Petya virus: what it is and how to decrypt files

Aina Prat (@ainaprat)

The Petya ransomware takes over the boot sector of the hard disk and encrypts the file system's index, making every file unreachable. Here is what it is, how it spreads and how the files can be recovered.

Ransomware is a class of malware that makes the victim's data inaccessible, usually by encrypting it, and then demands a payment to restore it. As we saw with the CryptoLocker virus, these threats are particularly insidious and effective. A new family called Petya has recently spread; instead of encrypting documents one by one from inside Windows, it infects the MBR sector of the hard disk and does its work before Windows even starts.



Before describing how the infection happens, how the malware works and how to recover from it, a word on what the MBR is. MBR stands for Master Boot Record: the first sector of a hard disk, 512 bytes long. It holds the bootstrap code that the firmware loads and executes to start the operating system, followed by the partition table and a two-byte signature. Malware that overwrites this sector runs from the very first instruction the machine executes, before Windows and before any security software. A damaged MBR on its own does not destroy data: the PC no longer boots from that disk, but the disk can still be read when attached to another machine. Petya goes further, as described below, by also encrypting the file system's index.
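To make the MBR layout concrete, the following added example (not code from the article or from any Petya analysis tool) builds a constructed 512-byte MBR with one bootable NTFS partition, parses it back into its three parts, and fingerprints the bootstrap area. The partition values (type 0x07, start LBA 2048, 204800 sectors) and the two-byte placeholder boot code are made up for the demonstration. A defender would run `parse_mbr` over sector 0 read from a suspect disk and compare `bootstrap_sha256` against a known-good baseline, since a bootkit such as Petya leaves the partition table intact and replaces only the code in front of it.

```python
import hashlib
import struct

MBR_SIZE = 512
PART_TABLE_OFFSET = 446          # 446 bytes of bootstrap code come first
PART_ENTRY_FMT = "<B3sB3sII"     # status, CHS start, type, CHS end, LBA start, sector count
SIGNATURE = b"\x55\xAA"          # bytes 510-511, little-endian 0xAA55


def build_sample_mbr() -> bytes:
    """Constructed MBR for the demo: dummy boot code plus one bootable NTFS partition."""
    boot_code = b"\xEB\xFE" + b"\x90" * 444          # 'jmp $' then NOP padding (placeholder)
    part1 = struct.pack(PART_ENTRY_FMT,
                        0x80,                         # bootable flag
                        b"\x20\x21\x00",              # CHS start (ignored by modern loaders)
                        0x07,                         # partition type: NTFS / exFAT
                        b"\xFE\xFF\xFF",              # CHS end (ignored)
                        2048,                         # LBA of first sector (assumed)
                        204800)                       # size in sectors, 100 MiB (assumed)
    empty_entry = b"\x00" * 16
    mbr = boot_code + part1 + empty_entry * 3 + SIGNATURE
    assert len(mbr) == MBR_SIZE
    return mbr


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte sector into bootstrap code, partition table and signature."""
    if len(sector) != MBR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = PART_TABLE_OFFSET + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:                                # type 0x00 means unused slot
            partitions.append({"bootable": status == 0x80,
                               "type": ptype,
                               "lba_start": lba,
                               "sectors": count})
    return {"valid_signature": sector[510:512] == SIGNATURE,
            "bootstrap": sector[:PART_TABLE_OFFSET],
            "partitions": partitions}


def bootstrap_sha256(sector: bytes) -> str:
    """Fingerprint of the code area only; compare it against a known-good disk."""
    return hashlib.sha256(parse_mbr(sector)["bootstrap"]).hexdigest()


if __name__ == "__main__":
    mbr = build_sample_mbr()
    info = parse_mbr(mbr)
    print("signature ok:", info["valid_signature"])
    for p in info["partitions"]:
        print(f"type 0x{p['type']:02X} bootable={p['bootable']} "
              f"lba={p['lba_start']} sectors={p['sectors']}")
    print("bootstrap sha256:", bootstrap_sha256(mbr))
```

On a real machine the 512 bytes would come from the raw device (for example `\\.\PhysicalDrive1` on Windows, opened read-only), never from a file inside the infected system.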

Petya is generally delivered by email, and the campaign has targeted HR departments in particular, because recruiters routinely open unsolicited files such as CVs. The email carries a link to a file hosted on the well-known Dropbox service, which lends it credibility. When the user downloads and launches the file, Windows asks for permission to run it with administrator rights (the User Account Control prompt); Petya needs those rights to write to the MBR. That warning does not always stop the user, who can click through and so install the malware.

Once running, Petya overwrites the MBR with its own bootloader and forces a reboot. The machine then shows a fake CHKDSK screen reporting a problem on the hard disk: "One of your disks contains errors and needs to be repaired". In reality, while this fake repair is displayed the malware is completing its work, encrypting the disk's Master File Table. When it finishes, a screen with an ASCII-art skull tells the victim that they are infected, followed by instructions for regaining control of the PC: connect to the Tor anonymity network and pay 0.9 Bitcoin, about $400 at the time, to obtain the key. A video of an infection in progress accompanies this article.



The victim is locked out of Windows. Petya does not encrypt individual files: it encrypts the MFT (Master File Table), the NTFS index that records where every file and folder lives on the disk. Without the MFT the file contents are still physically on the disk but cannot be located, so the machine is unusable. Some sources claim that the MBR can be restored with the repair tools on the Windows installation media (bootrec /fixmbr from the recovery environment). That does remove Petya's bootloader, but it does not touch the encrypted MFT, so the file system stays unreadable and the only way to a working system is to reinstall Windows, losing everything. Worse, rewriting the MBR also removes the key-entry screen that the recovery procedure below depends on, so do not repair the MBR before the key has been recovered.

 

How to decrypt files from the Petya virus

Researchers have recently found a flaw in Petya: the Salsa20 cipher it implements is weakened enough that the key can be recovered from data the malware itself leaves on the disk. With that key it is possible, free of charge, to remove the virus and decrypt the files, folders and documents taken hostage, following the procedure below.

The first thing to do is to remove the infected hard disk and connect it as a secondary drive to a clean PC, using a classic SATA-to-USB adapter or a docking station. Do not boot from the infected disk.

Then download the Petya Sector Extractor tool from the link in this article and run it on the clean PC. Click "Copy Sector" to copy the 512-byte verification block that Petya stored on the disk, and paste it into Windows Notepad. Then click "Copy Nonce" to copy the second value, an 8-byte nonce, and paste that as well.


Next, open the Petya Pay No Ransom site and paste the 512-byte text into the first field and the 8-byte text into the second.

Pressing "Submit" makes the service search for the key that decrypts the verification block and display it. Now reconnect the encrypted disk to the original PC, boot from it, and type the generated key at Petya's own prompt. After a few seconds decryption begins; when it finishes the system reboots and should start normally.
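Why do a 512-byte block and an 8-byte nonce suffice to recover the key? Petya stores on the disk a known plaintext, the byte 0x37 repeated 512 times, encrypted under the user's key and that nonce; its bootloader accepts a typed key only if decrypting the block yields all 0x37 again. Whoever holds the block and the nonce can therefore test candidate keys offline, which is what the extractor and the pay-no-ransom site together make possible. The added example below (not the tool's code, nor the researchers') reproduces that acceptance test on a constructed sample. Two points are assumptions or simplifications: it uses standard Salsa20/20, whereas the real Petya shipped a broken 16-bit Salsa20 implementation (the weakness the researchers exploited), so it will not validate a key against a sector taken from a real infection; and the expansion of the 16-character key into a 32-byte cipher key (c + 0x7A and 2c for each character) follows published analyses of the sample. The nonce and key values are made up.

```python
import struct

VERIFY_BYTE = 0x37
SECTOR_SIZE = 512
MASK32 = 0xFFFFFFFF


def _rotl32(v: int, n: int) -> int:
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarterround(s: list, a: int, b: int, c: int, d: int) -> None:
    s[b] ^= _rotl32((s[a] + s[d]) & MASK32, 7)
    s[c] ^= _rotl32((s[b] + s[a]) & MASK32, 9)
    s[d] ^= _rotl32((s[c] + s[b]) & MASK32, 13)
    s[a] ^= _rotl32((s[d] + s[c]) & MASK32, 18)


def salsa20_block(key32: bytes, nonce8: bytes, counter: int) -> bytes:
    """One 64-byte keystream block of standard Salsa20/20 (32-byte key, 8-byte nonce)."""
    c = struct.unpack("<4I", b"expand 32-byte k")
    k = struct.unpack("<8I", key32)
    n = struct.unpack("<2I", nonce8)
    state = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
             counter & MASK32, (counter >> 32) & MASK32, c[2], k[4], k[5], k[6], k[7], c[3]]
    x = list(state)
    for _ in range(10):                         # 20 rounds = 10 double rounds
        _quarterround(x, 0, 4, 8, 12)           # column round
        _quarterround(x, 5, 9, 13, 1)
        _quarterround(x, 10, 14, 2, 6)
        _quarterround(x, 15, 3, 7, 11)
        _quarterround(x, 0, 1, 2, 3)            # row round
        _quarterround(x, 5, 6, 7, 4)
        _quarterround(x, 10, 11, 8, 9)
        _quarterround(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x[i] + state[i]) & MASK32 for i in range(16)])


def salsa20_xor(key32: bytes, nonce8: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (same operation) by XORing data with the keystream."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key32, nonce8, off // 64)
        out += bytes(p ^ k for p, k in zip(data[off:off + 64], ks))
    return bytes(out)


def expand_key(password: str) -> bytes:
    """16-character Petya key -> 32-byte cipher key (expansion as described in public analyses)."""
    if len(password) != 16:
        raise ValueError("Petya keys are 16 characters long")
    key = bytearray()
    for ch in password.encode("ascii"):
        key.append((ch + 0x7A) & 0xFF)
        key.append((ch * 2) & 0xFF)
    return bytes(key)


def key_is_valid(password: str, verify_sector: bytes, nonce: bytes) -> bool:
    """The bootloader's acceptance test: does this key turn the block back into 512 x 0x37?"""
    plain = salsa20_xor(expand_key(password), nonce, verify_sector)
    return plain == bytes([VERIFY_BYTE]) * SECTOR_SIZE


def make_infected_sector(password: str, nonce: bytes) -> bytes:
    """Constructed sample of the verification block Petya writes during infection."""
    return salsa20_xor(expand_key(password), nonce, bytes([VERIFY_BYTE]) * SECTOR_SIZE)


def demo() -> tuple:
    nonce = bytes.fromhex("0011223344556677")     # constructed 8-byte nonce
    real_key = "aZ3kQ9pL2mX8vN4b"                 # constructed 16-character key
    sector = make_infected_sector(real_key, nonce)
    return key_is_valid(real_key, sector, nonce), key_is_valid("0000000000000000", sector, nonce)


if __name__ == "__main__":
    good, bad = demo()
    print("correct key accepted:", good, "| wrong key accepted:", bad)
```

The two values copied by the extractor are exactly the `verify_sector` and `nonce` arguments here; the recovery service's job is to find the `password` for which `key_is_valid` returns True, a search that is only feasible because of the weakness in Petya's own cipher implementation.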


For the latest updates on the tool, you can consult the developer's official Twitter profile.

 

Petya virus: conclusions

Petya is a powerful and insidious piece of malware, but thanks to the flaw the researchers discovered it can be defeated without paying the ransom. If you have run into this virus and do not know how to proceed, you can contact us for a quote.
