Update! Fabian Scherschel, a researcher at Heise Security, has published an analysis of the ransomware in German. According to it, the first encryption phase Petya applies to the Master Boot Record (MBR) is a simple XOR with a fixed value. If the user acts while the infection is still in this phase, data can be recovered by booting from another drive with an untouched MBR and backing up the contents of the affected disk. UEFI systems infected by Petya may have only their boot information damaged, which makes the drive unbootable while its data remains unencrypted.
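The first-phase transform described in the update above, as an added example that is not part of the original article or of Scherschel's analysis: a small forensic helper that takes a captured 512-byte MBR sector and tests whether it is an MBR XORed with one fixed byte (the single-byte key is an assumption; the page only says "a fixed value"), using the 0x55AA boot signature and the partition-table status bytes as the plausibility oracle. The sample sector and the key 0x37 are constructed for the demonstration.

```python
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xaa"


def build_sample_mbr() -> bytes:
    """Constructed sample sector: filler boot code, one active NTFS partition, signature."""
    boot_code = bytes(range(256)) + bytes(190)            # 446 bytes of filler
    # status 0x80 (active), CHS start, type 0x07, CHS end, LBA start, sector count
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)
    return boot_code + entry + bytes(48) + BOOT_SIGNATURE


def xor_with(data: bytes, key: int) -> bytes:
    """Apply a single fixed-byte XOR (the assumed first-phase transform)."""
    return bytes(b ^ key for b in data)


def looks_like_mbr(sector: bytes) -> bool:
    """Plausibility oracle: boot signature present and all four partition status bytes sane."""
    if len(sector) != MBR_SIZE or sector[SIG_OFFSET:] != BOOT_SIGNATURE:
        return False
    return all(sector[PART_TABLE_OFFSET + 16 * i] in (0x00, 0x80) for i in range(4))


def recover_xor_key(sector: bytes):
    """Try all 256 single-byte keys; return (key, plaintext) for the first plausible MBR, else None."""
    for key in range(256):
        candidate = xor_with(sector, key)
        if looks_like_mbr(candidate):
            return key, candidate
    return None


if __name__ == "__main__":
    original = build_sample_mbr()
    damaged = xor_with(original, 0x37)           # constructed sample key, not Petya's
    print("untouched:", looks_like_mbr(original), "damaged:", looks_like_mbr(damaged))
    print("recovered key:", recover_xor_key(damaged)[0])
```

A key of 0 means the sector already looks like an intact MBR; a result of None means the sector was not produced by a single-byte XOR and a different recovery route is needed.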
Decrypt Files Encrypted by Petya Ransomware
A new ransomware named Petya is plaguing the Internet; most attacks are reported by German users of the Windows OS. The peculiar thing about this ransomware is that instead of encrypting files with specific extensions, it encrypts the Master Boot Record (MBR) of drives. The MBR contains the information that loads the operating system on a computer; without it, no OS can load.
The above picture shows the ransom message that loads instead of an operating system. Victims have only a few hours to pay the ransom. The ransomware claims to use a military-grade encryption algorithm. The first attack was reported on March 24th by users of the www.heise.de website. The origin of the ransomware is unknown, although Petya is a common name in Slavic countries.
How Does Petya Ransomware Distribute?
Petya ransomware is distributed through e-mails written in correct and proper grammar. Many companies are targeted; for them, the email is presented as coming from an applicant for a job position. At the end of the email, a DropBox link to a CV or related document is provided, with the claim that the file is too big to attach. Other ransomware families, namely Chimera and PacMan, are also distributed via DropBox.
Reportedly, DropBox links are the main source for distributing the Petya payload. That does not exclude social networks and file-sharing services directing users to those links, or another clever message with a link at its end.
Technical Specifications about Petya Ransomware
After the payload file has been downloaded from the link, it asks the user for privilege elevation. The file has a shield icon, so users expect the Windows User Account Control prompt to be triggered. Unsurprisingly, they open it and grant permission, as they do not suspect that this is a Trojan horse carrying the Petya payload.
Next, after some time, a Blue Screen of Death (BSOD) is triggered to force Windows to restart and apply the changes made by the ransomware. The Master Boot Record (MBR) of every hard drive, SSD and USB flash storage device is encrypted. The ransomware also claims to use the RSA 4096-bit algorithm and AES 256-bit ciphers for the encryption. The MBR is a special boot sector of a storage device containing the loading information for any installed OS, so once it is encrypted, no operating system can load.
Instead, the computer displays an ASCII-art skull. Whether the user restarts the system or tries to repair the Master Boot Record, the only thing that loads is that skull. After the art, instructions appear on screen about how to use the Tor network to pay the ransom. The asked price is 0.9 Bitcoin.
The ransom message reads:
You became victim of the PETYA RANSOMWARE!
The harddisks of your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at “https://www.torproject.org”. If you need help, please google for “access onion page”.
2. Visit one of the following pages with the Tor Browser:
3. Enter your personal decryption code there:[Random code]
If you already purchased your key, please enter it below.
You should know that contacting the ransomware creators to pay the ransom is NOT advised. Nobody can guarantee that your data and drives will be unlocked and restored. Paying ransomware makers supports their criminal act and may encourage them to make even nastier malware.
Prevent Petya Ransomware from Infecting You
Petya ransomware simply shuts you down. There are no known ways to repair the Master Boot Record as of now. Without an OS to load, you cannot install any program that could help with its removal. Sit tight and wait for new information. You can also write in our forum's thread about this ransomware and leave comments with questions and information, or suggest ideas about a possible solution.
For those who have had the luck not to be hit by this ransomware yet: you should install an anti-malware program to prevent it. The damage can be irreparable; even if you have a backup, your disk drive may remain locked.