
Petya virus file. Petya.A and WannaCry Ransomware Decryption Tool Released! How to get rid of Petya

Petya virus: ransom demand for decryption (screenshot in the original)

A few hours after the start of the attack, DATARC received the first call, and we analyzed several affected servers. Main conclusion: yes, there is a non-zero probability of data recovery after a Petya attack; the virus often damages the file system but does not encrypt the data.

At this point, the damage we analyzed can be categorized as follows.

100% data recovery possible

The virus probably contains bugs: it does not always complete its algorithm, does not have time to encrypt data, and breaks the bootloader. We saw the following damage variants:

  1. Data is not encrypted, MBR is corrupted
  2. Data is not encrypted, MBR + NTFS bootloader are corrupted
  3. Data is not encrypted, MBR + NTFS bootloader + MFT are corrupted; the disk is detected as RAW

Data recovery is possible, loss is greater than 0%

In cases where encryption does occur, some of the files may remain intact. We saw the following damage variants:

  1. Only the C: drive is encrypted; the other logical drives remain intact
  2. Not all files on the C: drive are encrypted
  3. Only the MFT record is encrypted; the file contents remain unchanged

The old version's decryption method does not work

The current version of Petya is (presumably) a continuation of the 2016 attack (see https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/ and https://securelist.com/petya-the-two-in-one-trojan/74609/). For the old version, a key-guessing technique was created (see https://github.com/leo-stone/hack-petya). The 2017 virus has been changed, and the old technique does not work.

For example, in the old version of the virus the MBR was stored in sector 55 and "encrypted" with XOR 0x37. In the new version the MBR is stored in sector 34 and "encrypted" with XOR 0x07.

Encrypted MBR (screenshot in the original):

Decrypted MBR (screenshot in the original): Petya virus, MBR after decryption
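The sector/key difference described above lends itself to a small forensic helper. The following is an added example, not DATARC's tool or any code from the original page: it takes an in-memory copy of the first sectors of a disk (for instance a dd image of the start of /dev/sda, such as the one collected in the SBU instructions further down this page), XOR-decodes the backup sector for the chosen variant, accepts the result only if it carries the 0x55AA boot signature, and then parses its partition table. The sector numbers and XOR keys are exactly the ones stated above; 512-byte sectors and the constructed sample image are assumptions.

```python
"""Decode the XOR-obfuscated backup of the original MBR that the 2017 Petya
variant keeps at sector 34 (key 0x07), or the 2016 variant at sector 55
(key 0x37).  Added example; assumes 512-byte sectors and the sector/key
values stated in the article.  The sample image below is constructed."""
import struct
from typing import Optional

SECTOR_SIZE = 512
# (backup sector, XOR key) per variant, taken from the article text
VARIANTS = {"petya-2016": (55, 0x37), "petya-2017": (34, 0x07)}


def xor_bytes(data: bytes, key: int) -> bytes:
    """Single-byte XOR is its own inverse, so this both obfuscates and decodes."""
    return bytes(b ^ key for b in data)


def read_sector(image: bytes, lba: int) -> bytes:
    """Return one 512-byte sector from an in-memory image (e.g. a dd copy of
    the first sectors of /dev/sda)."""
    start = lba * SECTOR_SIZE
    if start + SECTOR_SIZE > len(image):
        raise ValueError(f"image too short for sector {lba}")
    return image[start:start + SECTOR_SIZE]


def parse_partition_table(mbr: bytes) -> list:
    """Parse the four 16-byte MBR partition entries at offset 446."""
    entries = []
    for i in range(4):
        off = 446 + 16 * i
        boot_flag, ptype = mbr[off], mbr[off + 4]
        lba_start, num_sectors = struct.unpack_from("<II", mbr, off + 8)
        if ptype != 0:  # type 0 marks an unused slot
            entries.append({"bootable": boot_flag == 0x80, "type": ptype,
                            "lba_start": lba_start, "sectors": num_sectors})
    return entries


def recover_mbr(image: bytes, variant: str = "petya-2017") -> Optional[bytes]:
    """Decode the backup sector for the given variant; return the original MBR
    only if it ends with the 0x55AA boot signature, otherwise None (wrong
    variant, or not this malware at all)."""
    sector, key = VARIANTS[variant]
    candidate = xor_bytes(read_sector(image, sector), key)
    if candidate[510:512] != b"\x55\xaa":
        return None
    return candidate


def restore_mbr(image: bytes, original_mbr: bytes) -> bytes:
    """Return a copy of the image with sector 0 replaced by the recovered MBR.
    Only builds the repaired image in memory; the evidence copy is untouched."""
    return original_mbr + image[SECTOR_SIZE:]


def build_sample_image() -> bytes:
    """Constructed test image: a minimal MBR with one NTFS partition, stored
    XOR-0x07 at sector 34, and a stand-in bootloader at sector 0."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[0:3] = b"\xeb\x63\x90"  # typical JMP at the start of boot code
    # boot flag, CHS start (3), type 0x07 = NTFS, CHS end (3), LBA start, sectors
    mbr[446:462] = struct.pack("<BBBBBBBBII", 0x80, 0, 0, 0, 0x07, 0, 0, 0, 2048, 204800)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(SECTOR_SIZE * 64)
    image[0:SECTOR_SIZE] = b"\xcc" * SECTOR_SIZE  # stand-in for the ransomware's bootloader
    image[34 * SECTOR_SIZE:35 * SECTOR_SIZE] = xor_bytes(bytes(mbr), 0x07)
    return bytes(image)


if __name__ == "__main__":
    img = build_sample_image()
    for name in VARIANTS:
        found = recover_mbr(img, name)
        print(name, "->", parse_partition_table(found) if found else "no valid MBR")
```

If `recover_mbr` returns None for both variants, the backup sector is not where these two variants keep it, and nothing should be written back to the disk; a valid result with a sensible partition table is the precondition for the manual equivalent of the `fixmbr` step described later on this page.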

What to do if your computer is infected

Antivirus programs are installed on almost every user's computer, but sometimes a Trojan or virus appears that can bypass even the best protection and infect your device, or worse, encrypt your data. This time that virus was the ransomware Trojan Petya, also called Petya.A. The spread rate of this threat is very impressive: in a couple of days it managed to "visit" Russia, Ukraine, Israel, Australia, the USA, all major European countries and more. It mainly hit corporate users (airports, power plants, the tourism industry), but also ordinary people. In its scale and methods it is very similar to the recent, much-discussed WannaCry.

You must protect your computer so as not to fall victim to the new Petya ransomware Trojan. In this article I will tell you what this "Petya" virus is, how it spreads, and how to protect yourself from this threat. In addition, we will touch on removing the Trojan and decrypting information.

What is the "Petya" virus?

First, we need to understand what Petya is. The Petya virus is malicious software, a Trojan of the ransomware type. Such viruses are designed to blackmail the owners of infected devices into paying a ransom for their encrypted data. Unlike WannaCry, Petya does not bother encrypting individual files; it almost instantly "takes away" the entire hard disk.

The correct name of the new virus is Petya.A. Kaspersky also calls it NotPetya/ExPetr.

Description of the "Petya" virus

Once it gets onto your Windows computer, Petya almost instantly encrypts the MFT (Master File Table). What is this table responsible for?

Imagine that your hard drive is the largest library in the universe, containing billions of books. How do you find the book you want? Only through the library catalog. It is this catalog that Petya destroys, so you lose any ability to find any "file" on your PC. To be more precise, after Petya's "work" your computer's hard drive resembles a library after a tornado, with scraps of books flying all over the place.

Thus, unlike WannaCry, which I mentioned at the beginning of the article, Petya.A does not encrypt individual files (which would take an impressive amount of time); it simply takes away every opportunity to find them.

After all its manipulations, it demands a ransom from the user: $300, to be transferred to a bitcoin account.

Who created the Petya virus?

To create the virus, Petya's authors used an exploit ("hole") in Windows called "EternalBlue". Microsoft released a patch that "closes" this hole a few months ago; however, not everyone uses a licensed copy of Windows and installs all system updates, right?)

The creator of "Petya" was able to exploit the carelessness of corporate and private users and make money on it. Their identity is still unknown (and is unlikely to become known).

How does Petya's virus spread?

The Petya virus most often spreads disguised as an email attachment or inside archives of pirated, infected software. The attachment can look like absolutely any file, including a photo or an mp3 (at first glance). After you run the file, your computer restarts and the virus simulates a CHKDSK disk check; at that moment it modifies your computer's boot record (MBR). After that, you see a red skull on the screen. Pressing any key opens a text in which you are asked to pay for decrypting your files by transferring the required amount to a bitcoin wallet.

How to protect yourself from Petya virus?

  • The most important and basic thing: make it a rule to install updates for your operating system! This is incredibly important. Do it now, don't delay.
  • Pay close attention to all attachments in letters, even letters from people you know. During the epidemic it is better to use alternative means of data transfer.
  • Activate the "Show file extensions" option in the OS settings so you can always see a file's true extension.
  • Turn on "User Account Control" in the Windows settings.
  • Install an antivirus to avoid infection. Start by installing the OS updates, then install an antivirus, and you will be much safer than before.
  • Be sure to make backups: save all important data on an external hard disk or in the cloud. Then, if the Petya virus gets onto your PC and encrypts all the data, it will be easy for you to format the hard disk and reinstall the OS.
  • Always check that your antivirus databases are current. All good antiviruses monitor threats and respond to them in a timely manner by updating threat signatures.
  • Install the free Kaspersky Anti-Ransomware utility. It will protect you from encryption viruses. Installing this software does not relieve you of the need to install an antivirus.

How to remove the Petya virus?

How do you remove the Petya.A virus from your hard drive? This is an extremely interesting question... The fact is that if the virus has already blocked your data, there is, in fact, nothing to delete. If you do not plan to pay the ransomware (which you should not do) and will not try to recover data from the disk later, you just need to format the disk and reinstall the OS. After that there will be no trace of the virus.

If you suspect that an infected file is present on your disk, scan the disk with an antivirus, or install Kaspersky Anti-Virus and perform a full system scan. The developer has assured that its signature database already contains information about this virus.

Petya.A decryptor

Petya.A encrypts your data with a very strong algorithm. At the moment there is no solution for decrypting the locked information. Moreover, you should not try to recover the data on your own.

Undoubtedly, we would all dream of getting a miraculous Petya.A decryptor, but there is simply no such solution. The virus hit the world a few months ago, and no cure has been found for decrypting the data it encrypted.

Therefore, if you have not yet become a victim of the Petya virus, follow the advice I gave at the beginning of the article. If you have nevertheless lost control of your data, you have several options.

  • Pay. It makes no sense to do this! Experts have already found out that the virus's creator does not restore data, nor could they, given the encryption method.
  • Remove the hard drive from your device, carefully put it in a cabinet and wait for a decryptor to appear. By the way, Kaspersky Lab is constantly working in this direction; available decryptors are published on the No Ransom website.
  • Format the disk and reinstall the operating system. Downside: all data will be lost.

Petya.A virus in Russia

At the time of writing, more than 80 companies in Russia and Ukraine have been attacked and infected, including such large ones as Bashneft and Rosneft. The infection of such large companies' infrastructure shows how serious the Petya.A virus is. There is no doubt that the ransomware Trojan will continue to spread throughout Russia, so you should take care of the security of your data and follow the advice given in this article.

Petya.A and Android, iOS, Mac, Linux

Many users are worried: "Can the Petya virus infect their devices under Android and iOS?" I hasten to reassure them: no, it cannot. It is intended for Windows users only. The same goes for Linux and Mac fans: you can sleep soundly, nothing threatens you.

Conclusion

So today we discussed the new Petya.A virus in detail. We understood what this Trojan is and how it works, learned how to protect ourselves from infection and remove the virus, and where to get a Petya decryptor. I hope this article and my tips were helpful to you.

Within a few days, the Petya.A attack spread to dozens of countries and reached epidemic scale in Ukraine, where the M.E.Doc reporting and document management program was involved in spreading the malware. Experts later said that the attackers' goal was the complete destruction of data, but, according to the Ukrainian cyber police, if a system is only partially infected there is a chance to restore the files.

How Petya works

If the virus gains administrator rights, researchers identify three main scenarios for its impact:

  • The computer is infected and encrypted; the system is completely compromised. Data recovery requires a private key, and the screen displays a message demanding a ransom (although it is ...).
  • The computer is infected and partially encrypted: the system started encrypting files, but the user stopped the process by turning off the power or by other means.
  • The computer is infected, but encryption of the MFT has not started yet.

In the first case there is no effective way to decrypt the data yet. Specialists from the cyber police and IT companies are now looking for one, as is the creator of the original Petya virus (which allowed the system to be restored using a key). If the MFT (master file table) is only partially damaged or not affected at all, there is still a chance to access the files.

The cyber police named two main stages of the modified Petya virus:

First: obtaining privileged administrator rights (when Active Directory is used, these are disabled). First, the virus saves the operating system's original MBR boot sector in encrypted form, using a bitwise XOR operation (xor 0x7), and then writes its own bootloader in its place. The rest of the Trojan's code is written to the first sectors of the disk. At this stage a text file about encryption is created, but the data is not encrypted yet.

The second phase, data encryption, begins after a system reboot. Petya then refers to its own configuration sector, which contains a flag indicating that the data is not yet encrypted. After that the encryption process begins; on screen it is displayed as the Check Disk program running. If it is already running, you should turn off the power and try the proposed data recovery method.

What do they offer

First you need to boot from a Windows installation disk. If the partition table of the hard disk (or SSD) is visible, you can proceed to restore the MBR boot sectors. Then it is worth checking the disk for infected files. Today Petya is recognized by all popular antiviruses.

If the encryption process was started but the user managed to interrupt it, after loading the operating system it is necessary to use software for recovering encrypted files (R-Studio and others). The data will need to be saved to external media and the system reinstalled.

How to restore the bootloader

For Windows XP:

After booting the Windows XP installation disk, the PC displays the "Installing Windows XP Professional" dialog with a selection menu, where you need to select the item "To restore Windows XP using the Recovery Console, press R". Press the "R" key.

The Recovery Console will load.

If the PC has one OS installed and it is (by default) installed on the C: drive, the following message will appear:

"1: C:\WINDOWS  Which copy of Windows should you log on to?"

Enter the number "1" and press the "Enter" key.

A message will appear: "Enter the administrator password." Enter the password and press the "Enter" key (if there is no password, just press "Enter").

At the prompt C:\WINDOWS> enter fixmbr.

Then a "WARNING" message appears:

"Do you confirm writing the new MBR?" Press the "Y" key.

A message will appear: "A new master boot sector is being created on the physical disk \Device\Harddisk0\Partition0."

For Windows Vista:

Boot from the Windows Vista disc. Select your language and keyboard layout. On the welcome screen, click "Repair your computer". Windows Vista will open the recovery menu.

Select your operating system and click Next. When the System Recovery Options window appears, click Command Prompt. When the command prompt appears, enter this command:

bootrec /FixMbr

Wait for the operation to complete. If everything went well, a confirmation message will appear on the screen.

For Windows 7:

Boot from the Windows 7 disc. Select your language and keyboard layout and click Next.

Select your operating system and click Next. When choosing the operating system, check "Use recovery tools that can help fix problems starting Windows".

On the System Recovery Options screen, click the Command Prompt button. When the command prompt has loaded, enter the command:

bootrec /fixmbr

For Windows 8:

Boot from the Windows 8 disc. On the welcome screen, click the "Repair your computer" button.

Select "Troubleshoot". Select Command Prompt; when it loads, enter:

bootrec /FixMbr

Press the Enter key and restart your computer.

For Windows 10:

Boot from the Windows 10 disc. On the welcome screen, click the "Repair your computer" button, then select "Troubleshoot".

Select Command Prompt. When the command prompt loads, enter the command:

bootrec /FixMbr

Wait for the operation to complete. If everything went well, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

The Petya virus is a rapidly spreading virus that on June 27, 2017 brought down almost all large enterprises in Ukraine. The Petya virus encrypts your files and then demands a ransom for them.

The new virus infects the computer's hard drive and works as a file-encrypting virus. Over a certain time, the Petya virus "eats" the files on your computer and they become encrypted (as if the files were archived with a heavy password).
Files that have suffered from the Petya ransomware cannot be recovered afterwards (there is some chance that you will recover them, but it is very small).
There is NO algorithm that restores files affected by the Petya virus.
With the help of this short and MOST useful article, you can protect yourself from the #Petya virus.

How to DETECT Petya or WannaCry Virus and NOT Get Infected

When downloading a file from the Internet, check it with an online antivirus. Online antiviruses can detect the virus in the file in advance and prevent a Petya infection. All you have to do is check the downloaded file with VirusTotal, and only then run it. Even if you DOWNLOADED THE PETYA VIRUS but did NOT run the virus file, the virus is NOT active and does no harm. Only by launching the harmful file do you launch the virus; remember this.

USING EVEN ONLY THIS METHOD GIVES YOU EVERY CHANCE OF NOT BEING AFFECTED BY THE PETYA VIRUS
The Petya virus looks like this (screenshot in the original):

How to Protect Yourself From Petya Virus

Symantec offered a solution that protects you from the Petya virus by pretending that it is already installed.
When the Petya virus enters the computer, it creates the file perfc or perfc.dll in the folder C:\Windows\.
To make the virus think it is already installed and stop its activity, create an empty file named perfc in the folder C:\Windows\ and set its attributes to "Read Only".
Or download virus-petya-perfc.zip, unzip the perfc folder into C:\Windows\ and set the files to "Read Only".



UPDATED 06/29/2017
I also recommend putting both files directly in the Windows folder. Many sources write that the file perfc or perfc.dll should be in the folder C:\Windows\.
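To make the vaccine check reproducible, here is an added example (not Symantec's code and not the author's) that reports whether each of the file names given above exists in a given directory and is read-only, and creates any missing one as an empty read-only file. The same status function covers the check for C:\Windows\perfc.dat that the SBU recommendations further down this page describe: a file that is present but was never installed as a vaccine is an indicator worth preserving, so existing files are never overwritten. The file names are those listed above; the scratch directory used by demo() is an assumption so the code runs anywhere.

```python
"""Check for, and install, the 'perfc' vaccine files in a Windows directory.
Added example; the file names come from the article, the scratch directory
used by demo() is an assumption (on a real machine pass %SystemRoot%)."""
import os
import stat
import tempfile

VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def vaccine_status(windir: str) -> dict:
    """For each vaccine name report presence and whether the owner write bit is
    clear; on Windows that bit mirrors the Read-only attribute."""
    status = {}
    for name in VACCINE_NAMES:
        path = os.path.join(windir, name)
        exists = os.path.isfile(path)
        readonly = exists and not (os.stat(path).st_mode & stat.S_IWRITE)
        status[name] = {"exists": exists, "readonly": bool(readonly)}
    return status


def install_vaccine(windir: str) -> list:
    """Create any missing vaccine file as an empty, read-only file.  Existing
    files are left untouched: an unexpected perfc.dat may be the infection
    indicator an incident responder wants to keep, not overwrite."""
    created = []
    for name in VACCINE_NAMES:
        path = os.path.join(windir, name)
        if os.path.exists(path):
            continue
        with open(path, "xb"):  # 'x' fails rather than truncating an existing file
            pass
        os.chmod(path, stat.S_IREAD)  # clears the write bits / sets Read-only
        created.append(path)
    return created


def demo() -> tuple:
    """Run the check / install / check cycle in a scratch directory and return
    the before and after status dictionaries."""
    with tempfile.TemporaryDirectory() as scratch:
        before = vaccine_status(scratch)
        install_vaccine(scratch)
        after = vaccine_status(scratch)
    return before, after


if __name__ == "__main__":
    # real use: vaccine_status(os.environ.get("SystemRoot", r"C:\Windows"))
    before, after = demo()
    print("before:", before)
    print("after: ", after)
```

On a machine that was never vaccinated, a status of `exists: True` for any of these names is the condition the SBU list below tells you to look for; on a vaccinated machine, `readonly: False` means the attribute was lost and should be reapplied.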

What To Do If Your Computer Is Already Infected With Petya Virus

Do not turn on a computer that has already been infected with the Petya virus. The Petya virus works in such a way that, while the infected computer is on, it encrypts files. That is, as long as you keep the affected computer turned on, more and more files can be infected and encrypted.
The hard drive of this computer should be checked. You can check it using a LiveCD or LiveUSB with an antivirus:
  • Bootable USB flash drive with Kaspersky Rescue Disk 10
  • Dr.Web LiveDisk bootable USB flash drive

Who Spread Petya's Virus All Over Ukraine

Microsoft has expressed its view on the mass network infection of large companies in Ukraine. The cause was an update to the M.E.Doc program. M.E.Doc is a popular accounting program, which is why the company's blunder, letting a virus into an update and thereby installing Petya on thousands of PCs running M.E.Doc, was so big. And since the virus infects computers on the same network, it spread with lightning speed.

A few months ago, we and other IT security specialists discovered new malware: Petya (Win32.Trojan-Ransom.Petya.A). In the classical sense it was not ransomware: the virus simply blocked access to certain types of files and demanded a ransom. The virus modified the boot record on the hard disk, forcibly rebooted the PC and showed a message saying "data is encrypted, send your money for decryption". In general, this is the standard encryption-virus scheme, except that the files were NOT actually encrypted. Most popular antiviruses began to identify and remove Win32.Trojan-Ransom.Petya.A a few weeks after its release. In addition, there were instructions for manual removal. Why do we think Petya is not a classic ransomware? This virus alters the Master Boot Record, prevents the OS from booting, and encrypts the Master File Table. It does not encrypt the files themselves.

However, a few weeks ago a more sophisticated virus appeared: Mischa, apparently written by the same scammers. This virus ENCRYPTS files and demands $500-875 for decryption (1.5-1.8 bitcoin in different versions). Instructions for "decryption" and payment are stored in the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

Mischa virus: content of the YOUR_FILES_ARE_ENCRYPTED.HTML file (screenshot in the original)

Now, in fact, hackers infect users' computers with two pieces of malware: Petya and Mischa. The first needs administrator rights on the system. So if the user refuses to give Petya administrator rights, or has manually deleted this malware, Mischa comes into play. This virus does not need administrator rights; it is a classic ransomware that really encrypts files using the strong AES algorithm and makes no changes to the Master Boot Record or the file table on the victim's hard drive.

Mischa encrypts not only standard file types (videos, pictures, presentations, documents) but also .exe files. The virus leaves alone only the directories \Windows, \$Recycle.Bin, \Microsoft, \Mozilla Firefox, \Opera, \Internet Explorer, \Temp, \Local, \LocalLow and \Chrome.

Infection occurs mainly through email, where the letter arrives with an attached file, the virus installer. It can be disguised as a letter from the tax office or from your accountant, as attached receipts or purchase invoices, etc. Pay attention to the file extensions in such letters: if it is an executable file (.exe), there is a high probability that it is a container for the Petya\Mischa virus. And if the malware variant is fresh, your antivirus may not react.

Update 06/30/2017: On June 27, a modified version of the Petya virus (Petya.A) massively attacked users in Ukraine. The effect of this attack was colossal, and the economic damage has not yet been calculated. In one day the work of dozens of banks, retail chains, government agencies and enterprises of all forms of ownership was paralyzed. The virus spread mainly through a vulnerability in the Ukrainian accounting reporting system MeDoc, via the latest automatic update of this software. In addition, the virus affected countries such as Russia, Spain, Great Britain, France and Lithuania.

Remove Petya and Mischa virus with an automatic cleaner

This is an extremely effective method of dealing with malware in general and ransomware in particular. Using a well-proven protective suite guarantees thorough detection of all viral components and their complete removal with one click. Note that we are talking about two different processes: removing the infection and restoring files on your PC. Nevertheless, the threat must certainly be removed, since there are reports of other computer Trojans being introduced with its help.

  1. ... After starting the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during the scan. To remove all found threats, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the Mischa ransomware locks files with a strong encryption algorithm, so the encrypted data cannot be restored with a flick of a magic wand, unless you count paying the unheard-of ransom (sometimes as much as $1000). But some methods really can be a lifesaver and help you recover important data. You can familiarize yourself with them below.

Automatic file recovery program (decryptor)

A rather extraordinary circumstance is known: this infection deletes the source files in unencrypted form, so the ransomware's encryption process actually targets copies of them. This gives file-recovery software a chance to recover the deleted objects, even though their removal is supposedly reliable. It is highly recommended to resort to the file recovery procedure; its effectiveness is beyond doubt.

Volume shadow copies

The approach is based on the Windows file backup procedure (volume shadow copies), which is repeated at each restore point. An important condition for this method to work: System Restore must have been activated before the infection. However, any changes made to a file after the restore point will not appear in the restored version of the file.

Backup

This is the best of all the non-ransom methods. If data was being backed up to an external server before the ransomware attacked your computer, then to restore the encrypted files you simply need to open the appropriate interface, select the necessary files and start the recovery from the backup. Before doing so, make sure that the ransomware has been completely removed.

Check for possible leftover components of the Petya and Mischa ransomware

Manual cleaning carries the risk of missing certain fragments of the ransomware that can avoid deletion as hidden operating system objects or registry entries. To eliminate the risk of some malicious elements surviving, scan your computer with a reliable security package specializing in malware.

A few days ago an article appeared on our site about how to protect yourself from the virus and its variants. In these instructions we will consider the worst-case scenario: your PC is infected. Naturally, after recovery every user tries to recover their data and personal information. This article will focus on the most convenient and efficient ways to recover data. Bear in mind that this is far from always possible, so we give no guarantee of any kind.

We will consider three main scenarios according to which events can develop:
1. The computer is infected with the Petya.A virus (or its variants) and is encrypted; the system is completely locked. To recover the data you need to enter a special key, for which you have to pay. It should be said right away that even if you pay, it will not release the lock and will not return access to your personal computer.

2. An option that leaves the user more room for action: your computer is infected and the virus started encrypting your data, but the encryption was stopped (for example, by turning off the power).

3. The last option is the most favorable. Your computer is infected, but encryption of the file system has not started yet.

If you have situation number 1, that is, all your data is encrypted, then at this stage there is no effective way to restore user information. It is likely that in a few days or weeks such a method will appear, but for now specialists across the field of information and computer security are puzzling over it.

If the encryption process has not started or is not complete, the user should immediately interrupt it (encryption is displayed as the system process Check Disk). If you manage to load the operating system, immediately install any modern antivirus (all of them currently recognize Petya) and do a full scan of all disks. If Windows does not boot, the owner of the infected machine will have to use the system disk or a flash drive to restore the MBR boot sector.

Repairing the bootloader on Windows XP

After booting the system disk with Windows XP, you will be presented with options. In the "Install Windows XP Professional" window, select "To restore Windows XP using the Recovery Console, press R". Logically, you will need to press R. You should then see the Recovery Console and the message:

"1: C:\WINDOWS  Which copy of Windows should you log on to?"

If you have one copy of Windows XP installed, enter "1" from the keyboard and press Enter. If you have several systems, select the one you need. You will see a message asking for the administrator password. If there is no password, just press Enter, leaving the field blank. After that a prompt will appear on the screen; enter the word "fixmbr".

The following message should appear: "WARNING! Do you confirm writing the new MBR?" Press the "Y" key on the keyboard.
The answer will appear: "A new master boot sector is being created on the physical disk ...."
"The new master boot sector was created successfully."

Repairing the bootloader on Windows Vista

Insert a disk or USB flash drive with the Windows Vista operating system. Next, select "Repair your computer". Select which Windows Vista installation (if you have more than one) you want to restore. When the window with recovery options appears, click Command Prompt. At the command prompt, enter the command "bootrec /FixMbr".

Repairing the bootloader on Windows 7

Insert a disk or USB flash drive with the Windows 7 operating system. Select which Windows 7 installation (if you have several) you want to restore. Select the option "Use recovery tools that can help fix problems starting Windows." Next, select "Command Prompt". After the command prompt loads, enter "bootrec /fixmbr".

Repairing the bootloader on Windows 8

Insert a disk or USB flash drive with Windows 8. On the main screen, select "Repair your computer" in the lower left corner. Select "Troubleshoot". Select Command Prompt; when it loads, enter "bootrec /FixMbr".

Repairing the bootloader on Windows 10

Insert a disk or flash drive with Windows 10. On the main screen, select "Repair your computer" in the lower left corner. Select "Troubleshoot". Select Command Prompt; when it loads, enter "bootrec /FixMbr". If everything goes well, you will see a corresponding message, and all that remains is to restart your computer.

(Petya.A), and gave some advice.

According to the SBU, the infection of operating systems mainly occurred through opening malicious attachments (Word documents, PDF files) that were sent to the email addresses of many commercial and government organizations.

"The attack, the main purpose of which was to distribute the Petya.A file ransomware, exploited the MS17-010 network vulnerability, as a result of which a set of scripts was installed on the infected machine, which the cybercriminals used to launch the said file ransomware," the SBU said.

The virus attacks computers running Windows, encrypting the user's files, after which it displays a message about the conversion of the files with an offer to pay for the decryption key in bitcoins, the equivalent of $300, to unlock the data.

"The encrypted data, unfortunately, cannot be decrypted. Work continues on the ability to decrypt the encrypted data," the SBU said.

What to do to protect yourself from the virus

1. If the computer is turned on and working normally, but you suspect it may be infected, do not restart it under any circumstances (if the PC is already damaged, do not restart it either): the virus is triggered on restart and encrypts all files on the computer.

2. Save all the most valuable files to separate media not connected to the computer, and ideally make a backup together with the OS.

3. To identify the file encryptor, complete all local tasks and check for the following file: C:\Windows\perfc.dat

4. Depending on the Windows version, install the patch.

5. Make sure that antivirus software is installed on all computer systems, is functioning properly and uses an up-to-date virus signature database. Install and update the antivirus if necessary.

6. To reduce the risk of infection, be careful with all email correspondence; do not download or open attachments in letters sent by unknown people. If you receive a suspicious letter from a known address, contact the sender and confirm that the letter was sent.

7. Make backups of all critical data.

Bring this information to the employees of all structural divisions, and prevent employees from working on computers on which the specified patches are not installed, regardless of whether they are connected to the local network or the Internet.

It is possible to try to restore access to a Windows computer blocked by the specified virus.

Since the malware modifies the MBR, instead of loading the operating system the user is shown a window with text about file encryption. This problem is solved by restoring the MBR. There are special utilities for this; the SBU used the Boot-Repair utility (instructions at the link).

b). Run it and make sure all the boxes in the “Artifacts to Collect” window are checked.

c). In the “ESET Log Collection Mode” tab, select the disk's initial binary code.

d). Click the Collect button.

e). Send the archive with the logs.

If the affected PC is turned on and has not yet been turned off, go to step 3 to collect information that will help write a decryptor, and to step 4 to clean the system.

From an already infected PC (one that no longer boots), you need to collect the MBR for further analysis.

You can collect it according to the following instructions:

a). Download the ESET SysRescue Live CD or USB (created as described in section 3)

b). Accept the license agreement

c). Press CTRL + ALT + T (a terminal will open)

d). Type the command parted -l (the parameter is a lowercase letter L) and press Enter

e). Review the list of drives and identify the affected disk (it will be one of the /dev/sd* devices, typically /dev/sda)

f). Type the command dd if=/dev/sda of=/home/eset/petya.img bs=4096 count=256, replacing /dev/sda with the disk identified in the previous step, and press Enter. The file /home/eset/petya.img will be created; it holds the first 1 MiB of the disk, which includes the MBR.

g). Connect a flash drive and copy the file /home/eset/petya.img to it

h). The computer can now be turned off.
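The capture produced by the dd step above is a raw 1 MiB image whose first 512 bytes are the MBR. The following Python script is an added example, not part of the SBU or ESET instructions and not code from any ESET tool: it triages that image the way an analyst would before sending it on, checking the 0x55AA boot signature, decoding the partition table, hashing the bootstrap code, and applying a heuristic (the error strings found in a stock Windows MBR's bootstrap code, which is an assumption of this example rather than a malware signature) to flag whether the boot code has been replaced. The two sample sectors are constructed inside the script; `read_capture()` reads a real petya.img.

```python
"""Triage a dd capture of an infected disk's first 1 MiB (the petya.img file
from the steps above). Added example, not part of the original instructions
or of any ESET tool."""
import hashlib
import struct
from dataclasses import dataclass
from typing import Dict, List

SECTOR = 512
MBR_SIGNATURE = 0xAA55
# Error strings embedded in the bootstrap code of a stock Windows MBR.
# Assumption: their absence is a heuristic that the code was replaced,
# not proof of a particular malware family.
STOCK_MARKERS = (
    b"Invalid partition table",
    b"Error loading operating system",
    b"Missing operating system",
)


@dataclass
class Partition:
    slot: int
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


def read_capture(path: str, bs: int = 4096, count: int = 256) -> bytes:
    """Read the region that dd bs=4096 count=256 captured (1 MiB)."""
    with open(path, "rb") as f:
        return f.read(bs * count)


def parse_partitions(sector0: bytes) -> List[Partition]:
    """Decode the four 16-byte entries at offset 446; skip empty slots."""
    parts = []
    for slot in range(4):
        flag, type_id, lba, count = struct.unpack_from("<B3xB3xII", sector0, 446 + 16 * slot)
        if type_id != 0:
            parts.append(Partition(slot, flag == 0x80, type_id, lba, count))
    return parts


def assess(image: bytes) -> Dict[str, object]:
    """Signature, partition table, stock-code heuristic and a hash of the
    bootstrap code to quote when submitting the image for analysis."""
    if len(image) < SECTOR:
        raise ValueError("capture is shorter than one sector")
    sector0 = image[:SECTOR]
    code = sector0[:446]
    return {
        "signature_ok": struct.unpack_from("<H", sector0, 510)[0] == MBR_SIGNATURE,
        "partitions": parse_partitions(sector0),
        "stock_code": any(m in code for m in STOCK_MARKERS),
        "code_sha256": hashlib.sha256(code).hexdigest(),
    }


def verdict(image: bytes) -> str:
    """One-line summary an analyst can act on."""
    r = assess(image)
    if not r["signature_ok"]:
        return "no 0x55AA boot signature: sector 0 corrupted or zeroed"
    if not r["partitions"]:
        return "boot signature present but partition table empty"
    if r["stock_code"]:
        return "bootstrap code looks like a stock Windows MBR"
    return "partition table intact but bootstrap code replaced: submit image for analysis"


def build_sample_mbr(stock: bool) -> bytes:
    """Constructed test sector, not a real capture: one bootable NTFS
    partition (type 0x07) starting at LBA 2048, 100 MiB long."""
    code = bytearray(446)
    if stock:
        code[0x160:0x160 + len(STOCK_MARKERS[0])] = STOCK_MARKERS[0]
    else:
        code[:4] = b"\xfa\x31\xc0\x8e"  # arbitrary bytes standing in for a foreign loader
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    return bytes(code) + entry + bytes(48) + struct.pack("<H", MBR_SIGNATURE)


if __name__ == "__main__":
    # Replace the samples with verdict(read_capture("/home/eset/petya.img")) for a real image.
    for label, img in (("stock", build_sample_mbr(True)),
                       ("replaced", build_sample_mbr(False)),
                       ("zeroed", bytes(SECTOR))):
        print(f"{label:9s} -> {verdict(img)}")
```

The partition table is decoded separately from the boot code on purpose: a malware that only swaps the bootstrap code leaves the table intact, which is what makes the Boot-Repair step above viable, whereas a zeroed or signature-less sector 0 points to the heavier damage categories in which the whole disk shows up as RAW.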

See also - Omelyan about protection from cyberattacks


Perhaps you are already aware of the hacker threat recorded on June 27, 2017 in Russia and Ukraine, which were subjected to a large-scale attack similar to WannaCry. The virus blocks computers and demands a ransom in bitcoins for decrypting files. In total, more than 80 companies in the two countries were affected, including Russia's Rosneft and Bashneft.

The ransomware, like the infamous WannaCry, blocks all data on the computer and demands that a ransom equivalent to $300 in bitcoins be transferred to the criminals. But unlike WannaCry, Petya does not bother encrypting individual files: it almost instantly "takes away" your entire hard drive.

The correct name of this virus is Petya.A. An ESET report describes some of the features of Diskcoder.C (aka ExPetr, PetrWrap, Petya or NotPetya).

According to statistics on the victims, the virus was spread in phishing emails with infected attachments. Usually the letter asks you to open a text document, but the second extension in a name such as document.txt.exe is hidden, and it is the last extension that determines how the file is opened. By default Windows does not display file extensions, so the attachment looks like a plain document. To show extensions:

In Windows 8.1, in the Explorer window: View \ Folder Options \ uncheck “Hide extensions for registered file types”.

In Windows 7, in the Explorer window: Alt \ Tools \ Folder Options \ uncheck “Hide extensions for registered file types”.
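To make the hidden-extension trick concrete, here is an added Python example (not code from the original post) that reproduces what Explorer displays when extensions are hidden and flags attachment names built to exploit it. The extension sets and the attachment names are assumptions constructed for the example; the check looks only at the name, which is enough to catch document.txt.exe-style lures but says nothing about a file whose single extension is simply false.

```python
"""Show what Explorer displays for an attachment name when "Hide extensions
for registered file types" is on, and flag names that abuse it. Added
example, not code from the original post."""
import os
from typing import List, Tuple

# Extensions Windows launches as code. Assumption: a representative set,
# not the full list of registered types on a given machine.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".jse", ".vbs", ".wsf", ".hta", ".lnk"}
# Extensions a lure typically imitates.
DOCUMENT_EXTS = {".txt", ".doc", ".docx", ".pdf", ".xls", ".xlsx",
                 ".jpg", ".png", ".zip"}


def real_extension(filename: str) -> str:
    """The extension Windows actually acts on: only the last one."""
    return os.path.splitext(filename)[1].lower()


def displayed_name(filename: str) -> str:
    """Name as Explorer shows it with extensions hidden: the last registered
    extension is dropped, so 'report.txt.exe' appears as 'report.txt'."""
    root, ext = os.path.splitext(filename)
    return root if ext.lower() in EXECUTABLE_EXTS | DOCUMENT_EXTS else filename


def is_disguised_executable(filename: str) -> bool:
    """True when the file will run as code but the name the user sees ends in
    a document-like extension."""
    if real_extension(filename) not in EXECUTABLE_EXTS:
        return False
    shown_ext = os.path.splitext(displayed_name(filename))[1].lower()
    return shown_ext in DOCUMENT_EXTS


def triage(attachment_names: List[str]) -> List[Tuple[str, str, str]]:
    """(real name, name as displayed, verdict) for each attachment.
    Any executable is worth a look; a disguised one is blocked outright."""
    rows = []
    for name in attachment_names:
        if is_disguised_executable(name):
            v = "BLOCK"
        elif real_extension(name) in EXECUTABLE_EXTS:
            v = "review"
        else:
            v = "ok"
        rows.append((name, displayed_name(name), v))
    return rows


if __name__ == "__main__":
    # Constructed attachment names, not taken from a real message.
    for row in triage(["Document.txt.exe", "Invoice.pdf.scr", "photo.jpg", "tool.exe"]):
        print("%-20s shown as %-16s -> %s" % row)
```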

And the worst thing is that users are not even bothered that the letters come from unknown senders and ask them to open incomprehensible files.

After opening the file, the user sees a “blue screen of death”.

After the reboot, it looks as if “Scan Disk” (CHKDSK) is running; in fact, the virus is encrypting at that moment.

Unlike other ransomware, once this virus is launched it immediately restarts your computer, and when it boots again a message appears on the screen: “DO NOT TURN OFF YOUR PC! IF YOU STOP THIS PROCESS, YOU MAY DESTROY ALL YOUR DATA! PLEASE MAKE SURE YOUR COMPUTER IS CONNECTED TO CHARGER!”. Although it looks like a system error, at that moment Petya is silently encrypting. If the user tries to reboot the system or stop the encryption, a flashing red skeleton appears on the screen along with the text “PRESS ANY KEY!”. Finally, after a key is pressed, a new window appears with the ransom note. In this note (this describes the earlier Petya variant; the June 2017 version demands $300) the victim is asked to pay 0.9 bitcoin, roughly $400. However, this is the price for just one computer, so for companies with many computers the amount can run into thousands. What also distinguishes this ransomware is that it gives a whole week to pay the ransom, instead of the usual 12-72 hours that other viruses in this category allow.

Moreover, the problems with Petya do not end there. After this virus enters the system, it overwrites the Master Boot Record (MBR), the code the machine needs to boot the operating system. You cannot remove the Petya virus from your computer without restoring the MBR. Even if you manage to restore it and remove the virus from your system, your files will unfortunately remain encrypted, because removing the virus does not decrypt files; it only deletes the infectious files. Of course, virus removal is essential if you want to continue working with your computer.

Once on your Windows computer, Petya encrypts the MFT (Master File Table) almost instantly. What is this table responsible for?

Imagine that your hard drive is the largest library in the universe. It contains billions of books. How do you find the book you want? Only by using the library catalogue. It is this catalogue that Petya destroys. You thus lose any opportunity to find any "file" on your PC. To be more precise, after Petya has "worked", your hard drive will resemble a library after a tornado, with scraps of books flying all over the place.

Thus, unlike WannaCry, Petya.A does not spend an impressive amount of time encrypting individual files; it simply takes away every chance you have of finding them.

Who created the Petya virus?

To spread, Petya used the "EternalBlue" exploit for a vulnerability ("hole") in the Windows SMB service. Microsoft has released the patch KB4012598 (we already talked about this update, which "closes" the hole, in the earlier WannaCry tutorials).

The creator of "Petya" was able to exploit the carelessness of corporate and private users and make money on it. His identity is still unknown (and is unlikely to become known).

How to remove the Petya virus?

How do you remove the Petya.A virus from your hard drive? This is an interesting question. If the virus has already blocked your data then, in fact, there is nothing left to delete. If you do not plan to pay the ransomware (which you should not) and will not try to recover the data on the disk later, you just need to format the disk and reinstall the OS. After that there will be no trace of the virus.

If you suspect that an infected file is present on your disk, perform a full system scan with ESET NOD32 antivirus. ESET has assured that its signature database already contains information about this virus.

Petya.A decryptor

Petya.A encrypts your data with a strong encryption algorithm. At the moment there is no solution for decrypting the locked information.

Undoubtedly, we would all dream of a miraculous Petya.A decryptor, but there is simply no such solution. The WannaCry virus struck the world a few months ago, but no cure has been found to decrypt the data it encrypted.

The only option is if you previously had shadow copies of the files.

Therefore, if you have not yet become a victim of Petya.A, update your OS and install antivirus software (the author recommends ESET NOD32). If you have already lost control of your data, you have several options.

Pay. It makes no sense to do this! Experts have already established that the creator of the virus does not restore data, and given the encryption method cannot do so.

Try to remove the virus from your computer and restore your files from shadow copies (the virus does not infect them).

Remove the hard drive from the device, carefully put it in a cabinet and wait for a decryptor to appear.

Format the disk and install the operating system. Minus: all data will be lost.

Petya.A and Android, iOS, Mac, Linux

Many users are worried whether the Petya virus can infect their devices running Android and iOS. I hasten to reassure them: no, it cannot. It is intended for Windows users only. The same goes for Linux and Mac fans: you can sleep soundly, nothing threatens you.

A number of Russian and Ukrainian companies were attacked by the Petya ransomware. The online edition of the site spoke with experts from Kaspersky Lab and the interactive agency AGIMA to find out how to protect corporate computers from the virus and how Petya resembles the equally well-known WannaCry ransomware.

Petya virus

In Russia, Rosneft, Bashneft, Mars, Nivea and the chocolate manufacturer Alpen Gold (Mondelez International) were hit. The ransomware also struck the radiation monitoring system of the Chernobyl nuclear power plant. In addition, the attack affected the computers of the Ukrainian government, Privatbank and telecom operators. The virus blocks computers and demands a ransom of $300 in bitcoins.

On its Twitter microblog, the Rosneft press service reported a hacker attack on the company's servers. “A powerful hacker attack was carried out on the company's servers. We hope that this has nothing to do with the current judicial proceedings. The company has contacted law enforcement agencies over the cyberattack,” the message says.

According to the company's press secretary, Mikhail Leontyev, Rosneft and its subsidiaries are operating normally. After the attack, the company switched to a backup system for managing production processes, so that oil production and refining have not stopped. The systems of Home Credit bank were also attacked.

"Petya" does not infect without "Misha"

According to AGIMA Executive Director Evgeny Lobanov, the attack was in fact carried out by two ransomware viruses: Petya and Misha.

“They work in conjunction. Petya does not infect without Misha. It can infect, but yesterday's attack was two viruses: first Petya, then Misha. Petya rewrites the boot device (where the computer boots from), and Misha encrypts files according to a certain algorithm,” the specialist explained. “Petya encrypts the disk boot sector (MBR) and replaces it with its own, and Misha then encrypts all files on the disk (not always).”

He noted that the WannaCry ransomware that attacked major global companies in May this year does not resemble Petya; it is a new version.

“Petya.A is from the WannaCry family (or rather WannaCrypt), but the main difference, and the reason it is not the same virus, is that the MBR is replaced by its own boot sector; this is a novelty for ransomware. The Petya virus appeared a long time ago; on GitHub (an online service for IT projects and joint programming) there was a decryptor for this encryptor, https://github.com/leo-stone/hack-petya, but no decryptor is suitable for the new modification.”

Yevgeny Lobanov stressed that the attack hit Ukraine harder than Russia.

“We are more susceptible to attacks than other Western countries. We will be protected from this version of the virus, but we will not be protected from its modifications. Our Internet is unsafe, and in Ukraine it is even less so. Basically transport companies, banks, mobile operators (Vodafone, Kyivstar) and medical companies, the same Farmmag, Shell petrol stations, all very large transcontinental companies,” he said in an interview with the site.

The executive director of AGIMA noted that so far there are no facts that would indicate the geographical location of the distributor of the virus. In his opinion, the virus presumably originated in Russia, although there is no direct evidence of this.

“There is an assumption that these are our hackers, since the first modification appeared in Russia, and the virus itself, as is no secret to anyone, was named after Petro Poroshenko. It was a development of Russian hackers, but who changed it further is hard to say. Even being in Russia, it is easy to get hold of a computer with geolocation in the United States, for example,” the expert explained.

“If your computer is suddenly infected, you cannot turn off the computer. If you reboot, you will never enter the system again.”

“If a computer is suddenly infected, you cannot turn off the computer, because the Petya virus replaces the MBR, the first boot sector from which the operating system is loaded. If you reboot, you will never enter the system again; it will be impossible to return the data. Next, you need to immediately disconnect from the Internet so that the computer does not go online. An official patch from Microsoft has already been released; it provides a 98 percent security guarantee. Unfortunately, not yet 100 percent. A certain modification of the virus (there are three of them) bypasses it so far,” Lobanov recommended. “However, if you nevertheless rebooted and saw the beginning of the ‘check disk’ process, at this moment you need to immediately turn off your computer, and the files will remain unencrypted.”

In addition, the expert explained why Microsoft users are attacked rather than users of MacOSX (Apple's operating system) and Unix systems.

“Here it is more correct to speak not only about MacOSX but about all Unix systems (the principle is the same). The virus spreads only to computers, not mobile devices. The attack affects the Windows operating system and only threatens those users who have disabled automatic system updates. Exceptional updates are available even to owners of older Windows versions that are no longer updated: XP, Windows 8 and Windows Server 2003,” said the expert.

“MacOSX and Unix are not globally exposed to such viruses, because many large corporations use the Microsoft infrastructure. MacOSX is not susceptible because it is not so widespread in government agencies. [...] attack Microsoft,” the specialist concluded.

“The number of attacked users has reached two thousand”

The press service of Kaspersky Lab, whose experts continue to investigate the latest wave of infections, said that “this ransomware does not belong to the already well-known Petya ransomware family, although it has several lines of code in common with it.”

The Lab is confident that this is a new family of malware with functionality significantly different from Petya. Kaspersky Lab has named the new ransomware ExPetr.

“According to Kaspersky Lab, the number of attacked users has reached two thousand. Most of the incidents were recorded in Russia and Ukraine, and cases of infection were also observed in Poland, Italy, Great Britain, Germany, France, the United States and a number of other countries. At the moment, our experts suggest that the malware used several attack vectors. Within corporate networks, the modified EternalBlue exploit and the EternalRomance exploit were used,” the press service said.

Experts are also exploring the possibility of creating a decryptor tool that could be used to decrypt the data. The Lab has also issued recommendations to all organizations for avoiding such an attack in the future.

“We recommend that organizations install Windows updates. Windows XP and Windows 7 should install security update MS17-010, and organizations should ensure they have an effective backup system. Timely and secure data backups make it possible to restore the original files even if they were encrypted by malware,” Kaspersky Lab experts advised.

The Lab also recommends that its corporate clients make sure that all protection mechanisms are activated, in particular that the connection to the Kaspersky Security Network cloud infrastructure is enabled; as an additional measure it recommends using the Application Privilege Control component to prevent all application groups from accessing (and therefore executing) a file named “perfc.dat”.

“If you do not use Kaspersky Lab products, we recommend blocking the execution of the file named perfc.dat, as well as blocking the launch of the PsExec utility from the Sysinternals package, using the AppLocker function included in Windows,” the Lab recommended.

On May 12, 2017, many organizations were hit by WannaCry, a ransomware program that encrypts data on computers' hard drives. It locks the device and demands payment of a ransom.
The virus affected organizations and departments in dozens of countries around the world, including Russia, where the servers of the Ministry of Health, the Ministry of Emergencies, the Ministry of Internal Affairs, cellular operators and several large banks were attacked.

The spread of the virus was halted accidentally and only temporarily: if the hackers change just a few lines of code, the malware will start working again. The damage from the program is estimated at $1 billion. After a linguistic forensic analysis, experts concluded that WannaCry was created by people originating from China or Singapore.