An increasing number of Windows users have been reporting that they can no longer reach the data on their computers after an infection that calls itself the “Petya Ransomware”. The case is atypical for crypto trojans, because the infection overwrites the MBR (Master Boot Record), so victims cannot even start the operating system in the normal way. What they see right after the computer powers on is a screen announcing the attack and listing three steps to recover the data. According to the message, the victim needs to download Tor Browser, visit a specified .onion page, enter their personal decryption code there and pay the ransom in Bitcoin. The bulk of the infected users are in Germany at this point, but the threat does not appear to have hard-coded geo-restrictions, so it has the potential to spread further.
“You became victim of the PETYA RANSOMWARE!”
In most cases, the infection starts when a person opens a ZIP archive or a file resembling a Microsoft Office document attached to an email crafted to look plausible, such as a package delivery report or a payroll notification. Once executed, Petya does not encrypt files one by one the way most crypto trojans do. It overwrites the Master Boot Record of the system disk with its own boot code, forces a crash and reboot, and on the next start shows a fake CHKDSK progress screen while it encrypts the NTFS Master File Table (MFT) with a stream cipher (Salsa20). The file contents are mostly left in place on disk, but without the MFT the file system cannot be read, so the effect is the same as strong file encryption: the data is unreachable through any regular application or method. Because the boot sector is replaced, the user cannot even reach the desktop, which makes the compromise harder to handle than usual. It is noteworthy that ransomware operators hardly ever employ this kind of intimidation tactic, so Petya is certainly not a run-of-the-mill scam.
There is no reliable information on the ransom amount so far; it may vary with how critical the frozen data is and how many machines were hit. Administrators of compromised corporate networks may be asked for as much as 3 to 5 Bitcoin, which at current rates is thousands of US dollars. The extortionists’ appetites grow as their capabilities advance.
Obviously, troubleshooting under these circumstances has to start with getting at the disk without booting from it. Power the machine down, turn it back on and repeatedly press F2, ESC or DEL to enter the BIOS/UEFI setup, go to the Boot tab, and put a trusted external device first: a Windows installation or recovery USB stick, or a rescue disc from your antivirus vendor. Save the changes and exit. Be aware that changing the boot order does not undo the damage: the infected MBR is still on the internal disk, and because the MFT is encrypted, Windows will not start from it even if the boot code is rebuilt with bootrec /fixmbr from the recovery environment. Do not overwrite the boot sector before taking a full image of the disk, since Petya’s own boot code is the only built-in path for applying a decryption key should one become available. Booting from external media does let you image the disk for later recovery attempts and scan it with the infection not in control. After that, follow the anti-ransomware steps below and try to retrieve what is recoverable.
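Once the suspect disk is attached to a clean machine, or you are in a recovery environment that has PowerShell, a quick way to tell whether its boot code has been tampered with is to read sector 0 and compare it with a known-good baseline. The script below is an added example written for this guide, not a tool from the original article: it checks the MBR boot signature, parses the partition table, and hashes the 440 bytes of boot code so they can be compared with a hash you computed yourself on a clean machine with the same Windows version. The device path and the baseline hash are placeholders you must adjust. It only reads from the disk.

```powershell
# Added example (not from the original article): triage a disk's Master Boot Record.
# Run from an elevated PowerShell with the suspect disk attached. Reads sector 0 only.
param(
    # Raw device path; PhysicalDrive0 is an assumption, check Get-Disk to pick the right one
    [string]$Disk = '\\.\PhysicalDrive0',
    # SHA-256 of bytes 0-439 taken from a known-clean machine with the same Windows
    # version (placeholder, compute your own with this same script on that machine)
    [string]$BaselineSha256 = 'REPLACE-WITH-YOUR-BASELINE'
)

$SectorSize = 512
$mbr = New-Object byte[] $SectorSize
$stream = New-Object System.IO.FileStream($Disk, [IO.FileMode]::Open, [IO.FileAccess]::Read, [IO.FileShare]::ReadWrite)
try {
    if ($stream.Read($mbr, 0, $SectorSize) -ne $SectorSize) { throw "Short read from $Disk" }
} finally {
    $stream.Dispose()
}

# Boot signature 0x55 0xAA at offset 0x1FE. Malicious boot code keeps a valid signature
# (it has to, or the firmware would not run it), so a valid signature proves nothing;
# a missing one means the sector is corrupt.
$bootSignatureOk = ($mbr[0x1FE] -eq 0x55) -and ($mbr[0x1FF] -eq 0xAA)

# Hash only the boot code (bytes 0-439). The NT disk signature at 440-443 differs per
# machine, so including it would make every disk look "modified".
$sha256   = [System.Security.Cryptography.SHA256]::Create()
$bootHash = ([BitConverter]::ToString($sha256.ComputeHash($mbr, 0, 440))).Replace('-', '')

# Four 16-byte partition entries at 0x1BE: status, CHS start, type, CHS end,
# LBA start (4 bytes LE), sector count (4 bytes LE). A GPT disk shows a single
# protective entry of type 0xEE; Petya targets MBR-booted systems.
$partitions = for ($i = 0; $i -lt 4; $i++) {
    $o = 0x1BE + 16 * $i
    if ($mbr[$o + 4] -eq 0) { continue }   # empty slot
    [pscustomobject]@{
        Entry    = $i
        Bootable = ($mbr[$o] -eq 0x80)
        Type     = '0x{0:X2}' -f $mbr[$o + 4]
        StartLBA = [BitConverter]::ToUInt32($mbr, $o + 8)
        Sectors  = [BitConverter]::ToUInt32($mbr, $o + 12)
    }
}

[pscustomobject]@{
    Disk            = $Disk
    BootSignatureOk = $bootSignatureOk
    BootCodeSha256  = $bootHash
    MatchesBaseline = ($bootHash -eq $BaselineSha256.ToUpperInvariant())
    Partitions      = $partitions
} | Format-List
```

A mismatch against the baseline is a reason to preserve the image and look closer, not proof of Petya on its own: OEM recovery tools and some boot managers also ship their own MBR code, so build the baseline from the same hardware and Windows build where you can.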
Automatic removal with a reputable security suite is the most efficient way to deal with malware in general and ransomware in particular: it detects all of the infection’s components and removes them in one pass. Be advised, though, that removing the infection and recovering your files are two different things; removal is still essential, because the infection has been reported to install other Trojans while it operates.
As noted above, Petya applies strong crypto to make the data inaccessible, so there is no magic wand that restores everything in the blink of an eye, except of course paying the unthinkable ransom. There are, however, techniques that can help recover the important things; here is what they are.
Automatic file recovery software
Many file-encrypting ransomware families write an encrypted copy of each file and then delete the original, so undelete tools such as Data Recovery Pro can sometimes bring the deleted originals back, even after a “secure” delete, and that workaround has proved reasonably effective against them. Petya’s original variant works differently: it encrypts the NTFS MFT rather than individual files, so the file contents largely remain on disk but the file system can no longer locate them. Here the right tool is not file-level undelete but disk-level recovery run against an image of the drive taken while booted from external media: carving tools that recognise file headers can pull many files out of the raw sectors, though without their names and folder structure.
Shadow Volume Copies
This approach relies on Volume Shadow Copies, the snapshots Windows takes of a volume whenever a restore point is created. Two conditions apply: System Protection (System Restore) must have been enabled before the infection, and the ransomware must not have deleted the snapshots, which many families do with vssadmin before encrypting. Changes made to a file after the most recent snapshot are not reflected in the recovered version. Note also that shadow copies live on the same volume as the files; with Petya’s original variant, which encrypts that volume’s MFT, they are unreadable until the file system itself is recovered.
Any file’s Properties dialog has a tab called Previous Versions, which lists the backed-up versions and lets you recover one. Right-click the file, choose Properties, open that tab and select Copy or Restore, depending on where you want the file recovered to.
Shadow Explorer automates the same process (retrieving Shadow Volume Copies) in a more convenient way: download and install it, run it, browse to the files and folders whose previous versions you want, then right-click any entry and choose Export.
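The same retrieval can be scripted when many files are involved. The PowerShell below is an added example written for this guide, not code from the article or from Shadow Explorer: it lists the shadow copies of C:, exposes each one through a temporary directory symlink (the usual way to reach the \\?\GLOBALROOT shadow device path), and copies one file’s previous version out of every snapshot into a recovery folder, timestamped so you can pick the version that predates the infection. The file path is an assumed example. Run it elevated on a volume whose file system is readable, which for Petya’s original variant means after the MFT has been recovered, or on a machine hit by a file-encrypting variant.

```powershell
# Added example (not from the original article): pull a file's previous versions out of
# every Volume Shadow Copy of C:. Run from an elevated PowerShell on the affected machine.
param(
    # Path relative to the root of C:; an assumed example, replace with the file you need
    [string]$RelativePath = 'Users\Alice\Documents\report.docx',
    [string]$OutDir = 'C:\Recovered'
)

# Map volume GUID paths (\\?\Volume{...}\) to drive letters so we can pick the C: snapshots.
$driveByVolume = @{}
Get-CimInstance Win32_Volume | ForEach-Object { $driveByVolume[$_.DeviceID] = $_.DriveLetter }

$copies = Get-CimInstance Win32_ShadowCopy |
    Where-Object { $driveByVolume[$_.VolumeName] -eq 'C:' } |
    Sort-Object InstallDate -Descending

if (-not $copies) {
    # Many ransomware families run "vssadmin delete shadows /all" first; an empty list is itself a finding.
    Write-Warning 'No shadow copies found for C:. Fall back to offline or cloud backups.'
    return
}

New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

foreach ($sc in $copies) {
    # The shadow device (\\?\GLOBALROOT\Device\HarddiskVolumeShadowCopyN) is not directly
    # browsable; a directory symlink with a trailing backslash turns it into a normal path.
    $link = Join-Path $env:TEMP ('vss_' + $sc.ID.Trim('{}'))
    if (Test-Path $link) { cmd /c rmdir "$link" | Out-Null }
    cmd /c mklink /d "$link" "$($sc.DeviceObject)\" | Out-Null
    try {
        $src = Join-Path $link $RelativePath
        if (-not (Test-Path $src)) { continue }   # file did not exist at snapshot time
        $stamp = $sc.InstallDate.ToString('yyyyMMdd-HHmmss')
        $dst   = Join-Path $OutDir ('{0}_{1}' -f $stamp, (Split-Path $RelativePath -Leaf))
        Copy-Item -Path $src -Destination $dst
        [pscustomobject]@{
            ShadowCopy = $sc.ID
            Created    = $sc.InstallDate
            Restored   = $dst
            Bytes      = (Get-Item $dst).Length
        }
    } finally {
        # rmdir on a directory symlink removes the link only, never the snapshot contents.
        cmd /c rmdir "$link" | Out-Null
    }
}
```

Compare the restored copies with the encrypted one by size and by opening them, and keep the newest version whose timestamp precedes the first sign of infection. The snapshots are read-only, so nothing the script does can damage them; the one destructive action a ransomware operator cares about, deleting them, is exactly what the empty-list warning is there to surface.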
Of all the options that do not involve paying, this is the best one. If you had been backing up your data to an external server or a cloud service before the ransomware hit, restoring the files locked by Petya is as simple as logging into that service, selecting the right files and starting the restore. Before you do, however, make sure the ransomware has been completely removed from the computer, or, with the system disk unbootable, restore onto a reinstalled or different machine; otherwise the restored files may be hit again.
If you opted for manual cleanup, some fragments of the ransomware may remain as obfuscated files or registry entries. To make sure no malicious components are left, scan the computer with a reliable security suite.