Home > HOW TO GUIDES > Decrypt Drives Encrypted by Petya Ransomware Using Petya Sector Extractor

Decrypt Drives Encrypted by Petya Ransomware Using Petya Sector Extractor

how-to-DECRYPT-PETYA-RANSOMWARE-SENSORSTECHFORUMPetya ransomware is one of the most dangerous ransom viruses ever to be encountered. It is very good news that finally, a decryptor called Petya Sector Extractor had been released which-which you can be able to recover files from it. It is unfortunate, however, that this decryptor only works for Petya ransomware and may not work with its “sister” virus, called Mischa ransomware. Since it is a bit tech savvy for users to decrypt their drives, we have designed a tutorial to help explain how to successfully and simply decrypt your hard drive if it has been enciphered by Petya Ransomware. Of course for this tutorial to work, you should have left the drive as it was from the moment of infection because these instructions will not work on a formatted drive. Before we begin, let’s quickly review this virus and what it does.

Update July 2017! – Petya Sector Extractor’s website is not active at the moment and even if it was, the new virus encrypts the drives in a irreversible way. This is why we have designed theoretical instructions with which you can try to recover at least some of the files.

Petya Ransomware – Quick Background

This virus is classified by malware analysts as ransomware, meaning that it uses either one or another method to deny access to the user of the computer to his or her files and ask for ransom payoff to grant it back. To accomplish this, exploit kits and JavaScripts, as well as malicious process obfuscators, are being used in spam e-mail campaigns, file sharing websites, chat services, and social media as well.

After encryption, Petya locks the screen of the user displaying its distinctive red/white skull background:


This is very familiar to the lock screen of Mischa ransomware which however has a different distinctive colors.

Either way, the principle is all the same – the virus immediately causes a BSOD screen, after which attacks the MBR (Master Boot Record) of the infected computer, making it no longer usable. After this, it sets its own boot screen. Users were left with no choice but to pay a ransom “fee” of 0.9 BTC, until now since a free decryptor has finally been released. The response after this is that Petya ransomware bonded with Mischa ransomware to make an even more powerful virus. This is why we are aiming not only to show in this article how to recover your files but to prevent this from happening ever again on your computer.

Petya Ransomware – Decryption Instructions

Preparation Phase

To begin decrypting drives by Petya ransomware, you will need the tools to work with first:

  • A screwdriver, corresponding to your desktop/laptop.
  • A secure computer that is scanned for malware and cleaned and has a proper ransomware protection.
  • Patience.

First of all, you should choose the safe computer from which to scan your files to be a powerful Windows machine which is also secured. This is why we recommend following these steps to secure it:

1. Download an advanced malware protection program.


Malware Removal Tool

Spy Hunter scanner will only detect the threat. If you want the threat to be automatically removed, you need to purchase the full version of the anti-malware tool.Find Out More About SpyHunter Anti-Malware Tool / How to Uninstall SpyHunter
2. Download a relevant ransomware protection program.
3. Download a relevant cloud backup program that backups copies of your files on a secure server and even if your computer is affected you will stay protected. For more information you can also check another methods to safely store your data here.

After securing the test PC, you should prepare it for the decryption process which will most likely be lengthy. This is why we recommend changing the power settings so that your decryption computer does not automatically hibernate or sleep while left decrypting the drive.

Step 1: Click on the battery icon in your system tray (next to the digital clock) in Windows and then click on More Power Options.
Step 2:The mighty Power options menu will appear. In your power plan click on Change Plan Settings.
Step 3: In your plan’s settings make sure you set “Turn off the display” and “Put computer to sleep” to “Never” from the drop down minutes menu.
Step 4: Click on Save Changes and close it.
Decryption Phase

For the decryption process, we have outlined several often-met drive migration scenarios which can be possible between different computers:

  • From Laptop to Laptop with no extra components.
  • From Desktop to Desktop with no extra components.
  • From Laptop to Desktop with a SATA cable if the Desktop has an outdated chipset.
  • From Desktop to Laptop with a SATA cable if the Laptop has a newer chipset.

To simplify the process, we recommend you to choose machines that do not require any extra cables or components for the drive to run on them. In case you do not have such possibility, we recommend using an external SATA-USB adapter. Let’s begin!

Decryption Phase

Step 1: Remove battery and power from your laptop. For desktop computers, please remove eliminate the power from the contact.

Step 2: Using the screwdriver, unscrew the case which carries the hard drive. For laptops, you should follow these steps:


Step 3: Remove the hard drive again with the screwdriver. It will look similar to the one on the picture below:


Step 4: Plug-in the hard drive on a secure computer which has an internet connection and Windows installed and screw it in firmly. If connected directly, the hard drive should be detected by the OS as a separate partition, similar to the picture below:


Step 5: Download and open the archive of Petya Sector Extractor by Fabian Wosar by clicking on the button below:


Petya Sector Extractor


Step 6: Open Petya Sector Extractor’s archive and extract it on your desktop or anywhere you find comfortable to use it:


Step 7: Open Petya Sector Extractor as an administrator. You should see similar to the following interface, but with a detected drive if you connected it successfully:


Step 8: In case the Petya Sector Extractor automatically detects a drive, you will see the picture below. From it, click on the “Copy Sector” button.


Step 9: After copying the sector go to the following website:


From there, paste the sector in the field marked in red square in the picture below (It should say “Base64 encoded 512 bytes verification data”):


Step 10: Repeat the same process by clicking on the button “Copy Nonce” next to it and paste it in the field marked in red below:


Step 11: After you have copied and pasted both codes, click on the Submit button. The process of generating a password may take some time but will drop a decryption key at the bottom:

ransomware-password-petya-key-decrypted-sensorstechforumScreenshot Source: Bleeping Computer

Final Step 12: Now all you have to do is copy the key(password), insert the encrypted drive back into the infected computer and when you see Petya’s lock screen, press any key and in the screen that will appear after that (in the picture below), enter the password for decryption(in the green square of the picture below). After this, everything should be decoded.


Petya Ransomware – Conclusion

Unfortunately, the same tutorial may not work for Petya’s younger sister, Mischa ransomware. Despite this, you may still attempt and leave us a comment on whether or not this has worked for you, in case you are affected by Mischa. Ransomware creators keep developing viruses and spreading, and the situation becomes very dangerous, this is why we strongly advise you to follow our protection tips about your ransomware and your data, to prevent such unfortunate events from unfolding on your computer.

Sensorstechforum’s Ransomware Protection Tips
Safely Securing Your Data in The Future

Ventsislav Krastev

Ventsislav Krastev

Ventsislav is a cybersecurity expert at SensorsTechForum since 2015. He has been researching, covering, helping victims with the latest malware infections plus testing and reviewing software and the newest tech developments. Having graduated Marketing as well, Ventsislav also has passion for learning new shifts and innovations in cybersecurity that become game changers. After studying Value Chain Management, Network Administration and Computer Administration of System Applications, he found his true calling within the cybersecrurity industry and is a strong believer in the education of every user towards online safety and security.

More Posts - Website

Follow Me:

Leave a Comment

Your email address will not be published. Required fields are marked *

Share on Facebook Share
Share on Twitter Tweet
Share on Google Plus Share
Share on Linkedin Share
Share on Digg Share
Share on Reddit Share
Share on Stumbleupon Share