Petya Ransomware Removal Guide

Do you know what Petya Ransomware is?

If Petya Ransomware has infiltrated your operating system, there is nothing you can really do because this Trojan infection has most probably already encrypted your files. There are two ways to identify this ransomware. First, when you run its executable file, it reboots your system right away and starts up a customized chkdsk process. Second, when the encryption finishes, this infection makes sure that you know what has just happened and how you can get back your files if you pay the demanded amount through the dark web. According to our researchers, if you are fast enough and realize what is going on in the first case, you may be able to unplug your machine just in time to stop the encryption process and save some of your files. However, this is a rather tricky ransomware that modifies the master boot record (MBR). Therefore, it will start up with every reboot, so you need to be careful how you restart your computer. There is no question about what you must do as soon as you notice this malicious program on your system. If you do not remove Petya Ransomware, you will not be able to use your computer again safely. Please read our full report to understand how this infection works and how you can recover your system.

In order to be able to protect your computer from this Trojan, it is important to know how it actually infects or spreads. This ransomware seems to be mostly distributed in spam e-mails. While usually Trojans use file attachments, such as image and video files, or in some cases macro-ready documents, this infection infiltrates computers through a corrupted link that is shown in the body of the mail. This link points to a Dropbox file called “application folder-gepackt.exe,” which is indeed the malicious executable file. If you double-click this file after downloading it, it will start up this ransomware right away.

Since this Trojan is, and actually most Trojan ransomware programs are, initiated by the user, this kind of infection could be avoided. All you need to do is be more careful with opening your e-mails and clicking on links and attachments. More sophisticated spam e-mails may even imitate the sender of the mail so that you think that it comes from a legitimate source, such as an institution, an office, or a network provider, etc. However, we suggest that you only open those e-mails that you actually expect. When in doubt, try to double-check with the sender to make sure the mail or the attachments were indeed intended for you to receive. This way you can avoid such nasty infections and the possibly irrevocable damage.

As we have already mentioned, once you run the malicious executable file, it reboots your system and starts up a fake chkdsk process. However, it is simply the way this ransomware hides its true purpose and action since in the background it is actually encrypting your files with RSA-4096 and AES-256 algorithms, which are built-in encryptions in the Windows operating system. If you try to restart your computer in spite of the warning or when the fake disk repair finishes claiming to be unsuccessful, a red screen appears with a huge skull and bones that is made from ASCII characters, such as “U” and “$.” When you press a key, the good old ransom note will come up on your screen, also on red background. This note claims that your hard disks have been encrypted with “military grade encryption algorithm” to sound even scarier. You are also instructed to download the Tor browser through which you can access dark web pages. If you load one of the provided pages, you will get more information about the transfer of the ransom fee. This amount might be different depending on the victims. When a company is targeted, obviously, these criminals may demand thousands of dollars’ worth of Bitcoins, which is the usual currency to settle such shady businesses. Our researchers say that this fee otherwise can start from around 400 USD, which is a usual amount to be extorted for private keys. We do not recommend that you pay this fee because you may support criminals to be able to commit more online crimes. On the other hand, you may not even get your private key. Nevertheless, this is your call. One thing is sure: You should delete Petya Ransomware if you want to use your PC again.

Finally, let us provide you with a solution to tackle this dire situation. If you want to remove Petya Ransomware, you cannot simply run an uninstaller through Control Panel. We have included a step-by-step guide for you to assist you with all the necessary steps. Please remember that you need to repair your master boot record first in order to recover your operating system. However, this process is not without risks. Please make sure that you know what you are doing before you cause more damage to your computer, if recovery is possible at all. If you do not want to take this risk, we advise you to download and install a trustworthy anti-malware program that will also safeguard your PC from all known malware infections. Should you need any assistance with the removal of Petya Ransomware, please let us know by leaving a comment below.

Petya Ransomware Removal from Windows

How to Fix the MBR

Windows 8/Windows 8.1/Windows 10

  1. Restart your system from the original Windows installation DVD.
  2. When the Welcome screen comes up, click Repair your computer.
  3. Choose Troubleshoot.
  4. Select Command Prompt.
  5. Enter these commands, press the Enter key after each line, and wait for the process to end:
    bootrec /FixMbr
    bootrec /FixBoot
    bootrec /ScanOs
    bootrec /RebuildBcd
  6. Eject the DVD.
  7. Type in exit and press the Enter key.
  8. Restart your computer.

Windows 7

  1. Restart your operating system from your Windows 7 installation CD/DVD.
  2. Select the “Use recovery tools that can help fix problems starting Windows” radio button and choose the operating system. Press Next.
  3. When the System Recovery Options screen comes up, pick Command Prompt.
  4. Enter these commands, press the Enter key after each line, and wait for each process to end:
    bootrec /rebuildbcd
    bootrec /fixmbr
    bootrec /fixboot
  5. Eject the CD/DVD.
  6. Restart your system.

Windows Vista

  1. Restart your system from your Windows Vista installation CD/DVD.
  2. When the Welcome screen comes up, click on Repair your computer.
  3. Select your operating system and press Next.
  4. When the System Recovery Options window shows up, choose Command Prompt.
  5. In the Command Prompt window enter these commands, press the Enter key after each line, and wait till the process finishes:
    bootrec /FixMbr
    bootrec /FixBoot
    bootrec /RebuildBcd
  6. Eject the CD/DVD.
  7. Type in exit and press the Enter key.
  8. Restart your system.

Windows XP

  1. Restart your computer from the Windows XP CD.
  2. When the Welcome to Setup screen appears, tap “R” to open the Recovery Console.
  3. Type “1” at the “Which Windows installation would you like to log onto” question and press Enter, if there is no other operating system on your hard disk.
  4. Enter your password at the “Type the Administrator password” question and press Enter.
  5. Enter fixmbr in the Command Prompt window and press Enter.
  6. When the “Are you sure you want to write a new MBR?” message appears, press “Y”, and press Enter.
  7. Eject your Windows XP CD.
  8. Type exit and press Enter.
  9. Restart your PC.

How to remove the malicious file

  1. Tap Win+E.
  2. Find the malicious executable “application folder-gepackt.exe” (wherever you saved it) and delete it.
  3. Search the %Temp% folder for copies of the malicious file. If you find any, delete them.
  4. Empty the Recycle Bin.
  5. Reboot your system.
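The manual search in steps 2 and 3 can be done with a script once Windows boots again. The PowerShell below is an added example written for this guide, not code from the original page or from any vendor: it looks for the file name quoted in step 2 under %Temp% and the usual download locations, records the size and SHA-256 hash of every copy found, and only deletes when you pass -Remove. The file name, the search roots and the opt-in deletion are assumptions of this example.

```powershell
# Added example (not part of the original guide): find leftover copies of the
# dropped executable named in the removal steps, record a hash for each one,
# and remove them only when -Remove is given.
param(
    # Assumption: the file name quoted in step 2 of the guide.
    [string]$FileName = 'application folder-gepackt.exe',
    [switch]$Remove
)

# %Temp% is the folder the guide tells you to check; Downloads and Desktop
# are the usual places a file opened from an e-mail link ends up (assumption).
$roots = @(
    $env:TEMP,
    (Join-Path $env:USERPROFILE 'Downloads'),
    (Join-Path $env:USERPROFILE 'Desktop')
) | Where-Object { $_ -and (Test-Path -LiteralPath $_) }

# Case-insensitive match on the exact file name, hidden files included.
$hits = foreach ($root in $roots) {
    Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -ieq $FileName }
}

if (-not $hits) {
    Write-Host "No file named '$FileName' found under: $($roots -join ', ')"
    return
}

foreach ($f in $hits) {
    # Keep the hash in your notes before deleting: it lets you check the sample
    # against your anti-malware vendor's detections later.
    $hash = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
    Write-Host ("{0}`n  size={1} bytes  sha256={2}" -f $f.FullName, $f.Length, $hash)
    if ($Remove) {
        Remove-Item -LiteralPath $f.FullName -Force
        Write-Host "  removed"
    }
}
```

Run it first without -Remove to see what it finds, then with -Remove to delete the copies; after that, empty the Recycle Bin and reboot as steps 4 and 5 describe.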

In non-techie terms:

Petya Ransomware is a vicious Trojan ransomware that enters your computer through spam e-mails. Although this infection seems to target mostly German companies, it might show up elsewhere as well. This malware encrypts your files and tries to extort money in return for the private key that is needed for you to decrypt your files. Without this key it is virtually impossible to decipher your files, which means that if you do not have backups or you do not pay the ransom fee, you may lose your files for good. We must also mention that even if you pay, there is no guarantee that these criminals will actually send you the private key. You also need to consider whether your files are worth the money you are about to pay for them at all. Although it will not give your files back, you should remove Petya Ransomware because you cannot actually use your computer unless it is gone. If you are not the manual type, we suggest that you use a reliable malware removal application to make sure that all the infections are eliminated without a trace.