About Petya ransomware
At the moment the spread of the virus is so rapid that some state services have disconnected all communications with the Internet. The first versions of Petya were discovered much earlier; however, today a new version of Petya is rampant on the network. So far it is known that the “new Petya” encrypts the MBR boot sector of the disk and replaces it with its own, which is a brand new thing in the world of ransomware; its companion #Misha arrives later and encrypts all files on the disk. Petya and Misha are not new, but there has never been such a global spread before. Even really well-protected companies have suffered. Everything is encrypted, including the original boot sectors, and all you can do after turning on the computer is read the text left by the cyber criminals. This virus spreads using the latest, supposedly 0-day vulnerabilities.
The problem is that to overwrite the MBR, Petya needs to reboot the computer, which panicking users readily do. That is the wrong decision.
Of the current recommendations, we would advise NOT to turn off the computer if the encryptor is found, but to put it into sleep mode (ACPI S3 Sleep, suspend to RAM), and to disconnect it from the Internet without fail.
Tools to decrypt your files:
To identify the file encryptor, terminate all local tasks and check for the presence of the following file:
C:\Windows\perfc.dat
The specialists of Positive Technologies have found a local “kill switch” for Petya: you can stop the encryptor by creating the file C:\Windows\perfc (perfc is a file without an extension).
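As an added example (not part of the original article): a PowerShell script that checks for the perfc.dat indicator named above and creates the extensionless perfc kill-switch file. It assumes an elevated (Administrator) session and that $env:SystemRoot is the Windows directory.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
$windir     = $env:SystemRoot                  # normally C:\Windows
$indicator  = Join-Path $windir 'perfc.dat'    # file the article names as an infection indicator
$killSwitch = Join-Path $windir 'perfc'        # extensionless kill-switch file

# 1. Indicator check: the presence of perfc.dat suggests the encryptor is already on the host.
if (Test-Path -LiteralPath $indicator) {
    Write-Warning "Found $indicator - this host may already be infected. Do NOT reboot; suspend to RAM (S3) and disconnect from the network."
} else {
    Write-Output "No $indicator present."
}

# 2. Kill switch: create the empty perfc file if it does not exist yet.
if (-not (Test-Path -LiteralPath $killSwitch)) {
    New-Item -Path $killSwitch -ItemType File -Force | Out-Null
    Write-Output "Created kill-switch file $killSwitch"
} else {
    Write-Output "Kill-switch file $killSwitch already exists."
}

# 3. Mark it read-only so it is not deleted by accident.
Set-ItemProperty -LiteralPath $killSwitch -Name IsReadOnly -Value $true
```

The script only creates the file and reports what it found; it does not remove anything, so it is safe to run on hosts that are not infected.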
Depending on the version of Windows OS, install the patch from the Microsoft resource (attention: this does not guarantee 100% security, because the virus has many infection vectors):
- for Windows XP
- for Windows Vista 32 bit
- for Windows Vista 64 bit
- for Windows 7 32 bit
- for Windows 7 64 bit
- for Windows 8 32 bit
- for Windows 8 64 bit
- for Windows 10 32 bit
- for Windows 10 64 bit
Find links to download the appropriate patches for other (less common and server) versions of Windows OS right here on the Microsoft website.
UPD7: It seems that the new Petya.A subspecies that attacked Ukraine today uses a combination of the vulnerabilities CVE-2017-0199 and MS17-010 (ETERNALBLUE, used in WannaCry, from the ShadowBrokers leak).
UPD9: According to information from the Facebook page of the cyber police of Ukraine (not verified), one of the vectors of the attack on Ukrainian businesses was the spread of the virus through the program M.E.doc (software for electronic reporting and workflow).
Most likely the developers of M.E.doc were also hacked and the update was planted by the attackers, but this information has not yet been verified.
There is also good news: if you see the computer restart and the beginning of a “disk check” process, you need to shut down the computer immediately, and the files will remain unencrypted. Booting from a LiveCD or USB drive will then give access to the files.
STEP 1. Recover files from Petya ransomware encryption
There are a lot of different ransomware viruses on the Internet. Some of them are more dangerous than others because they not only leave malicious processes behind to protect themselves, but also remove backups of your system to make recovery impossible.
Please note: not all ransomware infections are able to remove backups of your system, so it is always worth trying the Windows recovery method below. In order to protect your backups from this danger, try our Anti-Ransomware product:
STEP 2. Removing Petya ransomware malicious files
Once the recovery process is complete, you should consider scanning your computer with GridinSoft Anti-Malware in order to find any traces of the Petya infection. Though some ransomware viruses remove themselves right after encrypting your files, some may leave malicious processes on your computer for the special purposes of cyber criminals. We recommend turning on On-Run Protection; it helps to prevent viruses on your PC.
- Run GridinSoft Anti-Malware and choose the scan type that suits your needs. Of course, for the most accurate scan results we recommend choosing the “Full Scan”.
- Give Anti-Malware a little time to check your system:
- Move to quarantine all the viruses and unwanted files that you see in the results list:
- Enjoy the malware removal process:
Use of On-Run Protection may additionally prevent different types of cyber attacks: our protection may flag the downloader of the ransomware as a malicious application, preventing the download of Petya.
STEP 3. Prevent the Petya ransomware infection with GridinSoft Anti-Ransomware
Despite the fact that some ransomware can remove backups of your OS, our product GridinSoft Anti-Ransomware is able to protect them from removal in the first place. When some kind of malicious program or ransomware virus tries to delete your backups, our program intercepts this request and blocks the process that sent it.
Note: the product is still in its beta testing phase, so some bugs and glitches are possible.
Besides the protection tool, you should read and learn a few simple rules. Follow them every time you work on your computer and you will reduce the chances of infection to a minimum:
- Don’t open suspicious spam letters. No way! Be very careful with your downloads. Download and install software preferably from its official website.
- Back up your important files regularly. Storing your really important files in a few different places is a good decision.
- Keep your system free from adware, hijackers and PUPs. An infected computer is more likely to be compromised with other malicious software, and ransomware is no exception.
- Don’t panic and be reasonable. Don’t pay the ransom fee right after you get infected; it is always best to search on the Internet for answers first. It is possible that someone has developed a decryption tool that might help you.