How to decrypt files encrypted by the Petya virus. The new Petya encryption virus is named after the President of Ukraine - expert


Information that any user should know about the Petya virus.

What kind of virus is this?

On Tuesday, June 27, 2017, a virus called Petya appeared on the Internet. Rosneft and Home Credit Bank were attacked. Once executed, this threat overwrites the Master Boot Record (MBR) with Ransom:DOS/Petya.A and encrypts the system drive sectors. This happens step by step: the malware forces the PC to reboot and displays a fake system message that reports a supposed error on the disk and shows a fake integrity check. Next, you receive the following message containing instructions for purchasing a key to unlock the system.

The virus encrypts files on all drives except the Windows folder on drive C:. The encrypted files have the following extension:

Not long ago there was an attack by the WannaCry virus, which is in many ways similar to the Petya virus discussed in this article. To start with, the similarity between them is that both are crypto-viruses, that is, viruses that encrypt the user's files and demand a ransom for decryption. According to Kaspersky Lab, this is not the same virus as the earlier Petya; its name is ExPetr, that is, the earlier virus has been heavily modified. You can find out more on the website, although, as they say, some lines of code are similar.

Protection and where can you get infected?

You can catch this malware by receiving the file Petya.apx by email or by installing an update to the accounting program M.E.Doc. Below is a description from the Microsoft blog about this M.E.Doc tax program. If an infected machine appears on your network at home or at work, the malware spreads using the same vulnerability as the WannaCry virus, via the SMB protocol: an exploit that targets a vulnerability in the Windows implementation of SMB. Microsoft, as written in the article, strongly recommends installing updates for all Windows systems to protect against WannaCry, and has even released updates for long-unsupported products such as Windows XP. It follows that your protection should be the same for both the WannaCry virus and the Petya virus. Read more about protection and installing updates in the article.

Free protection against encryptors, in addition to antiviruses and anti-spyware, can be installed from Kaspersky. Also, if you use anti-spyware, it already has built-in protection not only from PUPs but also from ransomware. The website says about ransomware: "Prevents attackers from encrypting your files for ransom." I think the best option is to install MBAM alongside your antivirus. The option from Microsoft that is already built into the system is Windows Defender on Windows 8.1 and Windows 10, and Microsoft Security Essentials on Windows 7 and Windows Vista. You can also download a one-time scanner to check whether your computer is infected with any type of threat.

On the Microsoft website there is a complete description of the virus, where it came from and how it gets into the system; the more accurate description is in English. The blog says that the first infection, or rather the extortion process, began with the Ukrainian company M.E.Doc, which develops the tax accounting software MEDoc.

Exact translation using Google Translate: "Although this vector has been covered in detail by news and security researchers, including Ukraine's own cyber police, there has only been circumstantial evidence of this vector. Microsoft now has evidence that several active ransomware infections originally started from a legitimate Medoc update process."

File decryption?

Users are asked to write to the specified mailbox with proof of the funds transfer in order to receive the decryption key. If you are going to transfer funds to decrypt files, you will not be able to write to the criminals that you have sent the ransom: the email address to which victims were supposed to report their payment was blocked by the German provider on whose server the mailbox was hosted. So you can transfer the money, but they will not be able to send you the key. Let's say, then, that it is not officially possible to get a key from the ransomware. The ransomware wallet is known; as of July 1, 2017, data on receipts is updated within 15 seconds. To stop the virus on the victim's computer, you need to create an empty file C:\Windows\perfc and set its properties to read-only. There are no decryptors yet, except for older versions of the virus on GitHub.

At the beginning of May, about 230,000 computers in more than 150 countries were infected with a ransomware virus. Before the victims had time to eliminate the consequences of this attack, a new one, called Petya, followed. The largest Ukrainian and Russian companies, as well as government institutions, suffered from it.

The cyber police of Ukraine established that the virus attack began through the mechanism for updating the accounting software M.E.Doc, which is used to prepare and send tax reports. Thus, it became known that the networks of Bashneft, Rosneft, Zaporozhyeoblenergo, Dneproenergo and the Dnieper Electric Power System did not escape infection. In Ukraine, the virus penetrated government computers, PCs of the Kyiv metro, telecom operators and even the Chernobyl nuclear power plant. In Russia, Mondelez International, Mars and Nivea were affected.

The Petya virus exploits the EternalBlue vulnerability in the Windows operating system. Symantec and F-Secure experts say that although Petya encrypts data like WannaCry, it is still somewhat different from other types of encryption viruses. “The Petya virus is a new type of extortion with malicious intent: it does not just encrypt files on the disk, but locks the entire disk, making it practically unusable,” explain F-Secure. “Specifically, it encrypts the MFT master file table.”

How does this happen and can this process be prevented?

Virus "Petya" - how does it work?

The Petya virus is also known by other names: Petya.A, PetrWrap, NotPetya, ExPetr. Once it gets onto the computer, it downloads ransomware from the Internet and tries to attack the part of the hard drive that holds the data needed to boot the computer. If it succeeds, the system shows a Blue Screen of Death. After the reboot, a message about checking the hard drive appears, asking you not to turn off the power. In this way the encryption virus pretends to be a system disk-scanning program while encrypting files with certain extensions. At the end of the process, a message appears stating that the computer is blocked, along with information on how to obtain a digital key to decrypt the data. The Petya virus demands a ransom, usually in Bitcoin. If the victim has no backup copy of their files, they face the choice of paying $300 or losing all their information. According to some analysts, the virus is only masquerading as ransomware, while its true goal is to cause massive damage.

How to get rid of Petya?

Experts have discovered that the Petya virus looks for a local file and, if this file already exists on the disk, exits the encryption process. This means that users can protect their computer from ransomware by creating this file and setting it as read-only.

Although this cunning scheme prevents the extortion process from starting, it is more like a "computer vaccination": the user has to create the file themselves. You can do this as follows:

  • First you need to understand the file extension. In the Folder Options window, make sure that the Hide extensions for known file types checkbox is unchecked.
  • Open the C:\Windows folder, scroll down until you see the notepad.exe program.
  • Left click on notepad.exe, then press Ctrl + C to copy and then Ctrl + V to paste the file. You will receive a request asking for permission to copy the file.
  • Click the Continue button and the file will be created as notepad - Copy.exe. Left-click on this file and press F2, then erase the name notepad - Copy.exe and enter perfc.
  • After changing the file name to perfc, press Enter. Confirm the rename.
  • Now that the perfc file has been created, we need to make it read-only. To do this, right-click on the file and select “Properties”.
  • The properties menu for this file will open. At the bottom you will see "Read Only". Check the box.
  • Now click the Apply button and then the OK button.

Some security experts suggest creating C:\Windows\perfc.dat and C:\Windows\perfc.dll files in addition to the C:\Windows\perfc file in order to more thoroughly protect against the Petya virus. You can repeat the above steps for these files.
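The manual steps above can be scripted. The following Python is an added example, not Symantec's tool and not code from this article: it creates the same three empty, read-only files (perfc, perfc.dat, perfc.dll) and then verifies that each is present and still read-only. The target folder is a parameter so the logic can be tried on a scratch directory first; on a real machine it must run with administrator rights against the Windows folder, which the script takes from the SystemRoot environment variable (an assumption of this script). On Windows, os.chmod with stat.S_IREAD sets the same read-only attribute that the Properties dialog sets.

```python
"""Added example: script the 'vaccination' the article describes by
creating empty, read-only perfc / perfc.dat / perfc.dll files.
Not the article's code or a vendor tool; the target folder is a
parameter so the logic can be exercised on a scratch directory."""
import os
import stat
import tempfile

VACCINE_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def is_read_only(path: str) -> bool:
    """True when the owner write bit is clear. On Windows, os.stat clears
    the write bits for files that carry the read-only attribute, so this
    check behaves the same on both platforms."""
    return (os.stat(path).st_mode & stat.S_IWRITE) == 0


def vaccinate(windows_dir: str, names=VACCINE_NAMES) -> dict:
    """Create each vaccination file as an empty, read-only file.

    Returns {name: "created" | "already-vaccinated" | "made-read-only"};
    the last value means the file existed but was writable."""
    results = {}
    for name in names:
        path = os.path.join(windows_dir, name)
        if os.path.exists(path):
            if is_read_only(path):
                results[name] = "already-vaccinated"
                continue
            results[name] = "made-read-only"
        else:
            with open(path, "wb"):   # empty content, as in the manual steps
                pass
            results[name] = "created"
        # Clear write permission (sets the read-only attribute on Windows).
        os.chmod(path, stat.S_IREAD)
    return results


def check_vaccination(windows_dir: str, names=VACCINE_NAMES) -> list:
    """Return the files that are missing or writable, i.e. not protecting.
    An empty list means the folder is vaccinated."""
    problems = []
    for name in names:
        path = os.path.join(windows_dir, name)
        if not os.path.isfile(path):
            problems.append(f"{name}: missing")
        elif not is_read_only(path):
            problems.append(f"{name}: not read-only")
    return problems


def demo_on_scratch_dir() -> dict:
    """Run the whole sequence on a temporary folder (no real Windows folder
    is touched) and return what happened at each step."""
    scratch = tempfile.mkdtemp(prefix="perfc-demo-")
    first = vaccinate(scratch)
    ok_after_first = check_vaccination(scratch)
    second = vaccinate(scratch)
    # Simulate someone clearing the read-only flag on one file ...
    os.chmod(os.path.join(scratch, "perfc.dll"), stat.S_IREAD | stat.S_IWRITE)
    broken = check_vaccination(scratch)
    # ... and the script repairing it without recreating the others.
    repaired = vaccinate(scratch)
    sizes = [os.path.getsize(os.path.join(scratch, n)) for n in VACCINE_NAMES]
    return {"first": first, "ok_after_first": ok_after_first, "second": second,
            "broken": broken, "repaired": repaired, "sizes": sizes}


if __name__ == "__main__":
    # Assumption: SystemRoot points at the Windows folder; needs admin rights.
    target = os.environ.get("SystemRoot", r"C:\Windows")
    print(vaccinate(target))
    print(check_vaccination(target) or "vaccinated")
```

The check function is the part worth keeping around: the vaccination only helps while the files stay present and read-only, so it can be re-run periodically to confirm nothing has replaced or unlocked them.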

Congratulations, your computer is protected from NotPetya/Petya!

Symantec experts offer some advice to PC users to prevent them from doing things that could lead to locked files or loss of money.

  1. Don't pay money to criminals. Even if you transfer money to the ransomware, there is no guarantee that you will be able to regain access to your files. And in the case of NotPetya / Petya, this is basically meaningless, because the goal of the ransomware is to destroy data, and not to get money.
  2. Make sure you back up your data regularly. In this case, even if your PC becomes the target of a ransomware virus attack, you will be able to recover any deleted files.
  3. Don't open emails from questionable addresses. Attackers will try to trick you into installing malware or try to obtain important data for attacks. Be sure to inform IT specialists if you or your employees receive suspicious emails or links.
  4. Use reliable software. Timely updating of antivirus programs plays an important role in protecting computers from infections. And, of course, you need to use products from reputable companies in this field.
  5. Use mechanisms to scan and block spam messages. Incoming emails should be scanned for threats. It is important to block any types of messages that contain links or typical phishing keywords in their text.
  6. Make sure all programs are up to date. Regular remediation of software vulnerabilities is necessary to prevent infections.

Should we expect new attacks?

The Petya virus first appeared in March 2016, and security specialists immediately noticed its behavior. The new Petya virus infected computers in Ukraine and Russia at the end of June 2017. But this is unlikely to be the end. Hacker attacks using ransomware viruses similar to Petya and WannaCry will be repeated, said Stanislav Kuznetsov, deputy chairman of the board of Sberbank. In an interview with TASS, he warned that such attacks will definitely happen, but it is difficult to predict in advance in what form and format they may appear.

If, after all the cyber attacks that have happened, you have not yet taken at least the minimum steps to protect your computer from a ransomware virus, then it is time to get serious about it.

The Petya.A virus attack covered dozens of countries in a few days and developed to epidemic proportions in Ukraine, where the reporting and document management program M.E.Doc was involved in the spread of the malware. Later, experts said that the attackers’ goal was to completely destroy the data, but, according to the Ukrainian cyber police, if the system is partially infected, there is a chance to restore the files.

How Petya works

If a virus gains administrator rights, researchers identify three main scenarios for its impact:

  • The computer is infected and encrypted, and the system is completely compromised. Data recovery requires a private key, and a message is displayed on the screen demanding that you pay a ransom (although paying will not help).
  • The computer is infected and partially encrypted - the system began to encrypt files, but the user stopped this process by turning off the power or other means.
  • The computer is infected, but the MFT table encryption process has not yet begun.

In the first case, there is no effective way to decrypt the data yet. Specialists from the cyber police and IT companies are now searching for one, as is the creator of the original Petya virus (whose version allowed the system to be restored using a key). If the MFT master file table is only partially affected or not affected at all, there is still a chance to regain access to the files.

The cyber police described two main stages in the operation of the modified Petya virus:

First: obtaining privileged administrator rights (these are disabled when Active Directory is used). The virus first saves the operating system's original MBR boot sector in encrypted form, using a bitwise XOR with 0x7, and then writes its own bootloader in its place. The rest of the Trojan's code is written to the first sectors of the disk. At this point, a text file about the encryption is created, but the data is not yet encrypted.

The second stage, data encryption, begins after the system is rebooted. Petya now accesses its own configuration sector, which contains a flag indicating that the data is not yet encrypted. After this, the encryption process begins, while the screen shows what looks like the Check Disk program running. If it is already running, you should turn off the power and try the data recovery method proposed below.
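The XOR step described above is reversible, which is what makes MBR recovery possible while the encoded copy of the original sector survives. The following Python is an added example, not the cyber police's or any vendor's tool, run on a constructed disk image: it decodes the XOR 0x7 copy and refuses to return it unless the result looks like a real MBR. It assumes 512-byte sectors, and the sector index where the encoded copy sits (BACKUP_SECTOR) is a placeholder, since the article does not state it; on a real image that index has to come from analysis of the specific variant.

```python
"""Added example (not from the article or any vendor tool): undo the
XOR 0x7 encoding of the original MBR on a constructed disk image.
Assumptions: 512-byte sectors; BACKUP_SECTOR is a placeholder for the
sector holding the encoded copy, not a value taken from the article."""

SECTOR_SIZE = 512
XOR_KEY = 0x07                 # from the article: "xor 0x7"
BACKUP_SECTOR = 34             # PLACEHOLDER: assumed location of the encoded copy
BOOT_SIGNATURE = b"\x55\xAA"   # last two bytes of a valid MBR


def xor_sector(sector: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with a one-byte key; XOR is its own inverse."""
    return bytes(b ^ key for b in sector)


def read_sector(image: bytes, index: int) -> bytes:
    """Slice one sector out of a raw image, refusing to read past its end."""
    start = index * SECTOR_SIZE
    sector = image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"sector {index} is outside the image")
    return sector


def looks_like_mbr(sector: bytes) -> bool:
    """Sanity check: boot signature present and every partition entry has a
    legal boot indicator (0x00 inactive or 0x80 active)."""
    if sector[510:512] != BOOT_SIGNATURE:
        return False
    indicators = {sector[446 + 16 * i] for i in range(4)}
    return indicators <= {0x00, 0x80}


def recover_original_mbr(image: bytes, backup_sector: int = BACKUP_SECTOR) -> bytes:
    """Decode the XOR-ed copy and verify it before returning it, so that a
    wrong sector index or key is never silently treated as a recovered MBR."""
    decoded = xor_sector(read_sector(image, backup_sector))
    if not looks_like_mbr(decoded):
        raise ValueError("decoded sector does not look like an MBR")
    return decoded


def build_demo_image() -> tuple:
    """Constructed sample: a fake original MBR, and an image whose sector 0
    holds a stand-in for the malicious loader while the backup sector holds
    the XOR-encoded original, mirroring the layout the article describes."""
    original = bytearray(SECTOR_SIZE)
    original[0:3] = b"\xEB\x3C\x90"      # typical short-jump prologue
    original[3:12] = b"DEMO-MBR "        # constructed marker, not real code
    original[446] = 0x80                 # partition 1 marked active
    original[446 + 4] = 0x07             # NTFS partition type id
    original[510:512] = BOOT_SIGNATURE
    original = bytes(original)

    image = bytearray(SECTOR_SIZE * 64)
    image[0:SECTOR_SIZE] = b"\xCC" * 510 + BOOT_SIGNATURE   # stand-in loader
    start = BACKUP_SECTOR * SECTOR_SIZE
    image[start:start + SECTOR_SIZE] = xor_sector(original)
    return original, bytes(image)


def demo() -> bool:
    """True if the decoded backup sector matches the constructed original."""
    original, image = build_demo_image()
    return recover_original_mbr(image) == original


if __name__ == "__main__":
    print("recovered original MBR:", demo())
```

The example deliberately stops at producing the decoded sector. Writing it back to sector 0 is a separate step that should be done on a copy of the disk image first, after the decoded sector has passed the sanity check.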

What do they offer?

First you need to boot from the Windows installation disk. If a table with hard disk (or SSD) partitions is visible, you can begin the procedure for restoring the MBR boot sector. Then you should check the disk for infected files. Today Petya is recognized by all popular antiviruses.

If the encryption process was started, but the user managed to interrupt it, after loading the operating system, you must use software to recover encrypted files (R-Studio and others). The data will need to be saved to external media and the system reinstalled.

How to restore bootloader

For Windows XP OS:

After booting from the Windows XP installation disk, the "Install Windows XP Professional" dialog box appears with a selection menu where you need to choose "To restore Windows XP using the Recovery Console, press R." Press the "R" key.

The Recovery Console will load.

If the PC has one OS installed and it is (by default) installed on the C drive, the following message will appear:

"1:C:\WINDOWS Which copy of Windows should I sign in to?"

Enter the number “1”, press the “Enter” key.

A message will appear: “Enter your administrator password.” Enter your password, press "Enter" (if there is no password, just press "Enter").

You should see the prompt C:\WINDOWS>. Enter fixmbr.

The message “WARNING” will then appear.

“Are you confirming the entry of the new MBR?”, press the “Y” key.

A message will appear: “A new primary boot sector is being created on the physical disk \Device\Harddisk0\Partition0.”

For Windows Vista:

Boot from the Windows Vista installation disk. Select your language and keyboard layout. On the Welcome screen, click "Restore your computer." Windows Vista will open the recovery menu.

Select your operating system and click Next. When the System Recovery Options window appears, click on Command Prompt. When the command prompt appears, enter this command:

bootrec /FixMbr

Wait for the operation to complete. If everything went well, a confirmation message will appear on the screen.

For Windows 7:

Boot from the Windows 7 installation disk. Select your language and keyboard layout, and click Next.

Select your operating system and click Next. When choosing an operating system, you should check "Use recovery tools that can help solve problems starting Windows."

On the System Recovery Options screen, click the Command Prompt button. When the command prompt boots successfully, enter the command:

bootrec /FixMbr

For Windows 8:

Boot from the Windows 8 installation disk. On the Welcome screen, click the Repair your PC button.

Select Troubleshooting. Select the command line, when it loads, enter:

bootrec /FixMbr

Press the Enter key and restart your computer.

For Windows 10:

Boot from the Windows 10 installation disk. On the Welcome screen, click the "Repair your PC" button and select "Troubleshooting".

Select Command Prompt. When the command prompt loads, enter the command:

bootrec /FixMbr

Wait for the operation to complete. If everything went well, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

The Petya virus is a rapidly growing virus that affected almost all large enterprises in Ukraine on June 27, 2017. The Petya virus encrypts your files and then offers a ransom for them.

The new virus infects the computer's hard drive and works as a file-encrypting virus. After a certain time, the Petya virus "eats" the files on your computer and they become encrypted (as if the files were archived and a strong password was set).
Files that have been affected by the Petya ransomware virus cannot be restored later (there is a chance that you can restore them, but it is very small).
There is NO algorithm that restores files affected by the Petya virus
With the help of this short and MAXIMUM useful article you can protect yourself from #virusPetya

How to IDENTIFY the Petya or WannaCry virus and NOT get infected with the virus

When downloading a file via the Internet, check it with an online antivirus. Online antiviruses can detect a virus in a file in advance and prevent infection by the Petya virus. All you have to do is check the downloaded file using VirusTotal, and then run it. Even if you DOWNLOADED the PETYA VIRUS, but did NOT run the virus file, the virus is NOT active and does not cause harm. Only after running a harmful file do you launch a virus, remember this

USING THIS METHOD ONLY GIVES YOU EVERY CHANCE NOT TO BE INFECTED BY THE PETYA VIRUS
The Petya virus looks like this:

How to Protect Yourself from the Petya Virus

Company Symantec proposed a solution that allows you to protect yourself from the Petya virus by pretending that you already have it installed.
The Petya virus, when it enters a computer, creates in the folder C:\Windows\ a file named perfc or perfc.dll.
To make the virus think that it is already installed and stop its activity, create in the folder C:\Windows\ an empty file named perfc and save it with the "Read Only" attribute set.
Or download virus-petya-perfc.zip and unzip the folder perfc to a folder C:\Windows\ and set the change mode to “Read Only”
Download virus-petya-perfc.zip



UPDATED 06/29/2017
I also recommend downloading both files simply to the Windows folder. Many sources write that the file perfc or perfc.dll must be in the folder C:\Windows\

What to do if your computer is already infected with the Petya virus

Do not turn on a computer that is already infected with the Petya virus. The Petya virus works in such a way that while the infected computer is turned on, it encrypts files. That is, as long as you keep a computer infected with the Petya virus turned on, more and more files can be infected and encrypted.
It is worth checking this computer's hard drive. You can check it using a LiveCD or LiveUSB with an antivirus:
Bootable USB flash drive with Kaspersky Rescue Disk 10
Dr.Web LiveDisk bootable flash drive

Who Spread the Petya Virus Throughout Ukraine

Microsoft has expressed its point of view regarding global network infection in large Ukrainian companies. The reason was the update to the M.E.Doc program. M.E.Doc is a popular accounting program, which is why the company made such a big mistake when a virus got into the update and installed the Petya virus on thousands of PCs on which the M.E.Doc program was installed. And since the virus affects computers on the same network, it spread with lightning speed.

A few months ago, we and other IT Security specialists discovered a new malware - Petya (Win32.Trojan-Ransom.Petya.A). In the classical sense, it was not an encryptor; the virus simply blocked access to certain types of files and demanded a ransom. The virus modified the boot record on the hard drive, forcibly rebooted the PC and showed a message that “the data is encrypted - waste your money for decryption.” In general, the standard scheme of encryption viruses, except that the files were NOT actually encrypted. Most popular antiviruses began identifying and removing Win32.Trojan-Ransom.Petya.A a few weeks after its appearance. In addition, instructions for manual removal appeared. Why do we think that Petya is not a classic ransomware? This virus makes changes to the Master Boot Record and prevents the OS from loading, and also encrypts the Master File Table. It does not encrypt the files themselves.

However, a more sophisticated virus, Mischa, appeared a few weeks ago, apparently written by the same scammers. This virus ENCRYPTS files and demands $500-875 for decryption (1.5-1.8 bitcoins in different versions). Instructions for "decryption" and payment for it are stored in the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

Mischa virus - contents of YOUR_FILES_ARE_ENCRYPTED.HTML file

Now, in fact, hackers infect users’ computers with two malwares: Petya and Mischa. The first one needs administrator rights on the system. That is, if a user refuses to give Petya admin rights or manually deletes this malware, Mischa gets involved. This virus does not require administrator rights, it is a classic encryptor and actually encrypts files using the strong AES algorithm and without making any changes to the Master Boot Record and the file table on the victim’s hard drive.

The Mischa malware encrypts not only standard file types (videos, pictures, presentations, documents), but also .exe files. The virus does not affect only the \Windows, \$Recycle.Bin, \Microsoft, \Mozilla Firefox, \Opera, \Internet Explorer, \Temp, \Local, \LocalLow and \Chrome directories.

Infection occurs primarily through e-mail: a letter arrives with an attached file, the virus installer. It can be disguised as a letter from the Tax Service or from your accountant, as attached receipts or purchase invoices, etc. Pay attention to the file extensions in such letters: if it is an executable file (.exe), then with high probability it is a container for the Petya\Mischa virus. And if the malware variant is recent, your antivirus may not react.

Update 06/30/2017: June 27, a modified version of the Petya virus (Petya.A) massively attacked users in Ukraine. The effect of this attack was enormous and the economic damage has not yet been calculated. In one day, the work of dozens of banks, retail chains, government agencies and enterprises of various forms of ownership was paralyzed. The virus spread mainly through a vulnerability in the Ukrainian accounting reporting system MeDoc with the latest automatic update of this software. In addition, the virus has affected countries such as Russia, Spain, Great Britain, France, and Lithuania.

Remove Petya and Mischa virus using an automatic cleaner

An extremely effective method of working with malware in general and ransomware in particular. The use of a proven protective complex guarantees thorough detection of any viral components and their complete removal with one click. Please note that we are talking about two different processes: uninstalling the infection and restoring files on your PC. However, the threat certainly needs to be removed, since there is information about the introduction of other computer Trojans using it.

  1. After starting the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during scanning. To remove all detected threats, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the Mischa ransomware locks files using a strong encryption algorithm so that encrypted data cannot be restored with a wave of a magic wand - short of paying an unheard-of ransom amount (sometimes reaching up to $1,000). But some methods can really be a lifesaver that will help you recover important data. Below you can familiarize yourself with them.

Automatic file recovery program (decryptor)

A very unusual circumstance is known. This infection erases the original files in unencrypted form; the encryption process for extortion purposes thus targets copies of them. This makes it possible to use software that recovers deleted objects, even if their deletion was supposedly reliable. It is highly recommended to resort to the file recovery procedure; its effectiveness is beyond doubt.

Shadow copies of volumes

The approach is based on the Windows file backup process, which is repeated at each recovery point. An important condition for this method to work: the “System Restore” function must be activated before the infection. However, any changes to the file made after the restore point will not appear in the restored version of the file.

Backup

This is the best among all non-ransom methods. If the procedure for backing up data to an external server was used before the ransomware attack on your computer, to restore encrypted files you simply need to enter the appropriate interface, select the necessary files and launch the data recovery mechanism from the backup. Before performing the operation, you must make sure that the ransomware is completely removed.

Check for possible presence of residual components of the Petya and Mischa ransomware

Manual cleaning risks missing individual pieces of ransomware that could escape removal as hidden operating system objects or registry items. To eliminate the risk of partial retention of individual malicious elements, scan your computer using a reliable security software package that specializes in malicious software.

A few days ago, an article appeared on our resource about how to protect yourself from the virus and its varieties. In the same instructions, we will look at the worst case scenario - your PC is infected. Naturally, after recovery, each user tries to restore their data and personal information. This article will discuss the most convenient and effective methods for data recovery. It is worth considering that this is not always possible, so we will not give any guarantee.

We will consider three main scenarios in which events can develop:
1. The computer is infected with the Petya.A virus (or its variants) and is encrypted, the system is completely blocked. To restore data, you need to enter a special key, for which you need to pay. It’s worth saying right away that even if you pay, this will not remove the blocking and will not give you back access to your personal computer.

2. An option that provides the user with more options for further actions - your computer is infected and the virus began to encrypt your data, but the encryption was stopped (for example, by turning off the power).

3. The last option is the most favorable. Your computer is infected, but file system encryption has not yet begun.

If you have situation number 1, that is, all your data is encrypted, then at this stage there is no effective way to restore user information. It is likely that this method will appear in a few days or weeks, but for now experts and everyone in the field of information and computer security are scratching their heads over it.

If the encryption process has not started or has not completed, the user should interrupt it immediately (the encryption is displayed as a Check Disk system process). If you were able to boot the operating system, you should immediately install any modern antivirus (all of them currently recognize Petya) and do a full scan of all disks. If Windows does not boot, the owner of the infected machine will have to use the system disk or flash drive to restore the MBR boot sector.

Restoring the bootloader on Windows XP

After booting from the Windows XP system disk, you will be presented with options for action. In the "Install Windows XP Professional" window, select "To restore Windows XP using the Recovery Console, press R." Logically, you will need to press R on the keyboard. A console for restoring the partition should appear in front of you, along with the message:

"1:C:\WINDOWS Which copy of Windows should I sign in to?"


If you have one version of Windows XP installed, enter "1" from the keyboard and press Enter. If you have several systems, select the one you need. You will see a message asking for the administrator password. If there is no password, simply press Enter, leaving the field empty. After this, a prompt will appear on the screen; enter the word "fixmbr".

The following message should appear: “WARNING! Do you confirm the entry of the new MBR?”, press the “Y” key on the keyboard.
The response will appear: “A new primary boot sector is being created on the physical disk...”
"The new primary boot partition was created successfully."

Restoring the bootloader on Windows Vista

Insert a disk or flash drive with the Windows Vista operating system. Next, select the line "Restore your computer." Select which Windows Vista operating system (if you have more than one) to restore. When the recovery options window appears, click on Command Prompt. At the command prompt, enter the command "bootrec /FixMbr".

Restoring the bootloader on Windows 7

Insert a disk or flash drive with the Windows 7 operating system. Select which Windows 7 operating system (if you have several of them) you want to restore. Select "Use recovery tools that can help solve problems starting Windows." Next, select "Command Line". After the command line loads, enter "bootrec /FixMbr".

Restoring the bootloader on Windows 8

Insert a disk or flash drive with the Windows 8 operating system. On the main screen, select "Repair your computer" in the lower left corner. Select Troubleshooting. Select the command line and, when it loads, enter "bootrec /FixMbr".

Restoring the bootloader on Windows 10

Insert a disk or flash drive with the Windows 10 operating system. On the main screen, select "Repair your computer" in the lower left corner. Select Troubleshooting. Select the command line and, when it loads, enter "bootrec /FixMbr". If everything goes well, you will see a corresponding message and all that remains is to restart the computer.

(Petya.A), and gave a number of tips.

According to the SBU, infection of operating systems mainly occurred through the opening of malicious applications (Word documents, PDF files), which were sent to the email addresses of many commercial and government agencies.

“The attack, the main goal of which was to distribute the Petya.A file encryptor, used the MS17-010 network vulnerability, as a result of which a set of scripts were installed on the infected machine, which the attackers used to launch the mentioned file encryptor,” the SBU said.

The virus attacks computers running Windows OS by encrypting the user's files, after which it displays a message about converting the files with a proposal to pay for the decryption key in bitcoins in the equivalent of $300 to unlock the data.

“Unfortunately, encrypted data cannot be decrypted. Work continues on the possibility of decrypting encrypted data,” the SBU said.

What to do to protect yourself from the virus

1. If the computer is turned on and working normally, but you suspect that it may be infected, do not reboot it under any circumstances (if the PC has already been damaged, do not reboot it either): the virus is triggered upon reboot and encrypts all the files on the computer.

2. Save all the most valuable files to a separate drive that is not connected to the computer, and ideally, make a backup copy along with the OS.

3. To identify the file encryptor, finish all local tasks and check for the presence of the following file: C:\Windows\perfc.dat

4. Install the MS17-010 security update for your version of Windows.

5. Ensure that all computer systems have anti-virus software installed that functions properly and uses up-to-date virus signature databases. If necessary, install and update the antivirus.

6. To reduce the risk of infection, treat all e-mail with care and do not download or open attachments in messages from unknown senders. If a suspicious message arrives from a known address, contact the sender and confirm that they actually sent it.

7. Make backup copies of all critical data.

Bring this information to the attention of employees in all departments, and do not allow employees to work on computers that lack the specified patches, regardless of whether they are connected to a local network or the Internet.
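Items 3 and 4 of the list can be checked per host in a few lines. The PowerShell below is an added example and not part of the SBU notice: run elevated, it reports the perfc.dat indicator (with size and attributes, so that a planted 0-byte file is not mistaken for the real component), whether an MS17-010 update is listed, and whether the SMBv1 server is still enabled. With -Vaccinate it also plants the read-only perfc files that circulated as a "vaccine" after the outbreak; that relies on the malware skipping hosts where C:\Windows\perfc already exists, which is an assumption not described on this page. KB4012598 is the update this article names; the Windows 7 / Server 2008 R2 numbers are listed from memory of the bulletin and must be verified against it.

```powershell
# Added example, not part of the SBU notice: per-host check of items 3 and 4 above.
# Run in an elevated PowerShell. -Vaccinate additionally plants the read-only perfc
# files (assumption: the malware skips hosts where %WINDIR%\perfc already exists).
param([switch]$Vaccinate)

$report = [ordered]@{}

# Item 3: the file the SBU names. Record size and attributes, not just presence,
# so a planted 0-byte vaccine file is not mistaken for the real component.
$perfc = Join-Path $env:windir 'perfc.dat'
$report.PerfcDatPresent = Test-Path $perfc
if ($report.PerfcDatPresent) {
    $f = Get-Item $perfc
    $report.PerfcDatBytes    = $f.Length
    $report.PerfcDatReadOnly = $f.IsReadOnly
}

# Item 4: an MS17-010 update. KB4012598 is the update this article names (XP,
# Vista, Server 2003, Windows 8); KB4012212/KB4012215 are the Windows 7 and
# Server 2008 R2 numbers as I remember them - verify against the bulletin.
$ms17010   = 'KB4012598', 'KB4012212', 'KB4012215'
$installed = @(Get-HotFix | Where-Object { $ms17010 -contains $_.HotFixID })
$report.MS17010Listed = ($installed.Count -gt 0)
$report.MS17010KB     = (($installed | ForEach-Object { $_.HotFixID }) -join ',')

# EternalBlue speaks SMBv1 only: if the server side is off, the exploit has nothing
# to talk to regardless of patch level. A missing value means "enabled" on
# Windows 7, 8.1 and early Windows 10 builds.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1   = Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue
$report.SMB1ServerEnabled = ($null -eq $smb1 -or $smb1.SMB1 -ne 0)

if ($Vaccinate) {
    foreach ($name in 'perfc', 'perfc.dat', 'perfc.dll') {
        $p = Join-Path $env:windir $name
        if (-not (Test-Path $p)) {
            New-Item -Path $p -ItemType File | Out-Null
            (Get-Item $p).IsReadOnly = $true
        }
    }
    $report.Vaccinated = $true
}

[pscustomobject]$report
```

Two caveats. A host patched with a later cumulative rollup will not list these KB IDs, because the rollup supersedes them; in that case the SMBv1 state (SMB1 = 0 under the same LanmanServer key, followed by a reboot) or the version of srv.sys is what to trust, not Get-HotFix. And once a host is vaccinated, item 3 no longer means what the SBU intended, so keep a record of which hosts received the vaccine files.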

It may be possible to restore access to a Windows computer blocked by this virus.

The malware modifies the MBR, which is why, instead of the operating system loading, the user is shown a screen with text about file encryption. This can be solved by restoring the MBR; there are special utilities for this, and the SBU used the Boot-Repair utility (instructions at the link). Restoring the MBR only brings the system back if the boot-time encryption had not yet run (for example, the machine was powered off during the fake disk check); it does not decrypt files that were already encrypted.

b). Run it and make sure that all the boxes in the “Artifacts to collect” window are checked.

c). In the “ESET Log Collection Mode” setting, select the mode that collects the original binary logs from disk.

d). Click on the Collect button.

e). Send the resulting log archive to ESET support.

If the affected PC is switched on and has not yet been turned off, proceed to step 3 (collecting the information that will help write a decryptor) and step 4 (disinfecting the system).

From an already affected PC (one that no longer boots), you need to collect the MBR for further analysis.

You can collect it as follows:

a). Download ESET SysRescue Live CD or USB (creating it is described in step 3) and boot the affected PC from it.

b). Agree to the licence terms.

c). Press CTRL + ALT + T (a terminal will open).

d). Type the command parted -l (the parameter is a lowercase L) and press Enter.

e). Look at the list of drives and identify the affected PC's system disk (usually /dev/sda). Use the whole disk, not a partition such as /dev/sda1: the MBR is the first sector of the disk.

f). Type the command dd if=/dev/sda of=/home/eset/petya.img bs=4096 count=256, substituting the disk identified in the previous step for /dev/sda, and press Enter. This copies the first 1 MiB of the disk (the MBR and the sectors that follow it) into the file /home/eset/petya.img. Check the if= (input) and of= (output) arguments twice before pressing Enter: swapping them overwrites the disk.

g). Connect a USB flash drive and copy the file /home/eset/petya.img to it.

h). You can now turn off the computer.
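Once petya.img is on the flash drive it can be triaged on any Windows workstation before it goes to the vendor. The PowerShell below is an added example, not part of the ESET instructions: it parses the first sector of the image, reports the boot signature, the NT disk signature and the partition table, and compares the boot-code bytes with a known-good MBR. The image paths are assumptions, as is the known-good file (dump one from a healthy machine of the same Windows build with the same dd command); the 7-byte Windows MBR prologue used as a heuristic is mine, not something the page states.

```powershell
# Added example: triage of an MBR image dumped with dd (not ESET's tooling).
param(
    [string]$Image     = 'E:\petya.img',            # assumed location on the USB stick
    [string]$KnownGood = 'E:\known-good-mbr.img'    # assumed dump from a healthy machine
)

function Get-MbrInfo([byte[]]$Sector) {
    if ($Sector.Length -lt 512) { throw 'need at least one 512-byte sector' }
    $sha = [System.Security.Cryptography.SHA256]::Create()
    # Bytes 0..439 hold boot code, 440..443 the NT disk signature, 446..509 the
    # four 16-byte partition entries, 510..511 the 0x55AA boot signature.
    $parts = foreach ($i in 0..3) {
        $o = 446 + 16 * $i
        if ($Sector[$o + 4] -eq 0) { continue }    # empty entry
        [pscustomobject]@{
            Index    = $i
            Bootable = ($Sector[$o] -eq 0x80)
            Type     = '0x{0:X2}' -f $Sector[$o + 4]  # 0x07 = NTFS, 0xEE = GPT protective
            StartLBA = [BitConverter]::ToUInt32($Sector, $o + 8)
            Sectors  = [BitConverter]::ToUInt32($Sector, $o + 12)
        }
    }
    [pscustomobject]@{
        BootSignatureOk = ($Sector[510] -eq 0x55 -and $Sector[511] -eq 0xAA)
        DiskSignature   = '0x{0:X8}' -f [BitConverter]::ToUInt32($Sector, 440)
        # Windows' own MBR starts with xor ax,ax / mov ss,ax / mov sp,7C00h.
        # Other code here is not proof of infection (third-party boot managers
        # exist), but on a plain Windows box it is the thing to explain.
        WindowsPrologue = ((($Sector[0..6] | ForEach-Object { '{0:X2}' -f $_ }) -join ' ') -eq '33 C0 8E D0 BC 00 7C')
        BootCodeSha256  = (($sha.ComputeHash($Sector, 0, 440) | ForEach-Object { $_.ToString('x2') }) -join '')
        Partitions      = $parts
    }
}

$mbr = Get-MbrInfo ([System.IO.File]::ReadAllBytes($Image))
$mbr | Format-List BootSignatureOk, DiskSignature, WindowsPrologue, BootCodeSha256
$mbr.Partitions | Format-Table -AutoSize

if (Test-Path $KnownGood) {
    $good = Get-MbrInfo ([System.IO.File]::ReadAllBytes($KnownGood))
    # Partition tables legitimately differ between machines; the boot code should not.
    if ($mbr.BootCodeSha256 -ne $good.BootCodeSha256) {
        Write-Warning 'Boot code differs from the known-good MBR: the first sector has been replaced.'
    }
}
```

The dd command above captures 2048 sectors and this script reads only the first; send the vendor the whole file, since the malware's boot code and whatever it stored of the original MBR lie in the sectors after it. Work on the copy on the flash drive, never on the disk itself, and do not boot the affected disk again.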

See also - Omelyan about protection from cyber attacks


You may already be aware of the attack recorded on June 27, 2017 in Russia and Ukraine, a large-scale attack similar to WannaCry. The virus locks computers and demands a ransom in bitcoins for decrypting files. In total, more than 80 companies in the two countries were affected, including Russia's Rosneft and Bashneft.

The ransomware, like the infamous WannaCry, blocks all of the computer's data and demands that a ransom in bitcoins equivalent to $300 be transferred to the criminals. But unlike WannaCry, Petya does not stop at encrypting individual files: by overwriting the boot sector it almost instantly takes the entire hard drive away from you.

The name usually used for this virus is Petya.A; ESET's report on it uses the detection name Diskcoder.C (also known as ExPetr, PetrWrap, Petya or NotPetya).

Judging by the victims' reports, the virus was distributed in phishing e-mails with infected attachments. Usually the message asks you to open a text document, but the real, second extension (for example .txt.exe) is hidden, and it is the last extension that Windows acts on. By default Windows does not display file extensions, so such a file looks like an ordinary .txt document. To show extensions:

In Windows 8.1, in the Explorer window: View > Folder Options > uncheck “Hide extensions for known file types”.

In Windows 7, in the Explorer window: Alt > Tools > Folder Options > uncheck “Hide extensions for known file types”.
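The same Explorer setting can be applied from PowerShell, and the usual download folders swept for names that use the double-extension trick. This is an added example, not from the original article; the registry value is the standard Explorer setting, while the folder list and the two extension lists are assumptions to adjust for your users.

```powershell
# Added example: show real file extensions and look for "document.ext.exe" names.
# The registry value and path are Explorer's standard setting; the folder and
# extension lists below are assumptions for a typical user profile.

# 1. Stop Explorer from hiding extensions for the current user (HideFileExt = 0).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty -Path $adv -Name HideFileExt -Value 0 -Type DWord
# Explorer reads the value at start-up, so restart the shell for it to apply.
Stop-Process -Name explorer -Force
Start-Sleep -Seconds 2
if (-not (Get-Process explorer -ErrorAction SilentlyContinue)) { Start-Process explorer.exe }

# 2. Names that end in a document-looking extension followed by an executable one.
$docExt  = 'txt|doc|docx|rtf|pdf|xls|xlsx|jpg|jpeg|png'
$runExt  = 'exe|scr|com|pif|bat|cmd|js|jse|vbs|vbe|wsf|hta'
$pattern = "\.($docExt)\.($runExt)$"          # -match is case-insensitive by default

$folders = "$env:USERPROFILE\Downloads", "$env:USERPROFILE\Desktop", $env:TEMP
Get-ChildItem -Path $folders -File -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Name -match $pattern } |
    ForEach-Object {
        [pscustomobject]@{
            File         = $_.FullName
            Bytes        = $_.Length
            LastWrite    = $_.LastWriteTime
            # Mark of the Web: present when the file came from a browser or mail client.
            FromInternet = [bool](Get-Item -Path $_.FullName -Stream Zone.Identifier -ErrorAction SilentlyContinue)
            Sha256       = (Get-FileHash -Path $_.FullName -Algorithm SHA256).Hash
        }
    } | Format-Table -AutoSize
```

The hash is what you hand to the antivirus vendor or look up in threat intelligence; the Zone.Identifier check separates files that arrived from outside from ones copied locally. Note that .lnk and Office files with macros are not in the executable list, so this sweep is a first pass, not a substitute for scanning.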

And the worst thing is that users are not even bothered by the fact that the messages come from unknown senders and ask them to open incomprehensible files.

After opening the file, the user sees a “blue screen of death”.

After the reboot, what looks like a “Scan Disk” check is launched; in fact, the virus is encrypting at that moment.

Unlike other ransomware, once this virus runs it restarts the computer, and when it boots up again a message appears on the screen: “DO NOT TURN OFF YOUR PC! IF YOU STOP THIS PROCESS, YOU MAY DESTROY ALL YOUR DATA! PLEASE MAKE SURE YOUR COMPUTER IS CONNECTED TO CHARGER!” While this looks like a system disk check, Petya is actually encrypting in the background. If the user tries to reboot the system or stop the process, a flashing red skull appears on the screen along with the text “PRESS ANY KEY!”, and after a key is pressed a new window appears with the ransom note. In that note the victim is asked to pay 0.9 bitcoins, approximately $400, per computer, so for a company with many machines the sum runs into the thousands; it also gives a full week to pay instead of the usual 12 to 72 hours that other viruses in this category allow. (The 0.9 BTC figure and the one-week deadline describe the original Petya of 2016; the June 2017 variant discussed here asks for $300.)

Moreover, the problems with Petya do not end there. Once in the system, the virus overwrites the Master Boot Record (MBR), the code the BIOS runs to start the operating system. You will not be able to boot normally until the MBR is restored, and even if you manage to restore it and remove the virus, your files will remain encrypted: removing the virus deletes its files, it does not decrypt yours. Removing it is still necessary if you want to keep working on the computer.

Once on your Windows computer, Petya almost instantly encrypts MFT (Master File Table). What is this table responsible for?

Imagine that your hard drive is the largest library in the entire universe. It contains billions of books. So how do you find the right book? Only through the library catalogue. It is this catalog that Petya destroys. Thus, you lose any possibility of finding any “file” on your PC. To be even more precise, after Petya “works”, your computer’s hard drive will resemble a library after a tornado, with scraps of books flying everywhere.

Thus, unlike WannaCry, Petya.A does not rely on encrypting every file one by one, which takes a long time: by encrypting the table it takes away any possibility of finding them at all.

Who created the Petya virus?

The Petya virus uses the exploit (“hole”) in Windows known as EternalBlue, which targets the SMBv1 vulnerability fixed by MS17-010. Microsoft has released the patch KB4012598 for it; we already talked about this update, which “closes” the hole, in the earlier WannaCry lessons.

The creator of Petya was able to wisely use the carelessness of corporate and private users and make money from it. His identity is still unknown (and is unlikely to be known)

How to remove Petya virus?

How do you remove the Petya.A virus from your hard drive? This is a deceptively interesting question. If the virus has already locked your data, there is in fact nothing left to remove: its work is done. If you do not intend to pay the ransom (which you should not) and will not try to recover data from the disk later, you can simply format the disk and reinstall the OS; no trace of the virus will remain. If you may want to attempt recovery later, do not format: image the disk first.

If you suspect that there is an infected file on your disk, run a full system scan with an antivirus such as ESET NOD32. ESET has stated that its signature database already contains this virus.

Petya.A decryptor

Petya.A encrypts your data with a strong encryption algorithm. There is currently no solution for decrypting the blocked information.

Undoubtedly, we would all love a miraculous Petya.A decryptor, but there is simply no such solution. WannaCry hit the world a few months ago, and no general way to decrypt the data it encrypted has been found either.

The only option is if you previously had shadow copies of the files, or a backup.

Therefore, if you have not yet become a victim of Petya.A, update your OS and install an antivirus such as ESET NOD32. If you do lose control of your data, you have several options.

Pay. There is no point in doing this: experts have already established that the creator of the virus does not restore the data and, given the encryption scheme, cannot.

Remove the virus from your computer and try to restore your files from shadow copies (the virus does not touch them).

Remove the hard drive from the device, put it away carefully and wait for a decryptor to appear.

Format the disk and reinstall the operating system. Downside: all data is lost.

Petya.A and Android, iOS, Mac, Linux

Many users are worried about whether the Petya virus can infect their Android and iOS devices. I hasten to reassure them: no, it cannot; it targets Windows only. The same applies to Linux and Mac users: you can sleep peacefully, nothing threatens you.

A number of Russian and Ukrainian companies were attacked by the Petya ransomware virus. The site talked to experts from Kaspersky Lab and the interactive agency AGIMA and found out how to protect corporate computers from the virus and how Petya resembles the equally famous WannaCry ransomware.

Virus "Petya"

In Russia the victims include Rosneft, Bashneft, Mars, Nivea and Mondelez International, the maker of Alpen Gold chocolate. The ransomware also hit the radiation monitoring system of the Chernobyl nuclear power plant. In addition, the attack affected computers of the Ukrainian government, Privatbank and telecom operators. The virus locks computers and demands a ransom of $300 in bitcoins.

In its Twitter microblog, the Rosneft press service reported a hacker attack on the company's servers. “A powerful hacker attack was carried out on the company's servers. We hope that this has nothing to do with the current legal proceedings. The company has contacted law enforcement agencies regarding the cyber attack,” the message says.

According to company press secretary Mikhail Leontyev, Rosneft and its subsidiaries are operating as normal. After the attack, the company switched to a backup process control system so that oil production and treatment did not stop. The Home Credit bank system was also attacked.

"Petya" does not infect without "Misha"

According to Executive Director of AGIMA Evgeniy Lobanov, in fact, the attack was carried out by two encryption viruses: Petya and Misha.

“They work together; Petya does not infect without Misha. It can infect, but yesterday's attack was two viruses: first Petya, then Misha. Petya rewrites the boot device (where the computer boots from), and Misha encrypts files using a specific algorithm,” the specialist explained. “Petya encrypts the boot sector of the disk (the MBR) and replaces it with its own; Misha then encrypts all the files on the disk (not always).”

He noted that Petya is not similar to the WannaCry encryptor that attacked large global companies in May of this year; it is a new version.

“Petya.A is from the WannaCry (or rather WannaCrypt) family, but the main difference, the reason it is not the same virus, is that it replaces the MBR with its own boot sector; this is new for ransomware. The Petya virus appeared a long time ago; on GitHub (an online service for IT projects and collaborative programming) there was a decryptor for that encryptor (https://github.com/leo-stone/hack-petya), but no decryptor works for the new modification.”

Yevgeny Lobanov emphasized that the attack hit Ukraine harder than Russia.

“We are more susceptible to attacks than other Western countries. We will be protected from this version of the virus, but not from its modifications. Our Internet is unsafe, and in Ukraine it is even less so. Mainly transport companies, banks, mobile operators (Vodafone, Kyivstar) and medical companies were attacked, the same Pharmamag, Shell petrol stations: all very large transcontinental companies,” he said in an interview with the site.

The executive director of AGIMA noted that there are no facts yet that would indicate the geographical location of the spreader of the virus. In his opinion, the virus supposedly appeared in Russia. Unfortunately, there is no direct evidence of this.

“There is an assumption that these are our hackers, since the first modification appeared in Russia, and the virus itself, which is no secret to anyone, was named after Petro Poroshenko. It was the development of Russian hackers, but it’s difficult to say who changed it further. It’s clear. that even if you are in Russia, it is easy to have a computer with geolocation in the USA, for example,” the expert explained.

“If your computer is suddenly “infected,” you must not turn off your computer. If you reboot, you will never log in again.”

“If your computer is suddenly ‘infected’, you must not turn it off, because the Petya virus replaces the MBR, the first boot sector from which the operating system is loaded. If you reboot, you will never log into the system again. This cuts off the escape routes; even if a ‘cure’ appears, it will no longer be possible to get the data back. Next, you need to disconnect from the Internet immediately so that the computer does not go online. An official patch from Microsoft has already been released; it provides a 98 percent security guarantee, unfortunately not 100 percent yet. A certain modification of the virus (there are three of them) still bypasses it for now,” Lobanov recommended. “However, if you do reboot and see the ‘check disk’ process starting, at that moment you need to turn off the computer immediately, and the files will remain unencrypted.”

In addition, the expert also explained why Microsoft users are most often attacked, and not MacOSX (Apple operating system - website) and Unix systems.

“Here it is more correct to talk not only about MacOSX but about all Unix systems (the principle is the same). The virus spreads only to computers, not mobile devices. The Windows operating system is subject to attack and threatens only those users who have disabled automatic system updates. As an exception, updates were made available even to owners of older versions of Windows that are no longer updated: XP, Windows 8 and Windows Server 2003,” the expert said.

“MacOSX and Unix are not susceptible to such viruses globally because many large corporations use Microsoft infrastructure. MacOSX is not susceptible because it is not so common in government agencies. There are fewer viruses for it; it is not profitable to make them, because the attack segment would be smaller than when attacking Microsoft,” the specialist concluded.

"The number of attacked users has reached two thousand"

The Kaspersky Lab press service, whose experts continue to investigate the latest wave of infections, said that “this ransomware does not belong to the already known Petya family of ransomware, although it has several lines of code in common with it.”

The Laboratory is confident that in this case we are talking about a new family of malicious software with functionality significantly different from Petya. Kaspersky Lab has named its new ransomware ExPetr.

“According to Kaspersky Lab, the number of attacked users has reached two thousand. Most incidents were recorded in Russia and Ukraine; cases of infection were also observed in Poland, Italy, Great Britain, Germany, France, the USA and a number of other countries. At the moment our experts suggest that this malware used several attack vectors. It has been established that a modified EternalBlue exploit and the EternalRomance exploit were used for distribution within corporate networks,” the press service said.

Experts are also exploring the possibility of creating a decryption tool that could be used to decrypt the data. The Laboratory also made recommendations for all organizations to avoid a virus attack in the future.

"We recommend that organizations install updates for the Windows operating system. For Windows XP and Windows 7, they should install the MS17-010 security update and ensure that they have an effective data backup system. Backing up data in a timely and secure manner allows you to restore the original files, even if they were encrypted with malware,” advised Kaspersky Lab experts.

The Laboratory also recommends that its corporate clients make sure that all protection mechanisms are activated, in particular that the connection to the Kaspersky Security Network cloud infrastructure is working; as an additional measure, it recommends using the Application Privilege Control component to deny all application groups access to (and therefore execution of) a file called “perfc.dat”.

“If you do not use Kaspersky Lab products, we recommend that you disable the execution of the file called perfc.dat, and also block the launch of the PSExec utility from the Sysinternals package using the AppLocker function included in the Windows OS (operating system – website),” recommended in the laboratory.
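The two blocks Kaspersky recommends for sites without its products, the perfc.dat file and the PsExec utility, can be written as AppLocker deny rules. The script below is an added example, not Kaspersky's or Microsoft's: it derives a publisher rule from a local copy of PsExec (assumed to sit at C:\Tools\PsExec.exe), so that a renamed copy is still caught, adds a path rule for %WINDIR%\perfc.dat in the DLL collection (the dropper is a DLL loaded through rundll32, which is an assumption on top of the page's "perfc.dat"), merges the result into the local policy in audit mode and tests it.

```powershell
# Added example: AppLocker deny rules for PsExec and perfc.dat (not Kaspersky's code).
# Run as Administrator on an edition that supports AppLocker (Enterprise/Ultimate).
Import-Module AppLocker
$psexec     = 'C:\Tools\PsExec.exe'          # assumed: a copy to read the signature from
$policyFile = "$env:TEMP\petya-deny.xml"

# Publisher rule from the real signature: survives renaming of the binary.
$info = Get-AppLockerFileInformation -Path $psexec
if (-not $info.Publisher) { throw 'PsExec copy is not signed; cannot build a publisher rule' }
# New-AppLockerPolicy only emits Allow rules; flip the action and start in audit mode.
$xml = New-AppLockerPolicy -FileInformation $info -RuleType Publisher -User Everyone -Xml
$xml = $xml -replace 'Action="Allow"', 'Action="Deny"' -replace 'EnforcementMode="NotConfigured"', 'EnforcementMode="AuditOnly"'
[xml]$policy = $xml

# DLL collection: the dropper is a DLL (perfc.dat) that is loaded via rundll32.
$dll = [xml]@"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Dll" EnforcementMode="AuditOnly">
    <FilePathRule Id="$([guid]::NewGuid())" Name="Deny perfc.dat" Description="Petya/NotPetya dropper"
                  UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="%WINDIR%\perfc.dat" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$node = $policy.ImportNode($dll.AppLockerPolicy.RuleCollection, $true)
$policy.DocumentElement.AppendChild($node) | Out-Null
$policy.Save($policyFile)

# AppLocker only evaluates rules while the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

Set-AppLockerPolicy -XmlPolicy $policyFile -Merge
# PolicyDecision should read "Denied" (or "DeniedByDefault" when no allow rule covers it).
Test-AppLockerPolicy -XmlPolicy $policyFile -Path $psexec -User Everyone
```

Keep the collections in AuditOnly until the default allow rules exist: an enforced AppLocker collection blocks everything that no rule allows, so switching a collection that contains only deny rules to Enabled stops every executable (or every DLL) on the machine. Review the audit events in the AppLocker event log first, then enable enforcement. The path rule is defeated if the dropper is written under another name, which is why the PsExec side uses a publisher condition; PsExec started by an attacker who already has admin credentials is exactly the lateral movement that Kaspersky's advice is meant to cut off.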

On May 12, 2017, WannaCry appeared: for many, an encryptor of the data on computer hard drives. It blocks the device and demands a ransom.
The virus affected organisations and departments in dozens of countries around the world, including Russia, where the Ministry of Health, the Ministry of Emergency Situations, the Ministry of Internal Affairs, servers of mobile operators and several large banks were attacked.

The spread of the virus was stopped by accident and only temporarily: if the attackers changed just a few lines of code, the malware would start working again. The damage from the program is estimated at a billion dollars. After forensic linguistic analysis, experts concluded that WannaCry was created by people from China or Singapore.






