SensorsTechForum - How to Technology and PC Security Forum

PC Security and Protection => Malware Removal Questions and Guides => Topic started by: never on March 29, 2016, 02:34:52 pm

Title: Petya Ransomware - Can You Decrypt Your PC If It Is Encrypted
Post by: never on March 29, 2016, 02:34:52 pm
Petya ransomware is one of a kind. This is the first time a ransomware-type cyber-threat has been observed to have rootkit capabilities. What the malware does is illustrated in the following methodology:

1. Infection - once downloaded via malicious URLs or email attachments that link to a Dropbox file, the program appears to mimic a Windows Shield type of app. Once executed, it crashes the computer, resulting in a BSOD (Blue Screen Of Death).

2. Action - once the user's PC is restarted, you see the following scary skull-type screen with the ransom instructions:

(http://sensorstechforum.com/wp-content/uploads/2016/03/petya-ransomware-skull-art-acsii-master-boot-record-dropbox.jpg)
(http://sensorstechforum.com/wp-content/uploads/2016/03/STF-petya-ransomware-ransom-message-note.png)

Unlike any other ransomware, this one does not fool around. Instead of the typical time given to the victim to pay the ransom, which is several days at the very most, Petya gives several hours. This is extremely effective for the cyber-criminals, since it takes significantly more than several hours to unlock the computer. What is worse, a traditional boot scan does not do the job, so the best protection against this ransomware is to run applications sandboxed (http://sensorstechforum.com/sandboxie-software-review/) and to combine this with strong AntiVirus and Anti-Malware software.

How To Fix It?

Unfortunately, at this point in time there is no direct decryption method for free. The only method to decrypt drives encoded by Petya is to follow the instructions, pay the 0.9 BTC and hope for the best. In case you have Cloud Backup (http://sensorstechforum.com/sos-online-backup-software-review/), do not worry, however: you may be able to download your files on a non-infected computer and simply reformat your drive and reinstall Windows.

We will keep you posted in this thread if a new solution surfaces regarding Petya Ransomware. You may find more information and eventual removal instructions, to be updated, in the article about Petya Ransomware (http://sensorstechforum.com/remove-petya-ransomware-mission-impossible/).
Title: Re: Petya Ransomware - Can You Decrypt Your PC If It Is Encrypted
Post by: sentience on April 13, 2016, 04:21:54 pm
It's curious that there is a chance for an infected user to decrypt a Petya-encrypted computer and succeed in circumventing this fierce ransomware. But I'm wondering what's happening in the first phase, when the user should react? How can this phase be spotted?
Title: Re: Petya Ransomware - Can You Decrypt Your PC If It Is Encrypted
Post by: Execute on April 14, 2016, 10:50:00 am
@sentience,
the first phase is when you have the self-extracting archive which contains the Petya ransomware on your PC and only your Master Boot Record is encrypted. After that, you cannot start your PC normally because of the tampered MBR. You should either try recovering the MBR with recovery tools or attach the hard disks externally to boot the Operating System.

If you restart the PC, then you go to the second phase. You must know that something is up and not restart your PC at all. You can shut it down, and turn it on after a minute, but not restart in any case.
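As an added illustration of the "tampered MBR" point in the post above (this is example code written for this page, not code from the thread or from any Petya analysis), the script below reads a 512-byte MBR sector, checks the 0x55AA boot signature, parses the four partition-table slots, and compares the boot-code area and the partition table against a copy of the MBR saved while the machine was healthy. Both sample sectors are constructed here; they are not Petya artifacts, and the byte values are placeholders. The point is the check, not the bytes: a sector whose signature is intact and whose partition table is unchanged can still have a completely different boot code, which is the kind of tampering a plain "does it still boot?" test will not reveal before the reboot.

```python
"""Added example: inspect a 512-byte MBR image and compare it with a backup."""
import struct
from dataclasses import dataclass

MBR_SIZE = 512
BOOT_CODE_SIZE = 446        # bytes 0..445 hold the boot code
PART_TABLE_OFFSET = 446     # four 16-byte partition entries follow
PART_ENTRY_SIZE = 16
SIGNATURE_OFFSET = 510      # bytes 510..511 must be 0x55 0xAA

# One partition entry: status, 3 CHS bytes, type, 3 CHS bytes, LBA start, sector count
PART_ENTRY_FMT = "<B3xB3xII"


@dataclass
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def parse_partitions(mbr: bytes) -> list:
    """Return the non-empty entries of the 4-slot MBR partition table."""
    parts = []
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        status, ptype, lba, count = struct.unpack_from(PART_ENTRY_FMT, mbr, off)
        if ptype != 0:                      # type 0 marks an unused slot
            parts.append(Partition(status == 0x80, ptype, lba, count))
    return parts


def check_mbr(mbr: bytes, backup: bytes) -> dict:
    """Compare the current MBR sector against a known-good backup of the same disk."""
    if len(mbr) != MBR_SIZE or len(backup) != MBR_SIZE:
        raise ValueError("MBR images must be exactly 512 bytes")
    return {
        "signature_ok": mbr[SIGNATURE_OFFSET:] == b"\x55\xaa",
        "boot_code_changed": mbr[:BOOT_CODE_SIZE] != backup[:BOOT_CODE_SIZE],
        "partition_table_changed": (
            mbr[PART_TABLE_OFFSET:SIGNATURE_OFFSET]
            != backup[PART_TABLE_OFFSET:SIGNATURE_OFFSET]
        ),
        "partitions": parse_partitions(mbr),
    }


def build_sample_mbr(boot_code: bytes, entries) -> bytes:
    """Construct a 512-byte MBR from boot code and (bootable, type, lba, count) tuples."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code[:BOOT_CODE_SIZE]
    for i, (bootable, ptype, lba, count) in enumerate(entries):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        struct.pack_into(PART_ENTRY_FMT, sector, off,
                         0x80 if bootable else 0x00, ptype, lba, count)
    sector[SIGNATURE_OFFSET:] = b"\x55\xaa"
    return bytes(sector)


# Constructed samples (placeholder bytes): one bootable NTFS (0x07) partition at LBA 2048.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 40,
                             [(True, 0x07, 2048, 204800)])
# Same partition table and valid signature, but the boot-code area was overwritten.
TAMPERED_MBR = build_sample_mbr(b"\xeb\x00\x90" + b"\xcc" * 400,
                                [(True, 0x07, 2048, 204800)])

if __name__ == "__main__":
    # On a real system the first argument would come from reading sector 0 of the disk
    # (e.g. the first 512 bytes of \\.\PhysicalDrive0 on Windows, or /dev/sda on Linux).
    for name, img in (("clean", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        r = check_mbr(img, CLEAN_MBR)
        print(name, "signature_ok=%s boot_code_changed=%s partitions=%s"
              % (r["signature_ok"], r["boot_code_changed"], r["partitions"]))
```

The backup has to be taken before anything goes wrong (a raw copy of sector 0 kept off the machine), and a differing boot code is a reason to stop and image the disk rather than to reboot, which fits the advice in the post.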
Title: Re: Petya Ransomware - Can You Decrypt Your PC If It Is Encrypted
Post by: Execute on April 14, 2016, 02:44:34 pm
A researcher with the twitter handle @leo_and_stone has discovered a way to get the password for decrypting files encrypted by the Petya ransomware. If you have recovered your Master Boot Record and can load an Operating System, but your files are encrypted, you can now decrypt all of them.

N.B.: You can find binary files made for specific operating systems in his Twitter post (https://twitter.com/leo_and_stone/status/720028141280980993).
Title: Re: Petya Ransomware - Can You Decrypt Your PC If It Is Encrypted
Post by: sentience on April 22, 2016, 12:57:11 pm
Thanks for the answer @execute,

After this information I became suspicious of every pop-up that urges me to give admin privileges.. scaaary ;D
Anyway, do I correctly understand that only a reboot, but not a power-off, could take me to the second phase of Petya ransomware? And are there any useful recovery tools for the MBR that you recommend?
Title: Re: Petya Ransomware - Can You Decrypt Your PC If It Is Encrypted
Post by: Execute on April 22, 2016, 06:29:44 pm
@sentience,
hahaha - well, you should be suspicious - you don't want to give some malware administrative control, do you? :P

You understood correctly. Despite the ransomware asking you to not shut down your PC, that seems to be okay. The real mess happens when you restart...

MBR recovery tools... hmm... I don't know of many, but I have been told that "Easy Recovery Essentials" works.

Anyway, if you have your original Windows installation CD/DVD, you can use the utility found there for repairs.
Select "Repair your computer" and look for System Recovery Options.
When the console is loaded, type in bootrec /FixMbr, but know that
there might be additional commands depending on the Windows version you own.

Best Regards,
Execute