Petya Ransomware Removal Guide

Petya Ransomware is not a typical ransomware infection. This malicious threat has a different target than the one of Rush Ransomware, Better_call_saul Ransomware, Maktub Ransomware and other infamous infections. According to our research, this particular ransomware primarily targets German companies, and this might be due to the fact that big companies value their privacy more, and they might be willing to pay the ransom requested. Although regular computer users pay ransom payments and follow other demands, more and more of them learn to back up their personal files and prevent the attacks of ransomware in general. Unfortunately, we cannot guarantee that the removal of Petya Ransomware will not become a problem for regular users as well. Of course, this threat is more likely to attack the systems of big companies; however, it might turn to individual operating systems as well. In either case, deleting this ransomware is the ultimate goal.

Unlike most of other infamous ransomware infections, Petya Ransomware does not encrypt personal files to have leverage when demanding for ransom. Instead, this infection overwrites the boot files. If they are encrypted successfully, you will encounter problems when trying to load your Windows operating system. Using RSA and AES encryption algorithms, this malicious threat can make certain files inaccessible, and this is what is used to coerce you into following the demands of the vicious cyber criminals. So, how does this work? According to our research, it all starts with a harmless-looking spam email that provides a download link to Dropbox. If you download and launch the malicious file called “application folder-gepackt.exe”, your PC will instantly restart, and the MBR (Master Boot Record) will be modified. At the same time, chkdsk will scan your drives and try to repair the system on %HOMEDRIVE%. In reality, this disk check is initiated by ransomware, and it is meant to stop you from shutting down your PC. Of course, the repair will fail, after which, you will be introduced to an intimidating screen urging you to press any key. If you follow the demand, a ransom message will appear. Here is an excerpt.

You became victim of the PETYA RANSOMWARE!
The harddisks of your computer have been encrypted with an military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.

This intimidating message provides steps that include downloading the Tor Browser via torproject.org, visiting one of the provided links, and entering a personal decryption code. If you follow these instructions, you will end up paying a ransom, which starts at 0.9 BTC (~370 USD). Needless to say, the price is high; however, computer users choose to pay this sum because they want their personal files decrypted. This is particularly important for big companies that might be paralyzed due to the activity of Petya Ransomware. It is notable that the price of the ransom is said to double if the payment is not made within 7 days. Furthermore, users are discouraged from taking action themselves. For example, the countdown representing the time left to pay the ransom is followed by a warning suggesting that attempts to restore the MBR using Windows Recovery Tools will result in the complete destruction of personal data. Unfortunately, this malicious ransomware has been created by truly unpredictable, devious cyber criminals, and it is possible that they will act out if you do not follow their demands the way they want you to.

Needless to say, your files will remain locked if you delete Petya Ransomware from your operating system. If the files encrypted by this threat are backed up, you do not need to worry about anything else but the removal of this ransomware. If you decide to pay the ransom, you have to weigh all of the risks. For one, you need to consider that your files could remain encrypted after you pay the huge ransom. If you do not want to lose your money without a purpose, you need to think carefully whether you should get involved. In any case, you need to remove Petya Ransomware from your operating system, and you can do that by repairing the Master Boot Record. We have added instructions that will help you repair the MBR, and, if you perform this task successfully, all you will need to do is erase the malicious executable. If you need our assistance with the removal of this malicious threat, feel free to post your questions below.

N.B. After you fix the MBR, eliminate the malicious file of the ransomware. Do not forget to check the %TEMP% directory to look for copies of this malicious file.

Repair the Master Boot Record

First reboot your Windows operating system using an installation disk.

1. Insert the Windows installation disk into the CD/DVD-ROM.
2. Restart your computer.
3. In the Setup Utility window select Boot using arrow keys.
4. Using arrow keys select CD-ROM Drive and tap Enter.
5. Wait for the Windows to start.
6. Follow the instructions below.

Windows XP:

1. As you reboot from a CD, a Welcome to Setup screen will appear.
2. Tap the R key on the keyboard to open the Recovery Console.
3. Place the cursor after Which Windows installation would you like to log onto, type 1, and tap Enter.
4. Type the administrator password and tap Enter.
5. Type fixmbr after C:\Windows> and tap Enter.
6. If you are asked if you want to write a new MBR, type Y, and tap Enter.
7. Tap Enter again and wait for the fixmbr utility to repair MBR.
8. Remove the CD, type exit, and tap Enter.
9. Restart your computer.

Windows Vista/Windows 7:

1. Select the Language, Time, and Keyboard, and click Next.
2. Click Repair your computer.
3. In the System Recovery Options menu choose your operating system and click Next.
4. Select Command Prompt.
5. Type bootrec /fixmbr and tap Enter.
6. Type bootrec /fixboot and tap Enter.
7. Type bootrec /rebuildbcd and tap Enter.
8. If the process is successful, a conformation message will appear, after which you can remove the CD.
9. Type exit, tap Enter, and restart your computer.

Windows 8/Windows 8.1/Windows 10:

1. Select the Language, Time, and Keyboard, and click Next.
2. Click Repair your computer.
3. Click Troubleshoot and select Command Prompt.
4. Type bootrec /fixmbr and tap Enter.
5. Type bootrec /fixboot and tap Enter.
6. Type bootrec /scanos and tap Enter.
7. Type bootrec /rebuildbcd and tap Enter.
8. If the process is successful, a conformation message will appear, after which you can remove the CD.
9. Type exit, tap Enter, and restart your computer.