Petya Ransomware

There is a new beast on the horizon that takes its victims rapidly, and its name is Petya Ransomware. This Trojan ransomware is a dangerous malware infection that mostly targets German companies. However, it does not mean that it cannot show up on your computer as well. This infection claims to encrypt your hard disks with a “military grade encryption algorithm” that is unbreakable without the private key. Obviously, this private key can only be obtained if you pay the ransom fee. This Trojan encrypts all your files, but, if it is possible, it causes even more problems by overwriting the boot files required to load Windows, i.e., the master boot record (MBR). In order to remove Petya Ransomware, you must first fix the MBR. Nevertheless, we must mention that this will not bring your files back. If this infection manages to finish the encryption, you can only recover your files if you have a backup copy on an external drive or you pay the ransom. Please remember that you are dealing with criminals who may not keep their word. If you want to learn more about this infection, please continue reading our article.

This Trojan targets its victims via spam e-mails. These e-mails contain a download link to Dropbox. When you click on this link, you download a file is named "application folder-gepackt.exe". If you run this file, it will start its vicious operation on your computer. Therefore, it is quite clear how you can actually nip this attack in the bud. First, you should not open e-mails from unknown senders. Second, even if you open e-mails that may look authentic and legitimate, do not click on links and attachments unless you are certain that these were meant for you. Do not fully trust your spam filter and believe that all the e-mails in your inbox are totally reliable. Most Trojans use spam e-mails as one of the main distribution methods. If you are careful enough, you may prevent such a nightmare from becoming reality.

We have found that this Trojan ransomware behaves somewhat different from other similar infections, such as Rokku Ransomware and Redshitline Ransomware. When you launch the executable file, your computer restarts instantly. At this point your MBR is already modified and a disk check starts up very similar to that of chkdsk; however, this tool is custom-made by Petya Ransomware authors to frighten users from shutting down the computer. This is the actual warning message that is displayed on your screen: “DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!”

While on the surface it looks like there is some system error that triggered this disk check, this ransomware is indeed encrypting your files in the background. Petya Ransomware claims to use RSA-4096 and AES-256 encryption algorithms. When this fake disk repair finishes or if the user tries to reboot the system, a red flashing skeleton appears that is made up of ASCII characters as well as a text saying “PRESS ANY KEY!” After you press a key, another red window is displayed but this time with the ransom note. This informs you about the fact that your disks have been encrypted and you have to purchase the private key through the provided darknet addresses, which can be accessed with the Tor browser. Reports claim that the ransom fee starts from around 0.9 BTC, which is approximately 400 USD. Obviously, when companies are targeted, this could go up to a few thousand dollars. We know about a hospital in the US that was hit by a ransomware infection and in that case 17,000 USD was extorted for the release of the encrypted files.

Victims usually get 12-72 hours; however, in this case, a “generous” seven days are given for you to comply with the demands. If you fail to do so, the ransom fee is said to be doubled. As a matter of fact, there is a slight chance that you can save your files from this ugly Trojan, if you realize in time that you have been hit by it. Since it is quite obvious from the immediate restart and the fake disk checking process that your computer is under attack by this ransomware, you can unplug your PC quickly and follow our instructions below to recover your system. This way you may lose a few files but you might be able to save the majority. However, the best way to make sure that your files are always protected is to regularly make backup copies on an external drive; unless, of course, you are willing to install an up-to-date anti-malware application that would automatically protect your PC from such malicious attacks.

Unfortunately, this dangerous Trojan does not have an uninstaller that you could use via Control Panel to eliminate this threat. However, even if you cannot recover your files, you must remove Petya Ransomware immediately because it will always start up with your system and ruin your new files. It is, of course, your decision whether you pay the ransom or not. But please consider that reports show that crooks rarely deliver the private keys even if you pay. What we can help you with is a manual method to delete Petya Ransomware from your PC. Please follow the instructions carefully for the best result. First, you have to fix the master boot record and then, get rid of the malicious file. Keep in mind that repairing the MBR may be a risky process. Only choose to do it, if you are sure that this Trojan has infected your computer and you refuse to pay the ransom fee. If you have any questions, please leave us a comment below.
Remove Petya Ransomware from Windows

Fix the MBR

Windows XP

1. Reboot your PC from the Windows XP CD.
2. At the Welcome to Setup screen, press "R" to launch the Recovery Console.
3. At the “Which Windows installation would you like to log onto” question, type "1" and hit Enter, if this is the only operating system on your hard drive.
4. At the “Type the Administrator password” question, enter the password and hit Enter.
5. In the Command Prompt window type fixmbr.
6. Press "Y" when the “Are you sure you want to write a new MBR?” message shows up and press Enter.
7. Remove your Windows XP CD and type exit.
8. Hit Enter and reboot your computer.

Windows Vista

1. Reboot your PC from your Windows Vista installation CD/DVD.
2. When the Welcome screen comes up, click on Repair your computer.
3. Select your operating system and click Next.
4. When the System Recovery Options window appears, click on Command Prompt.
5. In the Command Prompt window type in the following commands pressing Enter after each:
   bootrec /FixMbr
   bootrec /FixBoot
   bootrec /RebuildBcd
6. Once the operation is done and it is a success, remove the CD/DVD.
7. Type exit, hit Enter, and reboot your computer.

Windows 7

1. Reboot your PC from your Windows 7 installation CD/DVD.
2. Select the operating system and click Next but make sure that the “Use recovery tools that can help fix problems starting Windows” is checked.
3. At the System Recovery Options screen, choose Command Prompt.
4. Type in the following commands and hit Enter after each:
   bootrec /rebuildbcd
   bootrec /fixmbr
   bootrec /fixboot
5. Once the operation is done and it is a success, remove the CD/DVD.
6. Reboot your computer.

Windows 8, Windows 8.1, and Windows 10

1. Reboot your PC from your original installation DVD.
2. At the Welcome screen, click Repair your computer.
3. Select Troubleshoot and pick Command Prompt.
4. Type in the following commands and hit Enter after each:
   bootrec /FixMbr
   bootrec /FixBoot
   bootrec /ScanOs
   bootrec /RebuildBcd
5. Remove the DVD and type exit.
6. Hit Enter and restart your PC.

Remove the malicious file

1. Press Win+E to launch File Explorer.
2. Locate and delete the malicious file “application folder-gepackt.exe” (it has to be where you downloaded it).
3. Check the %Temp% directory for any copies of the malicious file and delete them.
4. Empty your Recycle Bin.
5. Restart your computer.