NotPetya virus Removal Guide
What is NotPetya ransomware virus?
The massive NotPetya attack cost millions of dollars for corporations
NotPetya is a ransomware virus that attacked thousands of computers with the help of Windows OS vulnerability. Malware caused problems not only for home computer users but corporations and infrastructure. Due to the malware attack, flights were delayed, and petrol stations ceased functioning properly. Two months after ransomware attack, companies are still counting the financial loss, and the sums of money reach to 200-300 million dollars per company.
The worldwide attack hit on the US, the UK, Spain, and, certainly, Ukraine the hardest. However, the virus targeted Chernobyl power plant as employees had to take control of radiation levels manually. So far, the virus:
- corrupts MBR settings, individual malware samples encrypt files
- demands 300 USD ransom
- exploits Windows OS vulnerabilities
- delivers firstname.lastname@example.org for contact purposes
- disguises as Petya, but functions as independent malware
- targets the US, Europe and particularly Ukraine
The threat meddles with the boot settings preventing systems from starting normally. At this stage, the threat does not seem to append any extension to the files as it does not encrypt them, but in fact, causes system failure. According to the ransom message, the threat demands $300 and indicates them to transfer to email@example.com.
Fortunately, IT expert Lawrence Abrams found an antidote to the prevent the attack of the malware. Not only companies globally have been struck but individuals as well. If you happen to be one of them, make sure you remove NotPetya with the assistance of an anti-spyware tool, such as ReimageIntego or Malwarebytes.
NotPetya attack might cost 200-300 million for A.P. Moller-Maersk
Danish shipping company A.P. Moller-Maersk was one of the victims of the massive ransomware attack on June 28th. Ransomware hit Maersk Line, APM Terminals and Damco that belongs to the shipping giant.
According to the company’s financial statement, the attack caused a “significant business interruption” that had a negative financial impact. After the attack, computer systems were shut down in order to stop malware from spreading.
Within few days the work came back to normal. However, the company fully recovered after the ransomware infiltration only on July 9. Fortunately, A.P. Moller-Maersk did not lose any documents and hadn't suffered from the data breach.
However, NotPetya ransomware attack was an expensive lesson for the shipping company. This cyber attack proves that corporations have to pay more attention to cyber security and improve their current security systems in order to avoid financial loss.
Anti-virus tools detect NotPetya virus as Petya.
Similarities to Petya and WannaCry viruses
The malware starts with the same remark as the notorious WannaCry threat:
Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your
files, but don’t waste your time. Nobody can recover your files without our
We guarantee that you can recover all your files safely and easily. All you
need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
1. Send $300 worth of Bitcoin to the following address:
2. Send your Bitcoin wallet ID and personal installation key to e-mail
If you already purchased your key, please enter it below.
Though initially, the virtual community thought the malware is Petya as it also targeted Master Boot Record settings interfering with boot processes, now IT professionals claim that the infection disguises under the title of the previous title, actually, is a different malware. At the moment, the virus bears the name of NotPetya virus.
It seems that the perpetrators have learned from WannaCry developers' mistakes. NotPetya malware also feeds on Windows vulnerabilities.
Despite the warnings from cyber security forces, the malware has managed to wreak havoc. International facilities such as airport did not update their systems which resulted in severe outcomes.
Interestingly, the first outbreak of the threat was spotted in Ukraine. It seems that the latter country has become a “test subject” for hackers. The former virus, WannaCry manifested its power there first. Right after the attack, XData virus struck Ukraine again.
The success of the attack hides behind NSA hacking tools
The cyber criminals have benefitted from previously leaked NSA hacking tools. NotPetya hijack is likely to occur if your operating system has been outdated. Mostly, Windows 7 versions have suffered the attack.
Fortunately, an “antidote” has been found – you have to create a text file entitled as perfc in your C:Windows folder. It is likely that the malware might employ other distribution methods: spam emails and exploit kits. Now let us proceed to NotPetya removal section.
Guidelines for NotPetya ransomware elimination
Despite the type of ransomware you are dealing with, its elimination should become your top priority. Thus, make a rush to remove NotPetya virus. Fortunately, the malware is detected by almost all major anti-virus tools. For the elimination, we recommend ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes.
Since the virus corrupts boot process, you may not be able to access your cyber security software, in that case, below instructions will be in handy. In case, you have been struck with the version which encrypts files, decrypt data with an alternative program until NotPetya Decrypter is released.
Getting rid of NotPetya virus. Follow these steps
Manual removal using Safe Mode
You will need to enter Safe Mode to get rid of NotPetya virus. It grants limited access to vital functions. Likewise, you will be able to access a cyber security tool. It should not take too long to complete NotPetya removal.
Manual removal guide might be too complicated for regular computer users. It requires advanced IT knowledge to be performed correctly (if vital system files are removed or damaged, it might result in full Windows compromise), and it also might take hours to complete. Therefore, we highly advise using the automatic method provided above instead.
Step 1. Access Safe Mode with Networking
Manual malware removal should be best performed in the Safe Mode environment.
Windows 7 / Vista / XP
- Click Start > Shutdown > Restart > OK.
- When your computer becomes active, start pressing F8 button (if that does not work, try F2, F12, Del, etc. – it all depends on your motherboard model) multiple times until you see the Advanced Boot Options window.
- Select Safe Mode with Networking from the list.
Windows 10 / Windows 8
- Right-click on Start button and select Settings.
- Scroll down to pick Update & Security.
- On the left side of the window, pick Recovery.
- Now scroll down to find Advanced Startup section.
- Click Restart now.
- Select Troubleshoot.
- Go to Advanced options.
- Select Startup Settings.
- Press Restart.
- Now press 5 or click 5) Enable Safe Mode with Networking.
Step 2. Shut down suspicious processes
Windows Task Manager is a useful tool that shows all the processes running in the background. If malware is running a process, you need to shut it down:
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Click on More details.
- Scroll down to Background processes section, and look for anything suspicious.
- Right-click and select Open file location.
- Go back to the process, right-click and pick End Task.
- Delete the contents of the malicious folder.
Step 3. Check program Startup
- Press Ctrl + Shift + Esc on your keyboard to open Windows Task Manager.
- Go to Startup tab.
- Right-click on the suspicious program and pick Disable.
Step 4. Delete virus files
Malware-related files can be found in various places within your computer. Here are instructions that could help you find them:
- Type in Disk Cleanup in Windows search and press Enter.
- Select the drive you want to clean (C: is your main drive by default and is likely to be the one that has malicious files in).
- Scroll through the Files to delete list and select the following:
Temporary Internet Files
- Pick Clean up system files.
- You can also look for other malicious files hidden in the following folders (type these entries in Windows Search and press Enter):
After you are finished, reboot the PC in normal mode.
Remove NotPetya using System Restore
Step 1: Reboot your computer to Safe Mode with Command Prompt
Windows 7 / Vista / XP
- Click Start → Shutdown → Restart → OK.
- When your computer becomes active, start pressing F8 multiple times until you see the Advanced Boot Options window.
- Select Command Prompt from the list
Windows 10 / Windows 8
- Press the Power button at the Windows login screen. Now press and hold Shift, which is on your keyboard, and click Restart..
- Now select Troubleshoot → Advanced options → Startup Settings and finally press Restart.
- Once your computer becomes active, select Enable Safe Mode with Command Prompt in Startup Settings window.
Step 2: Restore your system files and settings
- Once the Command Prompt window shows up, enter cd restore and click Enter.
- Now type rstrui.exe and press Enter again..
- When a new window shows up, click Next and select your restore point that is prior the infiltration of NotPetya. After doing that, click Next.
- Now click Yes to start system restore.
Bonus: Recover your dataGuide which is presented above is supposed to help you remove NotPetya from your computer. To recover your encrypted files, we recommend using a detailed guide prepared by 2-spyware.com security experts.
If your files are encrypted by NotPetya, you can use several methods to restore them:
Data Recovery Pro method
This software might come in handy when restoring damaged or lost files.
- Download Data Recovery Pro;
- Follow the steps of Data Recovery Setup and install the program on your computer;
- Launch it and scan your computer for files encrypted by NotPetya ransomware;
- Restore them.
Decrypting files with ShadowExplorer
At the moment, the malware does not manifest the ability to delete volume shadow copies, so you are likely to succeed in restoring affected files with the assistance of this tool.
- Download Shadow Explorer (http://shadowexplorer.com/);
- Follow a Shadow Explorer Setup Wizard and install this application on your computer;
- Launch the program and go through the drop down menu on the top left corner to select the disk of your encrypted data. Check what folders are there;
- Right-click on the folder you want to restore and select “Export”. You can also select where you want it to be stored.
NotPetya decryptor is not available yet.
Finally, you should always think about the protection of crypto-ransomwares. In order to protect your computer from NotPetya and other ransomwares, use a reputable anti-spyware, such as ReimageIntego, SpyHunter 5Combo Cleaner or Malwarebytes
How to prevent from getting NotPetya ransomware virus
Access your website securely from any location
When you work on the domain, site, blog, or different project that requires constant management, content creation, or coding, you may need to connect to the server and content management service more often. The best solution for creating a tighter network could be a dedicated/fixed IP address.
If you make your IP address static and set to your device, you can connect to the CMS from any location and do not create any additional issues for the server or network manager that needs to monitor connections and activities. VPN software providers like Private Internet Access can help you with such settings and offer the option to control the online reputation and manage projects easily from any part of the world.
Recover files after data-affecting malware attacks
While much of the data can be accidentally deleted due to various reasons, malware is one of the main culprits that can cause loss of pictures, documents, videos, and other important files. More serious malware infections lead to significant data loss when your documents, system files, and images get encrypted. In particular, ransomware is is a type of malware that focuses on such functions, so your files become useless without an ability to access them.
Even though there is little to no possibility to recover after file-locking threats, some applications have features for data recovery in the system. In some cases, Data Recovery Pro can also help to recover at least some portion of your data after data-locking virus infection or general cyber infection.