How to remove Petya ransomware virus and restore information

If you have just noticed a message with ransom demands from Petya ransomware, you should immediately unplug the infected PC and remove the hard drive. At the moment when the ransom message appears on the screen, the files are not yet encrypted, so this measure might save some of them.


The Petya virus was first discovered in 2016 and for a short time became the scariest ransomware in the world. However, a few weeks after the virus appeared, a Twitter user under the nickname Leostone created an algorithm that made it possible to decrypt files encrypted by Petya, or rather, to find out the encryption key. The method itself was rather difficult and labor-intensive for an untrained user: to get the data back, it was necessary to remove the hard drive from the infected PC and connect it to another device, extract certain files, encrypt them using the specified algorithm and upload them to the site. After completing all of these operations, the victim could receive the encryption keys within a minute. Shortly thereafter, another ransomware researcher, Fabian Wosar, provided an easier way to decrypt files, which required only removing the hard drive and connecting it to another working computer on which a special program had to be installed. Thanks to the efforts of these two researchers, the spread of Petya was stopped for the first time.




After that, the Petya virus appeared under various names, such as GoldenEye, Mischa, PetrWrap, Mamba and others. Some of them were explicit clones of Petya, and some only mimicked its messages while behaving very differently. Recently, at the end of June 2017, Petya reappeared on the Internet, announcing itself with a massive infection of ordinary users' computers, as well as the networks of small, medium and large businesses in Europe. The attack mostly affected countries such as Ukraine, Russia, Germany, the UK, the Netherlands, Denmark and Spain. This time, the virus did not use traditional distribution methods, but used the ETERNALBLUE vulnerability, the same one that the WannaCry ransomware used a few months earlier. Most interesting of all, Petya infected thousands of users and networks in the countries that were most affected by the WannaCry virus. Even after such a serious threat, users simply were too lazy to download the MS17-010 update from the official Microsoft site and permanently protect their computers from attacks using this vulnerability. At the moment there is no news about how to decrypt the data encrypted by the virus, but we can tell you how to act if you notice the infection.




So, what distinguishes Petya ransomware from other viruses? The virus now spreads through a vulnerability in Windows code, but in its first edition it used standard distribution methods. The virus slightly reduced the amount of ransom: in 2016 the ransom was about $400 in Bitcoins, and now it is $300. The main difference between Petya and other ransomware is its method of operation. Standard ransomware quietly penetrates the user's computer, encrypts files, and after the encryption is finished shows a message with its demands. The developers of Petya decided to act differently: their virus causes a BSOD while penetrating the system, and when the system is subsequently booted, it encrypts the MFT (Master File Table) of the victim's computer. This breaks the MBR (Master Boot Record), so that the user cannot access the materials on the hard disk (including the virus files). At the time of system boot after the BSOD, when the user sees a message with demands in which the scammers declare that the files are encrypted, all files are virtually untouched. The encryption process is just beginning, and if you immediately unplug the computer and remove the hard drive, you can save most of the data. In order to restore the functionality of your PC, you will need to restore the MBR and remove the virus from the computer. After this, all that remains is to wait for experienced virus researchers to make their move and create a decryption program.

How to protect your system from Petya ransomware Virus

Lawrence Abrams, a well-known virus researcher and the creator and owner of a forum dedicated to viruses and methods of removing them, said that ordinary users can protect themselves from Petya ransomware infection by creating a text file called perfc in the C:\Windows folder and making this file read-only. Some users report that you should also create perfc.dat and perfc.dll files to ensure protection from all versions of the virus. Malware researcher Amit Serper discovered that Petya searches for a certain file on the user's hard drive, and if the file is found, it cancels all its actions and uninstalls itself from the system. If you do not want to lose your files, just do this, and download the MS17-010 patch to protect your data from scammers.
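The file-creation step described above can be scripted. The following PowerShell is an added example, not code from this article or from the researchers it names; it creates the three file names mentioned above as empty files in the Windows folder, marks them read-only, and reports what it did. It assumes an elevated PowerShell session.

```powershell
# Added example: create the read-only marker files named in the article.
# Assumption: run from an elevated session, because C:\Windows is not writable otherwise.
$ErrorActionPreference = 'Stop'

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (administrator) PowerShell session.'
}

# File names taken from the article: perfc, plus perfc.dat and perfc.dll.
$names = 'perfc', 'perfc.dat', 'perfc.dll'

$results = foreach ($name in $names) {
    $path   = Join-Path $env:windir $name
    $action = 'already present'

    # Create the file only if it is missing, so the script is safe to re-run.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        New-Item -ItemType File -Path $path | Out-Null
        $action = 'created'
    }

    # Set the read-only attribute whether the file was created or found.
    $item = Get-Item -LiteralPath $path -Force
    if (-not $item.IsReadOnly) {
        $item.IsReadOnly = $true
        if ($action -eq 'already present') { $action = 'made read-only' }
    }

    $item = Get-Item -LiteralPath $path -Force
    [pscustomobject]@{
        Path     = $path
        Action   = $action
        ReadOnly = $item.IsReadOnly
        Bytes    = $item.Length
    }
}

$results | Format-Table -AutoSize

# Files created by this script are empty. A non-empty file with one of these
# names was put there by something else and should be examined, not trusted.
$results | Where-Object { $_.Bytes -gt 0 } | ForEach-Object {
    Write-Warning "$($_.Path) already existed and is not empty; inspect it."
}
```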

How to restore files encrypted by Petya ransomware

Now that you know what Petya ransomware is and how it works, here is some advice on data recovery. As always, the one and only 100% effective recovery method is to restore from backups. If you made backups of the important data or backups of the whole system, and they were stored on an external hard drive that was disconnected from the PC at the moment of infection, your files are safe. So, you should clean the virus from your PC (which requires help from an experienced specialist) and load the files. Also, if you use the PC without administrator rights, you might have noticed a pop-up window that appeared again and again and asked permission to make changes to your computer. This was actually the virus trying to remove Shadow Copies. If you remember this and you did not permit the changes, the Shadow Copies are safe and you can restore files using the Shadow Copies Service directly, or indirectly, via the ShadowExplorer or Recuva programs. If you had no backups and none of the described alternative methods worked, you should wait until representatives of large IT companies or independent malware fighters create a decryption tool.

  • Click Start
  • Click Control Panel
  • Click System and Security
  • Select Backup and Restore
  • Select Restore files from backup
  • Select checkpoint to restore
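
Before relying on the Shadow Copies mentioned above, it helps to confirm that any still exist. The following PowerShell is an added example, not part of the original article; it assumes an elevated session and lists the surviving shadow copies, newest first, with the drive each one belongs to.

```powershell
# Added example: list the Volume Shadow Copies that still exist on this PC.
# Assumption: elevated session; Win32_ShadowCopy cannot be queried otherwise.
$ErrorActionPreference = 'Stop'

# Map volume GUID paths (\\?\Volume{...}\) to drive letters for readable output.
$volumes = @{}
Get-CimInstance -ClassName Win32_Volume | ForEach-Object {
    $volumes[$_.DeviceID] = if ($_.DriveLetter) { $_.DriveLetter } else { $_.DeviceID }
}

$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

if ($shadows.Count -eq 0) {
    Write-Output 'No shadow copies found: restore from an offline backup instead.'
    return
}

# Newest first, so the most recent restore point is at the top of the table.
$shadows |
    Sort-Object -Property InstallDate -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Volume       = $volumes[$_.VolumeName]
            Created      = $_.InstallDate
            ShadowId     = $_.ID
            DeviceObject = $_.DeviceObject
        }
    } |
    Format-Table -AutoSize
```

If the table is empty for the drive that held your files, the Shadow Copies route is closed and only an offline backup remains.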




