
Petya virus. How to remove? (Uninstall guide)

Removal guide by Lucia Danes. Also known as: Petya ransomware | Type: Ransomware

The dangerous Petya virus and facts you should know about it

Petya virus is a ransomware-type [1] program which takes over users’ computers and uses strong encryption to lock the files stored on them. This ransomware has kept growing ever since it hit the Internet, releasing supplementary ransomware versions, such as Mischa ransomware, and even forming an affiliate campaign called “Janus Cybercrime Solutions” [2]. The ransomware itself is extremely dangerous and may infect practically any PC, but its primary targets are the computers of German companies. This malicious program enters the victims’ computers stealthily and carries out its malicious activities without the computer owner even suspecting that the computer might be under threat. Petya ransomware encrypts files with the complex RSA-4096 and AES-256 [3] algorithms, which are also used for military purposes. Files encrypted this way are impossible to decrypt without the private key. As is typical of other ransomware programs like Locky virus, CryptoWall virus, and CryptoLocker, this private key is stored on a remote server, which can only be accessed by paying a ransom to the virus creators.

Unlike other ransomware programs, Petya immediately restarts your PC after it is launched, and when the PC boots again, a message shows up on the screen saying: “DO NOT TURN OFF YOUR PC! IF YOU ABORT THIS PROCESS, YOU COULD DESTROY ALL OF YOUR DATA! PLEASE ENSURE THAT YOUR POWER CABLE IS PLUGGED IN!”. Even though it may look like a system error, at that moment Petya virus is silently carrying out file encryption in the background. If the user tries to reboot the system, or once the file encryption has been executed, a flashing red skeleton appears on the screen along with the text “PRESS ANY KEY!”. Finally, after pressing a key, a new window with a ransom note appears. In the ransom note, the victim is typically asked to pay 0,9 BitCoin, which equals around $400. However, this is only the price per one computer; therefore, for companies with numerous computers, the sum may add up to thousands. What is also different about this ransomware is that it gives the victims a whole week to pay the ransom, instead of the usual 12-72 hours spared by other viruses of this category.

What is more, problems with Petya do not end there. Once this virus is in the system, it will try to overwrite the Windows boot files, or the so-called master boot record (MBR) [4], required to load your operating system. You will not be able to remove Petya virus from your computer unless you restore your MBR settings. Even if you manage to fix these settings and delete the virus from your system, unfortunately, your files will remain locked, because virus removal does not decrypt the encrypted documents but merely deletes the infectious files. Of course, virus removal is still essential if you want to continue using your computer. We advise using sophisticated and reputable antivirus tools like Reimage to take care of the Petya removal.
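The boot-record overwrite described above is something a defender can detect by keeping a baseline of the machine's first sector. The following added example (not code from the original page or from any product it recommends) builds a constructed 512-byte MBR, records a SHA-256 baseline of its bootstrap code and reports when that code or the 0x55AA signature has changed; the sample sector and its bootloader bytes are constructed placeholders.

```python
import hashlib
import struct

# Classic MBR layout: 446 bytes of bootstrap code, four 16-byte partition
# entries, then the 2-byte 0x55AA boot signature (512 bytes in total).
MBR_SIZE = 512
BOOTCODE_LEN = 446
PART_ENTRY_LEN = 16
BOOT_SIG = b"\x55\xaa"


def build_sample_mbr(bootcode: bytes) -> bytes:
    """Construct a sample MBR (not a real disk image) with the given
    bootstrap bytes, one active NTFS partition entry and the signature."""
    code = bootcode.ljust(BOOTCODE_LEN, b"\x00")[:BOOTCODE_LEN]
    # Entry 0: bootable (0x80), CHS start, type 0x07 (NTFS), CHS end,
    # LBA start 2048, 1,000,000 sectors; entries 1-3 are left empty.
    entry = struct.pack("<B3sB3sII", 0x80, b"\x01\x01\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 1_000_000)
    return code + entry + b"\x00" * (PART_ENTRY_LEN * 3) + BOOT_SIG


def bootcode_digest(mbr: bytes) -> str:
    """SHA-256 of the bootstrap region, recorded on a clean system as the baseline."""
    return hashlib.sha256(mbr[:BOOTCODE_LEN]).hexdigest()


def check_mbr(mbr: bytes, baseline_digest: str) -> list:
    """Compare a freshly read sector 0 with the baseline; an empty list means clean."""
    findings = []
    if len(mbr) != MBR_SIZE:
        return [f"unexpected sector length {len(mbr)}"]
    if mbr[-2:] != BOOT_SIG:
        findings.append("boot signature 0x55AA missing")
    if bootcode_digest(mbr) != baseline_digest:
        findings.append("bootstrap code differs from baseline")
    for i in range(4):  # a boot flag other than 0x00/0x80 means a corrupt table
        flag = mbr[BOOTCODE_LEN + i * PART_ENTRY_LEN]
        if flag not in (0x00, 0x80):
            findings.append(f"partition entry {i} has invalid boot flag {flag:#x}")
    return findings


if __name__ == "__main__":
    # Constructed sample: a clean sector, then the same layout with its
    # bootstrap code replaced, as a boot-record-overwriting infection would do.
    clean = build_sample_mbr(b"\xeb\x3c\x90CLEAN-BOOTLOADER")
    baseline = bootcode_digest(clean)
    tampered = build_sample_mbr(b"\xfa\x31\xc0REPLACED-BOOTLOADER")
    print("clean:", check_mbr(clean, baseline))        # []
    print("tampered:", check_mbr(tampered, baseline))  # ['bootstrap code differs from baseline']
```

On a real machine the baseline would be taken from the raw first sector of the system disk while it is known to be clean and stored off-host.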

How can this malware infect your PC and can you prevent the intrusion?

Petya virus is usually distributed through spam emails which contain a Dropbox download link to a file called “application folder-gepackt.exe”. The virus activates when the mentioned file is downloaded and opened. As you now know how this virus spreads, you might already have an idea how to protect your computer from this virus attack. Of course, you need to be careful about opening emails which are received from suspicious and unknown sources, or which feature supposedly relevant information that does not relate to your expected correspondence [5]. You should also avoid emails in the “spam” folder, since the majority of email providers automatically filter emails and place suspicious contents in this particular folder. Nevertheless, you should not trust this built-in filter entirely, because potentially hazardous emails may slip into your regular inbox as well. Also, make sure you equip your system with reputable antivirus software and keep it up to date. Finally, it is always recommended to keep a system backup stored on some external drive, in case of emergency.
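To illustrate the infection vector just described, here is an added mail-filter example (not from the original page or any product it recommends): it flags file-sharing links in a message body that point at an executable or force a direct download. The host list, the list of suspicious file extensions and the sample message with its EXAMPLEID share paths are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlparse

# Hosts and file types treated as a red flag when they appear together in a
# mail body. The host list is an assumption for illustration; extend it to the
# file-sharing services your organisation actually sees.
FILE_SHARE_HOSTS = {"dropbox.com", "www.dropbox.com", "dl.dropboxusercontent.com"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".js", ".vbs", ".bat", ".cmd")
URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)

# Constructed sample message: one share link to the file name mentioned on the
# page, one share link to a document, and one ordinary website link.
SAMPLE_MAIL = """Dear Sir or Madam,
please find my documents here:
https://www.dropbox.com/s/EXAMPLEID/application%20folder-gepackt.exe?dl=1
My CV as a PDF: https://www.dropbox.com/s/EXAMPLEID2/cv.pdf?dl=0
Our website: https://www.example.com/careers
"""


def suspicious_links(body: str) -> list:
    """Return every file-sharing link in the body that points at an executable
    or forces a direct download; an empty list means nothing was flagged."""
    hits = []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host not in FILE_SHARE_HOSTS:
            continue
        reasons = []
        if parsed.path.lower().endswith(EXECUTABLE_SUFFIXES):
            reasons.append("link target is an executable")
        # Dropbox share links with dl=1 download the file instead of previewing it.
        if parse_qs(parsed.query).get("dl") == ["1"]:
            reasons.append("direct download forced (dl=1)")
        if reasons:
            hits.append({"url": url, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in suspicious_links(SAMPLE_MAIL):
        print(hit["url"], "->", ", ".join(hit["reasons"]))
```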

UPDATE: Security experts have just announced a Petya ransomware decryption key, which can help you decrypt your files with a special algorithm. To get a chance to use this algorithm, you need to visit this website. However, the decryption of your files shouldn’t be your only headache. You should also make sure that you remove Petya ransomware from your computer before it starts a second encryption of your files. For that you can use Reimage or Malwarebytes Anti Malware. If you run into any trouble while performing Petya removal, check the detailed removal guide on the second page of this post.

UPDATE 2: Petya ransomware creators are not stepping back from improving and distributing their malicious software. In the latest version of the virus, which emerged earlier this month, the hackers finally managed to apply the Salsa20 encryption algorithm, eliminating the previous vulnerabilities of the virus. Otherwise, the virus functions similarly to its previous version, spreading in the form of a corrupted PDF file. Although it is still unclear what techniques the virus developers apply for the distribution of this new variant of the infection, it can be presumed that spam emails and fake software updates will be the main focus.

UPDATE 3: Developers of Petya and Mischa ransomware are trying out new techniques to increase the distribution rate of these fraudulent programs by setting up an affiliate campaign in which they invite regular Internet users to take part and earn some money. Depending on the volume of the ransom payments, the users can earn up to 85% of the revenue share for spreading the virus around the Internet. Of course, the criminals also require a registration fee to sift out the “timewasters and kiddies”. If you even consider becoming an affiliate of such a nasty company, keep in mind that its creators hold nothing sacred and can easily take advantage of you as well, so be very careful.

Petya removal and system recovery after the attack:

As we already mentioned, uninstalling Petya ransomware from your computer is essential for the safety of your future files. Also, restoring data from external drives can only be carried out when the virus and all its related parts are fully eliminated from the PC. Otherwise, Petya may infiltrate and lock the files on these external drives as well.

You cannot remove Petya from your computer through the simple uninstall procedure, because such an option is not available for this malicious program. This means that you will have to delete the virus automatically. Automatic Petya removal should be carried out using trusted antivirus software, which will detect and delete this virus from your computer. However, if you are encountering trouble removing this virus automatically, or it blocks your antivirus from running, you can always check our detailed virus removal instructions provided at the end of this article.

Alternate software (each tested for its efficiency in removing Petya virus on 2016-07-28):

  • Plumbytes Anti-Malware
  • Malwarebytes Anti Malware
  • Hitman Pro
  • Webroot SecureAnywhere AntiVirus

Manual Petya virus Removal Guide:

Remove Petya using Safe Mode with Networking


Petya is a complex cyber infection, so don’t expect it to give up your computer easily. Be prepared to decontaminate your system and follow these instructions:

  • Step 1: Reboot your computer to Safe Mode with Networking

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Networking from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Networking in the Startup Settings window.
  • Step 2: Remove Petya

    Log in to your infected account and start the browser. Download Reimage or another legitimate anti-spyware program. Update it before running a full system scan, then remove the malicious files that belong to the ransomware to complete Petya removal.

If the ransomware is blocking Safe Mode with Networking, try the next method.

Remove Petya using System Restore


One of the nastiest features of most ransomware is that it tries to prevent its removal from the infected devices. Petya might be one of them. Nevertheless, you should not lose your cool if this happens to you. Just follow the guidelines below and then scan your computer with a reliable antivirus.

  • Step 1: Reboot your computer to Safe Mode with Command Prompt

    Windows 7 / Vista / XP
    1. Click Start > Shutdown > Restart > OK.
    2. When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
    3. Select Safe Mode with Command Prompt from the list.

    Windows 10 / Windows 8
    1. Press the Power button at the Windows login screen. Now press and hold Shift on your keyboard and click Restart.
    2. Now select Troubleshoot > Advanced options > Startup Settings and finally press Restart.
    3. Once your computer becomes active, select Enable Safe Mode with Command Prompt in the Startup Settings window.
  • Step 2: Restore your system files and settings
    1. Once the Command Prompt window shows up, enter cd restore and press Enter.
    2. Now type rstrui.exe and press Enter again.
    3. When a new window shows up, click Next and select a restore point that is prior to the infiltration of Petya. After doing that, click Next.
    4. Now click Yes to start System Restore.
    Once you restore your system to a previous date, download and scan your computer with Reimage and make sure that Petya removal is performed successfully.

Bonus: Recover your data

The guide presented above is supposed to help you remove Petya from your computer. To recover your encrypted files, we recommend using the detailed guide prepared by 2-spyware.com security experts.

If your files are encrypted by Petya, you can use several methods to restore them:

What is the use of Data Recovery Pro?

Data Recovery Pro is probably the quickest solution to data decryption. It does not require any extra preparation or skill and is relatively effective when it comes to the file recovery process. Here is how to use it:

Rescue your important files with Windows Previous Versions feature

Windows Previous Versions is one of the data recovery options Windows operating system offers as an in-built feature. Keep in mind that this recovery technique only works when the System Restore function is enabled. Do not hesitate to give it a try:

  • Find an encrypted file you need to restore and right-click on it;
  • Select “Properties” and go to “Previous versions” tab;
  • Here, check each of the available copies of the file in “Folder versions”. Select the version you want to recover and click “Restore”.

ShadowExplorer to help decrypt files encrypted by Petya

Unfortunately, Petya ransomware deletes Volume Shadow Copies of the files it encrypts so it is impossible to use ShadowExplorer for their recovery.

  • Download Shadow Explorer (http://shadowexplorer.com/);
  • Follow a Shadow Explorer Setup Wizard and install this application on your computer;
  • Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
  • Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.

Finally, you should always think about protection against crypto-ransomware. In order to protect your computer from Petya and other ransomware, use a reputable anti-spyware, such as Reimage, Plumbytes Anti-Malware, Webroot SecureAnywhere AntiVirus or Malwarebytes Anti Malware.

Lucia Danes - Virus researcher


  • MontyPytonFan4Ever

    I cannot imagine losing my files! Programs like these are the worst…

  • Ulysses

    It does not only target companies’ PCs!!! My friend got his files locked not that long ago. I’m afraid he might have sent this virus to me by mail or something…