Petya Ransomware Removal and Protection

Posted by @Helen

June 30, 2017

To do Petya ransomware removal, switch off power supply, disconnect network, block port 445/139, backup key files, install Windows March patch MS17-010, install antivirus software and keep away from dangerous websites.

Decrypt Petya Ransomware

Yes, ransomware comes back again on June 27, 2017! This is the third (the first two are WannaCry and EternalRocks; some people may regard it as the second for they do not count the EternalRocks in for its little influence) virus of the last two months. Seems like this is a season for seeding ransomware viruses.

About Petya Malware

Petya, also called Petna or Pneytna due to tongue-in-cheek or GlodenEye, is another ransomware spreading through network exploit the Windows ExternalBlue vulnerability and blackmail $ 300 in Bitcoin. A lot of organizations in Europe and the US has been infected by data encrypted up, including advertiser WPP, food company Mondelez, legal firm DLA Piper and Danish shipping & transport firm Maersk. Seems very like WannaCry but not actually is. Compared with WannaCry, it has pros and cons.

Pros: Petya ransomware virus not only attack computers through Windows ExternalBlue vulnerability, but also by two Windows administrative tools (PSEXEC or WMIC). It try one option to attack first. If it does not work, then it will try the other way. It has better spreading mechanism than WannaCry.

Cons:Stupid payment mechanism. The Petya ransomware virus create same payment address for all victims, which can be traced. And, it asks victims to communicate with the hackers via a single email address which has already been suspended by the email provider. (So, do not pay the money if you are affected for you even can’t contact the attackers now.)

Petya malware has more clear targets – large companies or organizations. It is said that the virus has been seeded through a software update mechanism built into an accounting program that companies working with the Ukrainian government need to use. So, the most victims are Ukrainian organizations, including state power utilities, government, banks. It spreads internally within networks but not externally. This spreading mechanism also makes Petya ransomware virus easier to be controlled down.

How Does Petya Malware Infect Your Computer?

Once it gets on your computer, it takes 10 - 60 minutes (randomly) before it starts encrypting your data. To encrypt computer files, it will first reboot the computer. Therefore, while it restarting the computer, switch off the power and disconnect from Internet, then, you can achieve Petya ransomware removal.

If you missed the chance to power off your machine and it reboot successfully, Petya ransomware virus will check for the read-only file C:\Windows\perfc.dat. If it finds this file on your computer, it won’t run encryption to personal files. Though this is not 100% true, you can try to create this file into your system files to avoid attacking.

Petya Ransomware Removal

If you are already infected by Petya malware and your crucial files are encrypted, you can try some antivirus software to do Petya ransomware fix. Or, you can first rescue your data by backup/move them out while boot from a rescue bootable media.

To create a bootable media (bootable USB is recommended for USB is convenient to be transferred among computers), first of all, find an available USB, which has no important data on it or whose crucial data has been backed up, and insert it into an unaffected computer.

1. Download, install and open AOMEI Backupper Free (especially for ransomware WannaCry) to the unaffected machine. When it opens, in its window, select “Create Bootable Media”.

Create Bootable Media

2. Then, this program will value whether your current system support make a bootable device. Most OS are certificated. If your system does not support, it may requires you to download Windows ADK/AIK, just follow its instructions and make operating system certificated.

Create Bootable Media Certification 

3. Choose “USB Bootable Device” and click “Next”.

Create Bootable USB

4. Wait for it finishes and pull out the USB flash drive.

Tip: While making the bootable USB, AOMEI Backupper Free has been packed into the bootable device. Then, you can directly use it to carry out Petya ransomware removal after the infected computer been booted up by the USB drive.

5. Connect the bootable USB into the infected machine and reboot it manually. Before it restart into its own system, enter into BIOS and change boot sequence and let it boot from the USB.

6. When it successfully boots from the USB disk, AOMEI Backupper Free will automatically pops up with the follow interface. Select “I Want to Backup Data” to go on.

Create Bootable Media

7. Choose “File Backup” to continue. You can also select “Partition Backup” if the whole partition data is what you want and it is non-system partition.

File Backup

8. Choose all the files you want to move out of the infected computer.

Select Files to Backup

9. Insert an external storage device to the infected computer (eg. another USB) as data backup destination. You might save backup image into the bootable USB device.

Backup Destination

10.   “Start Backup” and wait for it completes. Then, pull out both the bootable USB and the external image storage. Next, you may restore the backed out files to a working computer to seek for further Petya ransomware decrypt.

How to Protect Yourself from Petya Ransomware Virus?

Since Petya malware spreads through Windows EternalBlue vulnerability and two Windows administrative tools, we can prevent its infection by doing the following actions similar to defending WannaCry.

1. Disconnect Network and block port 445/139 (Control Panel > Advanced settings > Inbound Rules > New Rule > Port > Specific local ports: 445/139 > Block the connection > Next > Finish) to avoid further infection.

2. Make a backup of your key files to external device, network share, NAS or cloud drive. You can still make use of AOMEI Backupper Free to do backup work here.

3. Get a reliable antivirus software to detect and protest against future attacks by Petya ransomware virus, such as Windows Defender Advanced Threat Protection, Symantec and Kaspersky who claim to have updated to be capable of spotting the cyber attack.

4. Install the vulnerability patch released by Microsoft in March and keep Windows up to data.

5. Form a good habit of avoid opening unsafe websits.

Conclusion and Warning

According to some Security researchers, Petya is just a destructive, particularly to the Ukrainian government program but masquerade as ransomware. This makes me can’t help thinking further; if someday the nowadays terrorists attack by cyber weapons (ransomware, malware, virus, Trojan, etc.) instead of real weapons (like guns, bombs and knives), what can it be? Then, no human beings get physical injured, but great financial loss are caused, public service system get paralyzed, secret documents are leaked, etc. what should we do at that moment?

Antivirus work is not only the task of government network security centers or network operators, but also the duty of every netizen. To create a safe and clear network environment, everyone is included!