Recovery from Petya ransomware

Petya is a variant of ransomware that causes a blue screen of death (BSoD) and then puts the ransom demand on the startup screen before the operating system loads. Instead of the computer booting and the Windows logo appearing, a red and white screen appears with a skull and crossbones, as shown below.

Screen capture of the Petya Ransomware

Petya overwrites the Master Boot Record (MBR) of the hard drive. The infection vector seen so far has been email. In one campaign, victims receive an email that appears to be a business-related message from a job applicant seeking a position in the company. By overwriting the MBR, Petya prevents victims from restarting in Safe Mode. The ransom message instructs the victim to pay 0.99 Bitcoins, which is approximately $430.

Victims of the Petya ransomware can now recover their files without having to connect the drive to a different computer. A video has been posted on YouTube explaining the process (https://www.youtube.com/watch?v=mSqxFjZq_z4). Then, using the following links, get your Petya-encrypted disk back without paying a ransom!!! Grab some bytes from the victim disk, encode them in Base64 and paste the two strings in the form fields.

https://petya-pay-no-ransom.herokuapp.com/
or
https://petya-pay-no-ransom-mirror1.herokuapp.com/
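As an added example (not from the post or from the sites linked above), a small Python script that pulls the two byte ranges out of a raw image of the infected disk and prints them Base64-encoded for the form. The sector offsets are an assumption, since the post does not state them, and a constructed image stands in for a real disk.

```python
import base64

SECTOR = 512
# Assumed layout (not stated in the post): the 512-byte verification block
# sits in sector 55 and the 8-byte nonce at offset 33 of sector 54. Adjust
# these if the recovery tool you use documents different offsets.
VERIFY_OFFSET = 55 * SECTOR
VERIFY_LEN = 512
NONCE_OFFSET = 54 * SECTOR + 33
NONCE_LEN = 8


def read_range(image: bytes, offset: int, length: int) -> bytes:
    """Return exactly `length` bytes at `offset`, or fail loudly if the image is short."""
    if offset + length > len(image):
        raise ValueError(f"image too short: need {offset + length} bytes, have {len(image)}")
    return image[offset:offset + length]


def petya_form_strings(image: bytes) -> tuple[str, str]:
    """Return the two Base64 strings (verification data, nonce) to paste into the form."""
    if image[510:512] != b"\x55\xaa":
        raise ValueError("no 0x55AA boot signature: not a raw MBR disk image")
    verify = read_range(image, VERIFY_OFFSET, VERIFY_LEN)
    nonce = read_range(image, NONCE_OFFSET, NONCE_LEN)
    # All-zero ranges mean the offsets are wrong or the disk is not Petya-infected.
    if verify == bytes(VERIFY_LEN) or nonce == bytes(NONCE_LEN):
        raise ValueError("verification block or nonce is all zeros; check offsets")
    return base64.b64encode(verify).decode(), base64.b64encode(nonce).decode()


def strings_from_file(path: str) -> tuple[str, str]:
    """Read only the first 56 sectors of a raw image (e.g. from dd) and extract the strings."""
    with open(path, "rb") as f:
        image = f.read(56 * SECTOR)
    return petya_form_strings(image)


def constructed_image() -> bytes:
    """Constructed 56-sector stand-in for a real disk: boot signature plus test bytes."""
    img = bytearray(56 * SECTOR)
    img[510:512] = b"\x55\xaa"
    img[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN] = bytes(range(1, 9))
    img[VERIFY_OFFSET:VERIFY_OFFSET + VERIFY_LEN] = b"A" * VERIFY_LEN
    return bytes(img)


if __name__ == "__main__":
    verification, nonce = petya_form_strings(constructed_image())
    print("verification data:", verification[:40], "...")
    print("nonce:", nonce)
```

Run it against a read-only image of the infected disk rather than the live device, and keep that image in case the offsets need adjusting.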

Always exercise caution when receiving an email with a link or attachment. Simply clicking on a link or opening a malicious attachment can be a very costly mistake that destroys your data.

Post by Remote Process