Petna Ransomware Removal Guide

Threat Level:
9/10
Category: Trojans

Petna Ransomware is a very dangerous computer infection that uses the EternalBlue exploit to infect your computer and then encrypt your files. It then demands a 0.8 BTC payment to decrypt your files. If your PC has become infected with it, then you have to remove it, but the only way to get rid of it is to repair the Master Boot Record (MBR), which can be done by booting from the Windows Installation DVD into System Recovery Options. This ransomware is very potent as it generates a very strong encryption key, so, unfortunately, you cannot decrypt your files using third-party decryption tools. All you can do if your PC has been infected with it is to recover as many of your encrypted files from external drives as you can, but only after you have deleted this ransomware.

Petna Ransomware goes by many names. It is better known as Petya Ransomware, but it is also referred to as Notpetya Ransomware, Expetr Ransomware, PetrWrap Ransomware, EternalPetya Ransomware, PetyaBlue Ransomware, and several other names. This ransomware has been updated several times since 2016, and now it is as dangerous as it can possibly be. Our research has revealed that this new iteration uses the EternalBlue exploit that is believed to have been developed by the NSA and leaked by the Shadow Brokers hacker group on April 14, 2017. This exploit was used in the global WannaCry Ransomware attack that occurred in mid-May of 2017 and is now used in Petna Ransomware. This exploit was designed to exploit vulnerabilities of Windows to distribute this ransomware. However, those vulnerabilities have been patched since, so you have to have patch MS17-010 installed on your PC via Windows Update to prevent EternalBlue from infecting your PC with this ransomware. Our most recent analysis has concluded that this ransomware is installed as a DLL file at C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll,#1. The DLL file is executed using rundll32.exe.

If this ransomware infects your computer, it will encrypt many of your files. Research suggests that this ransomware was designed to target Germany-based companies specifically. It overwrites the Master Boot Record (MBR) required to load Windows. It has been configured to encrypt a list of particular file types that include, without limitation, .doc, .docx, .dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, and .rtf. This ransomware generates an encryption key using CryptGenRandom, which is a cryptographically secure pseudorandom number generator included in Microsoft CryptoAPI. Currently, there is no free method to decrypt your files as this encryption method has not been cracked.

Petna Ransomware was configured to clear Event Logs to hide its footprint. Furthermore, it was set to create a task “schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST d:d.” This task is configured to restart your PC at a specific time. Testing has shown that it restarts the PC once it has been infected with this ransomware. This ransomware tries to disguise itself as a system repair process. You will see that it says the following:

Repairing file system on C:

The type of the file system is NTFS.
One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.

WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOU DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!

CHKDSK is repairing sector 20365505 of 4294967266 (0%)

At this point, the MBR has already been modified, and chkdsk appears to start and to repair the file system on %HOMEDRIVE%. However, this disk check is created by Petna Ransomware to convince the victim not to shut down the PC. It is during this fake repair that the ransomware encrypts the files. When the fake repair is complete (unsuccessfully) or if you try to restart the PC, a red flashing ASCII skeleton will appear with the text "PRESS ANY KEY!" After pressing any key, another red window will appear with a ransom note. Petna Ransomware's creators want you to pay 0.8 BTC or 1814.47 USD. The note says that you have to download the Tor browser and search for "access onion page." You are then told to open the Tor Browser and enter your personal decryption key (provided that you have paid the ransom and received the decryption key).
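The behaviours described above (a DLL launched through rundll32.exe with `,#1`, a one-time scheduled task, and event log clearing) can be correlated per host in process-creation logs. The following is an added example, not part of the original guide or of any vendor tool; the log format, host names, sample records and the use of `wevtutil` for log clearing are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Patterns written for this example, one per behaviour described above.
RULES = {
    "rundll32_by_ordinal": re.compile(r"rundll32(\.exe)?\"?\s.*\.dll\"?\s*,\s*#1\b", re.I),
    "one_time_task": re.compile(
        r"schtasks(\.exe)?\"?\s(?=.*/create\b)(?=.*/sc\s+once\b)(?=.*/tr\s)", re.I),
    # Assumption: logs are cleared with wevtutil; the article does not say how.
    "event_log_clear": re.compile(r"wevtutil(\.exe)?\"?\s+(cl|clear-log)\s", re.I),
}

# Constructed process-creation records: "timestamp|host|command line".
SAMPLE = r"""
2024-01-01T10:00:05|WS-01|C:\Windows\System32\rundll32.exe C:\example.bin.dll,#1
2024-01-01T10:00:40|WS-01|schtasks /Create /SC once /TN "" /TR "C:\Windows\system32\shutdown.exe /r /f" /ST 11:00
2024-01-01T10:01:10|WS-01|wevtutil cl System
2024-01-01T09:15:00|WS-02|schtasks /Create /SC once /TN "Backup" /TR "C:\tools\backup.cmd" /ST 23:00
2024-01-01T09:20:00|WS-03|rundll32.exe shell32.dll,Control_RunDLL desk.cpl
"""

def hits(text):
    """Return {host: [(time, rule_name), ...]} for matching records."""
    out = defaultdict(list)
    for line in text.strip().splitlines():
        ts, host, cmd = line.split("|", 2)
        for name, rx in RULES.items():
            if rx.search(cmd):
                out[host].append((datetime.fromisoformat(ts), name))
    return out

def suspicious_hosts(text, window=timedelta(minutes=10), min_rules=2):
    """Hosts showing >= min_rules distinct behaviours within one window."""
    flagged = {}
    for host, events in hits(text).items():
        events.sort()
        for start, _ in events:
            names = {n for t, n in events if timedelta(0) <= t - start <= window}
            if len(names) >= min_rules:
                flagged[host] = sorted(names)
                break
    return flagged

if __name__ == "__main__":
    for host, names in suspicious_hosts(SAMPLE).items():
        print(host, "->", ", ".join(names))
```

A single one-time scheduled task (WS-02) or an ordinary rundll32 call (WS-03) is not flagged on its own; only the combination on one host within the window is.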

In closing, Petna Ransomware is one of the most dangerous ransomware-type computer infections currently out there. Its developers spared no effort on its encryption, which currently cannot be decrypted using third-party decryption tools. It can enter your computer by stealth and trick you into thinking that your PC has started a system repair operation while this ransomware encrypts your files. To remove this ransomware, you have to repair the MBR using the original Windows installation DVD or image. Once the repair is complete, delete the malicious DLL from its location. You can also remove the malicious file using an anti-malware program such as SpyHunter, which will also protect your PC from similar malware.

Fix the Master Boot Record (MBR)

Windows XP

  1. Insert the CD of Windows XP in the CD/DVD-ROM.
  2. While restarting the PC, press any key to boot.
  3. Press the R key to open the Recovery Console.
  4. Type 1 and press Enter if Windows XP is your only OS.
  5. Type your administrator password and hit Enter.
  6. Press the Y key and then hit Enter.
  7. Eject the CD from the CD/DVD-ROM.
  8. Type Exit and then press Enter to restart your PC.

Windows Vista

  1. Insert the CD of Windows Vista in the CD/DVD-ROM.
  2. While restarting the PC, press any key to boot.
  3. Select the language and keyboard layout.
  4. Click Repair your computer.
  5. Select the operating system.
  6. Click Next.
  7. Open Command Prompt.
  8. Type the following commands.
    • bootrec /FixMbr
    • bootrec /FixBoot
    • bootrec /RebuildBcd
  9. Press Enter after you enter each of the commands.
  10. Remove your CD and type Exit.
  11. Press Enter.

Windows 7

  1. Insert the DVD of Windows 7 in the CD/DVD-ROM.
  2. While restarting the PC, press any key to boot.
  3. Select your language and keyboard layout.
  4. Click Next.
  5. Select the OS.
  6. Click Next.
  7. Click Command Prompt to open it.
    • Type bootrec /rebuildbcd. Press Enter.
    • Type bootrec /fixmbr. Press Enter.
    • Type bootrec /fixboot. Press Enter.
  8. Remove the DVD and restart your computer.

Windows 8/8.1/10

  1. Insert the DVD of Windows 7 in the CD/DVD-ROM.
  2. While restarting the PC, press any key to boot.
  3. Click Repair your computer at the Welcome screen.
  4. Click Troubleshoot and open Command Prompt.
    • Type bootrec /FixMbr and hit Enter.
    • Type bootrec /FixBoot and hit Enter.
    • Type bootrec /ScanOs and hit Enter.
    • Type bootrec /RebuildBcd and hit Enter.
  5. Remove the DVD from the CD/DVD-ROM.
  6. Type Exit and then press Enter.
  7. Reboot your computer.

Petna Ransomware Removal Guide

  1. Press Windows+E keys.
  2. Type C:\ in the address box and press Enter.
  3. Locate 027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll,#1
  4. Right-click it and click Delete.
  5. Empty the Recycle Bin.