Petya virus: what it is and how to delete it? Let’s secure ourselves!


About Petya ransomware

At the moment the virus is spreading so rapidly that some state services have disconnected entirely from the Internet. The first versions of Petya were discovered much earlier, but today a new version of Petya is rampant on the network. So far it is known that the “New Petya” encrypts the MBR boot sector of the disk and replaces it with its own, which is a “brand new” thing in the world of ransomware; its companion #Misha arrives later and encrypts all files on the disk. Petya and Misha are not new, but there has never been such a global spread before. Even well-protected companies have suffered. Everything is encrypted, including the original boot sectors, and all you can do after turning on the computer is read the cyber criminals’ ransom text. This virus spreads using the latest, supposedly 0-day, vulnerabilities.

[Image: Petya virus encryption screen]

The problem is that, to overwrite the MBR, Petya needs the computer to reboot, which panicking users readily do. That panic decision is the wrong one.
Of the current recommendations, we would advise NOT turning the computer off if the encryptor is found, but putting it into ACPI S3 sleep mode (suspend to RAM) and, without fail, disconnecting it from the Internet.

Tools to decrypt your files:

UPD 6:
To identify the file encryptor, finish all local tasks and check for the presence of the following file:

C:\Windows\perfc.dat

The specialists of Positive Technologies have found a local “kill switch” for Petya: you can stop the encryptor by creating the file C:\Windows\perfc (perfc, a file without an extension).
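The check and the kill-switch step above can be scripted so they are done the same way on every machine. The following PowerShell script is an added example, not code from the original article or from Positive Technologies; it assumes it is run from an elevated prompt on the Windows host in question and uses only the two file names the post gives (perfc and perfc.dat). It reports whether each file already exists and, if not, creates an empty read-only file in its place.

```powershell
# Added example (not from the original article): inspect and create the
# Petya kill-switch files named in the post. Run from an elevated prompt.
$windir = $env:SystemRoot                     # normally C:\Windows
$killSwitchFiles = @('perfc', 'perfc.dat')    # names taken from the post

foreach ($name in $killSwitchFiles) {
    $path = Join-Path -Path $windir -ChildPath $name

    if (Test-Path -LiteralPath $path) {
        # Already present: just report what is there so an admin can review it.
        $item = Get-Item -LiteralPath $path
        Write-Host ("Present: {0} ({1} bytes, ReadOnly={2})" -f $path, $item.Length, $item.IsReadOnly)
    } else {
        # Create an empty file and mark it read-only so it is not trivially replaced.
        New-Item -Path $path -ItemType File -Force | Out-Null
        Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        Write-Host "Created read-only kill-switch file: $path"
    }
}
```

The script is deliberately conservative: it never overwrites a file that already exists, so an unexpected perfc.dat that is already on the machine is reported rather than replaced, which is the signal the post tells you to look for.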

Depending on your version of Windows, install the patch from the Microsoft resource (attention: this does not guarantee 100% security, because the virus has many infection vectors):

Links to download the appropriate patches for other (less common and server) versions of Windows can be found on the Microsoft website.

UPD7: It seems that the new Petya.A variant that attacked Ukraine today combines the vulnerabilities CVE-2017-0199 and MS17-010 (ETERNALBLUE, which was leaked by the ShadowBrokers and used in WannaCry).

You can download the current patch from Microsoft, and one more.
UPD8: A bot has already appeared on the network that monitors ransom payments for decrypting files infected with Petya.

UPD9: According to information from the Ukrainian cyber police’s Facebook page (not verified), one of the attack vectors against Ukrainian businesses was the spread of the virus through the M.E.doc program (software for electronic reporting and document workflow).

Most likely the M.E.doc developers were also hacked and a malicious update was pushed by the attackers, but this information has not yet been verified.

There is also good news: if you see the computer restart and the “disk check” process begin, shut the computer down immediately and the files will remain unencrypted. Booting from a LiveCD or USB drive will then give access to the files.


STEP 1. Recover files from Petya ransomware encryption

There are a lot of different ransomware viruses on the Internet. Some of them are more dangerous than others, because they not only leave malicious processes behind to protect themselves, but also remove your system backups to make recovery impossible.

Please note: not all ransomware infections are able to remove your system backups, so it is always worth trying the Windows recovery method below. To protect your backups from this danger, try our Anti-Ransomware product:

Read more about Petya Ransomware.

STEP 2. Removing Petya ransomware malicious files

Once the recovery process is complete, you should consider scanning your computer with GridinSoft Anti-Malware to find any traces of the Petya infection. Though some ransomware viruses remove themselves right after encrypting your files, some may leave malicious processes on your computer for the cyber criminals’ own purposes. We recommend turning On-Run Protection on; it helps prevent viruses on your PC.

  1. Run GridinSoft Anti-Malware and choose the scan type that suits your needs. For the most accurate scan results we recommend choosing “Full Scan”.
    [Image: GridinSoft Anti-Malware scan types]

  2. Give Anti-Malware a little time to check your system; please wait until the scan has completed.
    [Image: Anti-Malware scan process]

  3. Move all the viruses and unwanted files you see in the results list to quarantine.
    [Image: GridinSoft Anti-Malware scan results]

  4. Let the malware removal process finish.
    [Image: Removal process completed. Your system is clean!]

Using On-Run Protection may additionally prevent other types of cyber attacks: our protection may flag the ransomware’s downloader as a malicious application and so prevent Petya from being downloaded at all.

GridinSoft Anti-Malware Petya protection

STEP 3. Prevent the Petya ransomware infection with GridinSoft Anti-Ransomware

Although some ransomware can remove your OS backups, our product GridinSoft Anti-Ransomware is able to protect them from removal in the first place. When a malicious program or ransomware virus tries to delete your backups, our program intercepts this request and blocks the process that sent it.
Note: the product is still in its Beta testing phase, so some bugs and glitches are possible.
Besides the protection tool, you should read and learn a few simple rules. Follow them every time you work on your computer and you will reduce your chances of infection to a minimum:

  • Don’t open suspicious spam letters. No way! Be very careful with your downloads; download and install software preferably from its official website.
  • Back up your important files regularly. Storing your really important files in a few different places is a good decision.
  • Keep your system free from adware, hijackers and PUPs. An infected computer is more likely to be compromised with other malicious software, and ransomware is no exception.
  • Don’t panic, and be reasonable. Don’t pay the ransom right after you get infected; it is always best to search the Internet for answers first. It is possible that someone has developed a decryption tool that might help you.