NotPetya ransomware virus. How to remove? (Uninstall guide)

removal by Julie Splinters - - | Type: Ransomware
12

The massive NotPetya attack cost millions of dollars for corporations

The image illustrating NotPetya virus

NotPetya is a ransomware virus that attacked thousands of computers with the help of Windows OS vulnerability. Malware caused problems not only for home computer users but corporations and infrastructure. Due to the malware attack, flights were delayed, and petrol stations ceased functioning properly. Two months after ransomware attack, companies are still counting the financial loss, and the sums of money reach to 200-300 million dollars per company.

The worldwide attack hit on the US, the UK[1], Spain, and, certainly, Ukraine[2] the hardest. However, the virus targeted Chernobyl power plant as employees had to take control of radiation levels manually.[3] So far, the virus:

  • corrupts MBR settings, individual malware samples encrypt files
  • demands 300 USD ransom
  • exploits Windows OS vulnerabilities
  • delivers wowsmith123456@posteo.net for contact purposes
  • disguises as Petya, but functions as independent malware
  • targets the US, Europe and particularly Ukraine

The threat meddles with the boot settings preventing systems from starting normally. At this stage, the threat does not seem to append any extension to the files as it does not encrypt them, but in fact, causes system failure. According to the ransom message, the threat demands $300 and indicates them to transfer to wowsmith123456@posteo.net.

Fortunately, IT expert Lawrence Abrams found an antidote to the prevent the attack of the malware.[3] Not only companies globally have been struck but individuals as well. If you happen to be one of them, make sure you remove NotPetya with the assistance of an anti-spyware tool, such as Reimage or Malwarebytes Anti Malware.

NotPetya attack might cost 200-300 million for A.P. Moller-Maersk

Danish shipping company A.P. Moller-Maersk was one of the victims of the massive ransomware attack on June 28th. Ransomware hit Maersk Line, APM Terminals and Damco that belongs to the shipping giant.

According to the company’s financial statement,[4] the attack caused a “significant business interruption” that had a negative financial impact. After the attack, computer systems were shut down in order to stop malware from spreading.

Within few days the work came back to normal. However, the company fully recovered after the ransomware infiltration only on July 9. Fortunately, A.P. Moller-Maersk did not lose any documents and hadn't suffered from the data breach.

However, NotPetya ransomware attack was an expensive lesson for the shipping company. This cyber attack proves that corporations have to pay more attention to cyber security and improve their current security systems in order to avoid financial loss.

Similarities to Petya and WannaCry viruses

The malware starts with the same remark as the notorious WannaCry threat:

Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your
files, but don’t waste your time. Nobody can recover your files without our
decryption service.
We guarantee that you can recover all your files safely and easily. All you
need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
1. Send $300 worth of Bitcoin to the following address:
lflz7153HHuxXTuR2R1t78mGSdzafithBUX
2. Send your Bitcoin wallet ID and personal installation key to e-mail
wowsmith123456@posteo.net. 
If you already purchased your key, please enter it below.

Though initially, the virtual community thought the malware is Petya as it also targeted Master Boot Record settings interfering with boot processes, now IT professionals claim that the infection disguises under the title of the previous title, actually, is a different malware.[5] At the moment, the virus bears the name of NotPetya virus.

It seems that the perpetrators have learned from WannaCry developers' mistakes. NotPetya malware also feeds on Windows vulnerabilities. 

Despite the warnings from cyber security forces, the malware has managed to wreak havoc. International facilities such as airport did not update their systems which resulted in severe outcomes.

Interestingly, the first outbreak of the threat was spotted in Ukraine. It seems that the latter country has become a “test subject” for hackers. The former virus, WannaCry manifested its power there first. Right after the attack, XData virus struck Ukraine again.

The success of the attack hides behind NSA hacking tools

The cyber criminals have benefitted from previously leaked NSA hacking tools. NotPetya hijack is likely to occur if your operating system has been outdated. Mostly, Windows 7 versions have suffered the attack.

Fortunately, an “antidote” has been found – you have to create a text file entitled as perfc in your C:Windows folder.[6] It is likely that the malware might employ other distribution methods: spam emails and exploit kits. Now let us proceed to NotPetya removal section.

Guidelines for NotPetya ransomware elimination

Despite the type of ransomware you are dealing with, its elimination should become your top priority. Thus, make a rush to remove NotPetya virus. Fortunately, the malware is detected by almost all major anti-virus tools. For the elimination, we recommend Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Since the virus corrupts boot process, you may not be able to access your cyber security software, in that case, below instructions will be in handy. In case, you have been struck with the version which encrypts files, decrypt data with an alternative program until NotPetya Decrypter is released. 

We might be affiliated with any product we recommend on the site. Full disclosure in our Agreement of Use. By Downloading any provided Anti-spyware software to remove NotPetya ransomware virus you agree to our privacy policy and agreement of use.
do it now!
Download
Reimage (remover) Happiness
Guarantee
Download
Reimage (remover) Happiness
Guarantee
Compatible with Microsoft Windows Compatible with OS X
What to do if failed?
If you failed to remove infection using Reimage, submit a question to our support team and provide as much details as possible.
Reimage is recommended to uninstall NotPetya ransomware virus. Free scanner allows you to check whether your PC is infected or not. If you need to remove malware, you have to purchase the licensed version of Reimage malware removal tool.

More information about this program can be found in Reimage review.

More information about this program can be found in Reimage review.

Manual NotPetya virus Removal Guide:

Remove NotPetya using Safe Mode with Networking

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

You will need to enter Safe Mode to get rid of NotPetya virus. It grants limited access to vital functions. Likewise, you will be able to access a cyber security tool. It should not take too long to complete NotPetya removal.

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list Select 'Safe Mode with Networking'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in Startup Settings window. Select 'Enable Safe Mode with Networking'
  • Step 2: Remove NotPetya

    Log in to your infected account and start the browser. Download Reimage or other legitimate anti-spyware program. Update it before a full system scan and remove malicious files that belong to your ransomware and complete NotPetya removal.

If your ransomware is blocking Safe Mode with Networking, try further method.

Remove NotPetya using System Restore

Reimage is a tool to detect malware.
You need to purchase Full version to remove infections.
More information about Reimage.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start Shutdown Restart OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Command Prompt from the list Select 'Safe Mode with Command Prompt'

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
    2. Now select Troubleshoot Advanced options Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window. Select 'Enable Safe Mode with Command Prompt'
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and click Enter. Enter 'cd restore' without quotes and press 'Enter'
    2. Now type rstrui.exe and press Enter again.. Enter 'rstrui.exe' without quotes and press 'Enter'
    3. When a new window shows up, click Next and select your restore point that is prior the infiltration of NotPetya. After doing that, click Next. When 'System Restore' window shows up, select 'Next' Select your restore point and click 'Next'
    4. Now click Yes to start system restore. Click 'Yes' and start system restore
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that NotPetya removal is performed successfully.

Bonus: Recover your data

Guide which is presented above is supposed to help you remove NotPetya from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by NotPetya, you can use several methods to restore them:

Data Recovery Pro method

This software might come in handy when restoring damaged or lost files. 

Decrypting files with ShadowExplorer

At the moment, the malware does not manifest the ability to delete volume shadow copies, so you are likely to succeed in restoring affected files with the assistance of this tool.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

NotPetya decryptor is not available yet.

Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from NotPetya and other ransomwares, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-MalwareWebroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware

About the author

Julie Splinters
Julie Splinters - Malware removal specialist

If this free removal guide helped you and you are satisfied with our service, please consider making a donation to keep this service alive. Even a smallest amount will be appreciated.

More information about the author

References

Removal guides in other languages