Categories: Apps: Internet & NetworksApps: SecurityMicrosoft Windows

How to Remove Petya Ransomware and Recover Data

Petya is a new and powerful ransomware that targets and encrypts the Master Boot Record (MBR) of the compromised computer, replacing it with a malicious loader. The MBR contains information that loads the Operating System on a computer which can’t load with OS). The malware forces Windows to reboot and demands 0.9 Bitcoin in return for the decryption key, or about $390 USD as of April 2016.

Petya is distributed through emails that are written in a very polite manner, and with proper grammar. The email, presented as coming from an applicant for a job position, contains a Dropbox link. This link supposedly leads to a CV, or some other important document, that is too big to be sent as an attachment. If a user opens it, the virus captures the computers. Instead of loading an Operating System, a message loads requesting the ransom, accompanied by an image of a skull generated on ASCII. Instructions are then loaded on the screen, telling users to use the Tor network to pay the ransom.

Petya claims to use a military encryption algorithm. The origin of the ransomware is unknown, although the name Petya is a common name in Russia, Bulgaria, and a few other countries with Slavic population. On the other hand, Petya and the Wolf (Op. 67), is a well-known composition written by Soviet composer Sergei Prokofiev in 1936 in the USSR. It is a children’s story, spoken by a narrator and accompanied by an orchestra.

Note that the Petya ransomware can also be distributed via social networks or file sharing services, asking users to open the link.

Here is how the message reads: “You have become a victim of the Petya Ransomware. The hard disks of your computer have been encrypted with a military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the dark net page shown in step 2. To purchase your key and restore your data, please follow these three easy steps:

Download the Tor Browser at (URL address). If you need help, please google “access onion page”.
Visit one of the following pages with the Tor Browser: (URL addresses).
Enter your personal decryption code there: (random code).

If you already purchased your key, please enter it below.”

Contacting the ransomware creators is unlikely to help. No one can guarantee that you will have your data and drives unlocked and restored. Paying the makers of the ransomware encourages them to create new ransomwares. There is no guarantee that you will get your computer back.

Unfortunately, there are currently no known ways exist to repair the Master Boot Record. Thus, the damage may be irreparable and your disk drive may remain locked forever.