP 3: Locate Petya.a encryption Virus startup location

  • Once the operating system loads press simultaneously the Windows Logo Button and the R key.

win-plus-r

Depending on your OS (x86 or x64) navigate to:

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] or
[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run]

  • and delete the display Name: [RANDOM]

delete backgroundcontainer

  • Then open your explorer and navigate to:

Navigate to your %appdata% folder and delete the executable.

You can alternatively use your msconfig windows program to double check the execution point of the virus. Please, have in mind that the names in your machine might be different as they might be generated randomly, that’s why you should run any professional scanner to identify malicious files.

STEP 4: How to recover encrypted files?

  • Method 1: The first and best method is to restore your data from a recent backup, in case that you have one.

windows system restore

  • Method 2: File Recovery Software – Usually when the ransomware encrypts a file it first makes a copy of it, encrypts the copy, and then deletes the original. Due to this you may try to use file recovery software to recover some of your original files.
  • Method 3: Shadow Volume Copies – As a last resort, you can try to restore your files via Shadow Volume Copies. Open the Shadow Explorer part of the package and choose the Drive you want to recover. Right click on any file you want to restore and click Export on it.

Leave a Comment