Petna Ransomware is a very dangerous computer infection that uses the EternalBlue exploit to infect your computer and then encrypt your files. It then demands a 0.8 BTC payment to decrypt your files. If your PC has become infected with it, then you have to remove it, but the only way to get rid of it is to repair the Master Boot Record (MBR) which can be done with the Windows Installation DVD to boot into System Recovery Options. This ransomware is very potent as it generates a very strong encryption key, so, unfortunately, you cannot decrypt your files using third-party decryption tools. All you can do if your PC has been infected with it is to recover as many of your encrypted files from external drives as you can, but only after you deleted this ransomware.
Petna Ransomware goes by many names. It is better known as Petya Ransomware, but it is also referred to as Notpetya Ransomware, Expetr Ransomware, PetrWrap Ransomware, EternalPetya Ransomware, PetyaBlue Ransomware, and several other names. This ransomware has been updated several times since 2016, and now it is as dangerous as it can possibly be. Our research has revealed that this new iteration uses the EternalBlue exploit that is believed to have been developed by the NSA and leaked by the Shadow Brokers hacker group on April 14, 2017. This exploit was used in the global WannaCry Ransomware attack that occurred in mid-May of 2017 and is now used in Petna Ransomware. This exploit was designed to exploit vulnerabilities of Windows to distribute this ransomware. However, those vulnerabilities have been patched since, so you have to have patch MS17-010 installed on your PC via Windows Update to prevent EternalBlue from infecting your PC with this ransomware. Our most recent analysis has concluded that this ransomware is installed as a DLL file at C:\027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745.bin.dll,#1. The DLL file is executed using rundll32.exe.
If this ransomware were to infect your computer, then it will encrypt many of your files. Research suggests that this ransomware was designed to target Germany-based companies specifically. It overwrites the Master Boot Record (MBR) files required to load Windows. It has been configured to encrypt a list of particular file types that include, without limitation .doc, .docx, Dwg, .eml, .fdb, .gz, .h, .hdd, .kdbx, .ppt, .pptx, .pst, .pvi, .py, .pyc, .rar, and .rtf. This ransomware generates an encryption key using CryptGenRandom that is a cryptographically secure pseudorandom number generator included in Microsoft CryptoAPI. Currently, there is no free method to decrypt your files as this encryption method has not been cracked.
Petna Ransomware was configured to clear Event Logs to hide its footprint. Furthermore, it was set to create a task “schtasks %ws/Create /SC once /TN "" /TR "%ws" /ST d:d.” This task is configured to restart your PC at a specific time. Testing has shown that it restarts the PC once it has been infected with this ransomware. This ransomware tries to disguise itself as a system repair process. You will see that it says the following:
Repairing file system on C:
The type of the file system is NTFS.
One of your disks contains errors and needs to be repaired. This process may take several hours to complete. It is strongly recommended to let it complete.
WARNING: DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOU DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!
CHKDSK is repairing sector 20365505 of 4294967266 (0%)
At this point, the MBR is already modified, and chkdsk is started, and it tries to repair the system on %HOMEDRIVE%. However, this disk check is created by Petna Ransomware to convince the victim not to shut down the PC. At this point, this ransomware encrypts the files. When the fake repair is complete (unsuccessfully) or if you try to restart the PC, then a red flashing ASCII skeleton will appear with the text "PRESS ANY KEY!" After pressing any key, another red window will appear with a ransom note. Petna Ransomware’s creators want you to pay 0.8 BTC or 1814.47 USD. The note says that you have to download the tor browser and search for "access onion page." Then visit the Tor Browser and enter your personal decryption key (provided that you have paid the ransom and received the decryption key.
In closing, Petna Ransomware is one of the most dangerous ransomware-type computer infections currently out there. Its developers spared no effort in making its encryption algorithm that cannot be decrypted currently using third-party decryption tools. It can enter your computer by stealth and trick you into thinking that your PC has started a system repair operation while this ransomware encrypts your files. To remove this ransomware, you have to repair the MBR using the original Windows installation DVD or image. Once the repair is complete, delete the malicious DLL from its location. You can also remove the malicious file using an anti-malware program such as SpyHunter which will also protect your PC from similar malware.