How to recover data after an attack by the Petya virus (step-by-step instructions). The SBU told how to cure a computer from the Petya virus

The Petya.A virus attack covered dozens of countries in a few days and reached epidemic proportions in Ukraine, where the reporting and document management program M.E.Doc was involved in the spread of the malware. Later, experts said that the attackers’ goal was to completely destroy the data, but, according to the Ukrainian cyber police, if the system is only partially infected, there is a chance to restore the files.

How Petya works

If the virus gains administrator rights, researchers identify three main scenarios for its impact:

  • The computer is infected and encrypted, the system is completely compromised. To recover data, a private key is required, and a message is displayed on the screen demanding payment of a ransom (although this is).
  • The computer is infected and partially encrypted - the system began to encrypt files, but the user stopped this process by turning off the power or other means.
  • The computer is infected, but the MFT table encryption process has not yet begun.

In the first case, there is no effective way to decrypt the data yet. Specialists from the cyber police and IT companies are now searching for one, as is the creator of the original Petya virus (which allowed the system to be restored using a key). If the main MFT file table is only partially affected or not affected at all, there is still a chance to gain access to the files.

The cyber police named two main stages of the modified Petya virus:

First: obtaining privileged administrator rights (these are disabled when Active Directory is used). The virus saves the original boot sector of the operating system (MBR) in encrypted form, using a bitwise XOR operation (xor 0x7), and then writes its own bootloader in its place. The rest of the Trojan code is written to the first sectors of the disk. At this point a text file about encryption is created, but the data is not yet encrypted.

The second phase, data encryption, begins after the system is rebooted. Petya now reads its own configuration sector, which contains a flag indicating that the data is not yet encrypted. After this, the encryption process begins, and the screen shows what looks like the Check Disk program running. If you see this screen, turn off the power and try the data recovery method proposed below.

What do they offer?

First you need to boot from the Windows installation disk. If a table with hard disk (or SSD) partitions is visible, you can begin the procedure for restoring the MBR boot sector. Then you should check the disk for infected files. Today Petya is recognized by all popular antiviruses.

If the encryption process was started, but the user managed to interrupt it, after loading the operating system, you must use software to recover encrypted files (R-Studio and others). The data will need to be saved to external media and the system reinstalled.

How to restore bootloader

For Windows XP OS:

After booting from the Windows XP installation disk, the “Install Windows XP Professional” dialog box will appear with a selection menu, where you need to choose “to restore Windows XP using the Recovery Console, press R.” Press the "R" key.

The Recovery Console will load.

If the PC has one OS installed and it is (by default) installed on the C drive, the following message will appear:

"1:C:\WINDOWS Which copy of Windows should I sign in to?"

Enter the number “1”, press the “Enter” key.

A message will appear: “Enter your administrator password.” Enter your password, press "Enter" (if there is no password, just press "Enter").

The prompt C:\WINDOWS> should appear; enter fixmbr

The message “WARNING” will then appear.

“Are you confirming the entry of the new MBR?”, press the “Y” key.

A message will appear: “A new primary boot sector is being created on the physical disk \Device\Harddisk0\Partition0.”

"The new primary boot partition was created successfully."

For Windows Vista:

Boot from the Windows Vista installation disk. Select your language and keyboard layout. On the Welcome screen, click "Repair your computer." Windows Vista will display the recovery menu.

Select your operating system and click Next. When the System Recovery Options window appears, click on Command Prompt. When the command prompt appears, enter this command:

bootrec /FixMbr

Wait for the operation to complete. If everything went well, a confirmation message will appear on the screen.

For Windows 7:

Boot from the Windows 7 installation disk. Select your language and keyboard layout, and click Next.

Select your operating system and click Next. When choosing an operating system, you should check "Use recovery tools that can help solve problems starting Windows."

On the System Recovery Options screen, click the Command Prompt button. When the command prompt boots successfully, enter the command:

bootrec /fixmbr

Press the Enter key and restart your computer.

For Windows 8:

Boot from the Windows 8 installation media. On the Welcome screen, click the Repair your PC button.

Select Troubleshoot. Select Command Prompt, and when it loads, enter:

bootrec /FixMbr

Wait for the operation to complete. If everything went well, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

For Windows 10:

Boot from the Windows 10 installation media. On the Welcome screen, click the “Repair your PC” button, then select “Troubleshoot”.

Select Command Prompt. When the command prompt loads, enter the command:

bootrec /FixMbr

Wait for the operation to complete. If everything went well, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

A week has already passed since Petya landed in Ukraine. In total, more than fifty countries around the world were affected by this encryption virus, but 75% of the massive cyber attack hit Ukraine. Government and financial institutions across the country were affected; Ukrenergo and Kyivenergo were among the first to report that their systems had been hacked. To penetrate and lock systems, the Petya.A virus used the accounting program M.E.Doc. This software is very popular among various institutions in Ukraine, which proved fatal. As a result, some companies took a long time to restore their systems after the Petya virus. Some managed to resume work only yesterday, 6 days after the ransomware attack.

The purpose of the Petya virus

The goal of most ransomware viruses is extortion. They encrypt information on the victim's PC and demand money from the victim for a key that will restore access to the encrypted data. But scammers do not always keep their word. Some ransomware is simply not designed to be decrypted, and the Petya virus is one of them.

This sad news was reported by specialists from Kaspersky Lab. In order to recover data after a ransomware virus, you need a unique virus installation identifier. But in the situation with a new virus, it does not generate an identifier at all, that is, the creators of the malware did not even consider the option of restoring a PC after the Petya virus.

But at the same time, the victims received a message in which they named the address where to transfer $300 in bitcoins in order to restore the system. In such cases, experts do not recommend assisting hackers, but nevertheless, the creators of Petya managed to earn more than $10,000 in 2 days after a massive cyber attack. But experts are confident that extortion was not their main goal, since this mechanism was poorly thought out, unlike other mechanisms of the virus. From this it can be assumed that the goal of the Petya virus was to destabilize the work of global enterprises. It's also entirely possible that the hackers were simply in a hurry and didn't think through the money-getting part well.

Restoring a PC after the Petya virus

Unfortunately, once Petya has completely infected a computer, the data on it cannot be restored. Nevertheless, there is a way to unlock a computer after the Petya virus if the ransomware did not have time to completely encrypt the data. It was published on the official website of the Cyber Police on July 2.

There are three options for infection with the Petya virus

— all information on the PC is completely encrypted, a window with extortion of money is displayed on the screen;
— PC data is partially encrypted. The encryption process was interrupted by external factors (including a power failure);
— The PC is infected, but the process of encrypting MFT tables has not been started.

In the first case, everything is bad: the system cannot be restored. At least for now.
In the last two options, the situation is fixable.
To recover data that has been partially encrypted, it is recommended to boot from the Windows installation disk:

If the hard drive was not damaged by the encryption virus, the booted installation environment will see the partitions and you can begin MBR recovery:

For each version of Windows, this process has its own nuances.

Windows XP

After booting from the installation disk, the “Windows XP Professional Setup” window appears on the screen, where you need to select “to restore Windows XP using the recovery console, press R.” After pressing R, the recovery console will begin to load.

If the devices have one operating system installed and it is located on drive C, a notification will appear:
"1: C:\WINDOWS which copy of Windows should I use to log in?" Accordingly, you need to press the “1” and “Enter” key.
Then the following message will appear: “Enter the administrator password.” Enter your password and press “Enter” (if you don’t have a password, press “Enter”).
A system prompt should appear: C:\WINDOWS>, enter fixmbr.

Then a “WARNING” will appear.
To confirm the new MBR entry, press “y”.
Then the notification “A new master boot record is being created on the physical disk\Device\Harddisk0\Partition0.” will appear.
And: “The new master boot record was successfully created.”

Windows Vista:

Here the situation is simpler. Boot from the installation disk, select the language and keyboard layout. Then “Repair your computer” will appear on the screen. A menu will appear in which you must select “Next”. A window with the System Recovery Options will appear, where you need to click on Command Prompt and enter bootrec /FixMbr.
After this, wait for the process to complete; if everything went well, a confirmation message will appear. Press “Enter” and the computer will reboot. That is all.

Windows 7:

The recovery process is similar to Vista. After selecting your language and keyboard layout, select your OS, then click “Next.” In the new window, select “Use recovery tools that can help solve problems starting Windows.”
All other actions are similar to Vista.

Windows 8 and 10:

Boot from the installation media; in the window that appears, select Repair your computer > Troubleshoot, then open the Command Prompt and enter bootrec /FixMbr. Once the process is complete, press “Enter” and reboot your device.

After the MBR recovery process has completed successfully (regardless of the Windows version), you need to scan the disk with an antivirus.
If the encryption process had been started by the virus, you can use file recovery software such as R-Studio. After copying the recovered files to removable media, reinstall the system.
If you use backup software that writes its own recovery loader to the boot sector, for example Acronis True Image, then you can be sure that “Petya” did not affect this sector. This means that you can return the system to working condition without reinstallation.


A few months ago, we and other IT security specialists discovered a new piece of malware: Petya (Win32.Trojan-Ransom.Petya.A). In the classical sense it was not an encryptor; the virus simply blocked access to certain types of files and demanded a ransom. The virus modified the boot record on the hard drive, forcibly rebooted the PC and showed a message stating that “the data is encrypted; pay to decrypt it.” In general, the standard scheme of encryption viruses, except that the files were NOT actually encrypted. Most popular antiviruses began identifying and removing Win32.Trojan-Ransom.Petya.A a few weeks after its appearance. In addition, instructions for manual removal appeared. Why do we think that Petya is not a classic ransomware? This virus makes changes to the Master Boot Record and prevents the OS from loading, and also encrypts the Master File Table. It does not encrypt the files themselves.

However, a more sophisticated virus, Mischa, appeared a few weeks ago, apparently written by the same scammers. This virus ENCRYPTS files and demands $500 to $875 for decryption (1.5 to 1.8 bitcoins, depending on the version). Instructions for “decryption” and payment for it are stored in the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

Mischa virus - contents of YOUR_FILES_ARE_ENCRYPTED.HTML file

Now, in fact, hackers infect users’ computers with two malwares: Petya and Mischa. The first one needs administrator rights on the system. That is, if a user refuses to give Petya admin rights or manually deletes this malware, Mischa gets involved. This virus does not require administrator rights, it is a classic encryptor and actually encrypts files using the strong AES algorithm and without making any changes to the Master Boot Record and the file table on the victim’s hard drive.

The Mischa malware encrypts not only standard file types (videos, pictures, presentations, documents), but also .exe files. The virus does not affect only the \Windows, \$Recycle.Bin, \Microsoft, \Mozilla Firefox, \Opera, \Internet Explorer, \Temp, \Local, \LocalLow and \Chrome directories.

Infection occurs mainly through e-mail: a letter arrives with an attached file, which is the virus installer. It can be disguised as a letter from the Tax Service or from your accountant, as attached invoices and purchase receipts, etc. Pay attention to the file extensions of attachments in such letters: if it is an executable file (.exe), there is a high probability that it is a container for the Petya\Mischa virus. And if the malware modification is recent, your antivirus may not react.

Update 06/30/2017: June 27, a modified version of the Petya virus (Petya.A) massively attacked users in Ukraine. The effect of this attack was enormous and the economic damage has not yet been calculated. In one day, the work of dozens of banks, retail chains, government agencies and enterprises of various forms of ownership was paralyzed. The virus spread mainly through a vulnerability in the Ukrainian accounting reporting system MeDoc with the latest automatic update of this software. In addition, the virus has affected countries such as Russia, Spain, Great Britain, France, and Lithuania.

Remove Petya and Mischa virus using an automatic cleaner

An extremely effective method of working with malware in general and ransomware in particular. The use of a proven protective complex guarantees thorough detection of any viral components and their complete removal with one click. Please note that we are talking about two different processes: uninstalling an infection and restoring files on your PC. However, the threat certainly needs to be removed, since there is information about the introduction of other computer Trojans using it.

  1. After starting the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during scanning. To remove all detected threats, select the option Fix Threats(Eliminate threats). The malware in question will be completely removed.

Restore access to encrypted files

As noted, the Mischa ransomware locks files using a strong encryption algorithm so that encrypted data cannot be restored with a wave of a magic wand - short of paying an unheard-of ransom amount (sometimes reaching up to $1,000). But some methods can really be a lifesaver that will help you recover important data. Below you can familiarize yourself with them.

Automatic file recovery program (decryptor)

An unusual circumstance is known. This infection erases the original files in their unencrypted form; the encryption for extortion purposes thus targets copies of them. This makes it possible for software that recovers erased objects to help, even though the malware tries to remove the originals reliably. It is highly recommended to resort to the file recovery procedure; its effectiveness is beyond doubt.

Shadow copies of volumes

The approach is based on the Windows file backup process, which is repeated at each restore point. An important condition for this method to work: the “System Restore” function must be activated before the infection. However, any changes to the file made after the restore point will not appear in the restored version of the file.

Backup

This is the best among all non-ransom methods. If the procedure for backing up data to an external server was used before the ransomware attack on your computer, to restore encrypted files you simply need to enter the appropriate interface, select the necessary files and launch the data recovery mechanism from the backup. Before performing the operation, you must make sure that the ransomware is completely removed.

Check for possible presence of residual components of the Petya and Mischa ransomware

Manual cleaning risks missing individual pieces of ransomware that could escape removal as hidden operating system objects or registry items. To eliminate the risk of partial retention of individual malicious elements, scan your computer using a reliable security software package that specializes in malicious software.

The Cyber Police Department of the National Police of Ukraine has published recommendations for restoring access to computers that were damaged as a result.

During a detailed study of the malware, researchers identified three main scenarios for its impact (when run as an administrator):

The system is completely compromised. Data recovery requires a private key, and a window appears on the screen upon startup asking you to pay a ransom to obtain the decryption key.

The computers are infected, partially encrypted, the system started the encryption process, but external factors (power outage, etc.) stopped the encryption process.

The computers are infected, but the process of encrypting the MFT table has not yet begun.

Restoring access is possible only in the last two cases, while, unfortunately, there is no effective way to restore completely compromised systems. Specialists from the Cyber Police Department, the Security Service of Ukraine, the State Special Communications Service of Ukraine, and domestic and international IT companies are now actively searching for one.

Researchers have identified two main stages in the operation of the modified Petya Trojan program:

First: obtaining privileged rights (administrator rights). On many computers in Windows architecture (Active Directory), these rights are disabled. The virus saves the original boot sector for the operating system (MBR) in an encrypted form of a bitwise XOR operation (xor 0x7), and then replaces the above sector with a modified bootloader, the rest of the Trojan code is written to the first sectors of the disk. This step creates a text file about encryption, but the data is not actually encrypted yet.

Second: after the reboot, the second phase of the virus’s operation begins - data encryption; it now turns to its configuration sector, which contains a note that the data is not yet encrypted and needs to be encrypted. After this, the encryption process begins, which looks like the Check Disk program.

If, when booting from the Windows installation disk, a table with hard disk partitions is visible, then you can begin the procedure for restoring the MBR boot sector. It is carried out as follows:

For Windows XP OS:

After booting from the Windows XP installation disk, the "Install Windows XP Professional" dialog box will appear, containing a selection menu; select the item "to restore Windows XP using the recovery console, press R." Press "R".

The Recovery Console will load.

If the PC has one OS installed and it is (by default) installed on the C drive, the following message will appear:

"1:C:\WINDOWS Which copy of Windows should I sign in to?"

Type "1" and press the "Enter" key.

A message will appear: “Enter your administrator password.” Enter your password, press "Enter" (if there is no password, just press "Enter").

The prompt C:\WINDOWS> should appear; enter fixmbr

The message “WARNING” will then appear.

“Are you confirming to write the new MBR?”, Press the “Y” key.

A message will appear: “A new primary boot sector is being created on the physical disk \Device\Harddisk0\Partition0.”

"The new primary boot sector has been successfully created."

For Windows Vista:

Boot from the Windows Vista installation disk. Select your language and keyboard layout. On the Welcome screen, click "Repair your computer." Windows Vista will display the recovery menu.

Select your operating system and click Next.

When the System Recovery Options window appears, click on Command Prompt.

When the command prompt appears, enter this command:

bootrec /FixMbr

For Windows 7

Boot from the Windows 7 installation disk.

Choose language.

Select your keyboard layout.

Select your operating system and click Next. When choosing an operating system, you should check "Use recovery tools that can help solve problems starting Windows."

On the System Recovery Options screen, click the Command Prompt button.

When the command prompt boots successfully, enter the command:

bootrec /fixmbr

Wait for the operation to complete. If everything is successful, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

For Windows 8

Boot from the Windows 8 installation media.

On the Welcome screen, click the Repair your computer button.

Select Troubleshoot.

Select Command Prompt.

When the command prompt loads, enter the following command:

bootrec /FixMbr

Wait for the operation to complete. If everything is successful, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

For Windows 10

Boot from the Windows 10 installation media.

On the Welcome screen, click the "Repair your computer" button.

Select "Troubleshoot".

Select Command Prompt.

When the command prompt loads, enter the command:

bootrec /FixMbr

Wait for the operation to complete. If everything is successful, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

After the MBR recovery procedure, researchers recommend checking the disk with antivirus programs for infected files. It is also noted that other than the registration data provided by M.E.doc users, no other information was transmitted.

(Petya.A), and gave a number of tips.

According to the SBU, infection of operating systems mainly occurred through the opening of malicious attachments (Word documents, PDF files), which were sent to the email addresses of many commercial and government agencies.

“The attack, the main goal of which was to distribute the Petya.A file encryptor, used the MS17-010 network vulnerability, as a result of which a set of scripts were installed on the infected machine, which the attackers used to launch the mentioned file encryptor,” the SBU said.

The virus attacks computers running Windows OS by encrypting the user's files, after which it displays a message about the encrypted files with an offer to pay for the decryption key in bitcoins, the equivalent of $300, to unlock the data.

“Unfortunately, encrypted data cannot be decrypted. Work continues on the possibility of decrypting encrypted data,” the SBU said.

What to do to protect yourself from the virus

1. If the computer is turned on and working normally, but you suspect that it may be infected, do not reboot it under any circumstances (if the PC has already been damaged, do not reboot it either): the virus is triggered upon reboot and encrypts all files contained on the computer.

2. Save all the most valuable files to a separate drive that is not connected to the computer, and ideally, make a backup copy along with the OS.

3. To identify the file encryptor, you must complete all local tasks and check for the presence of the following file: C:/Windows/perfc.dat

4. Depending on the Windows OS version, install the patch.

5. Ensure that all computer systems have anti-virus software installed that functions properly and uses up-to-date virus signature databases. If necessary, install and update the antivirus.

6. To reduce the risk of infection, you should carefully treat all electronic correspondence and do not download or open attachments in letters sent from unknown people. If you receive a letter from a known address that is suspicious, contact the sender and confirm that the letter was sent.

7. Make backup copies of all critical data.

Bring the specified information to employees of structural divisions, and do not allow employees to work with computers that do not have the specified patches installed, regardless of whether they are connected to a local network or the Internet.

It is possible to try to restore access to a Windows computer blocked by a specified virus.

Because the malware modifies the MBR record, instead of loading the operating system the user is shown a window with text about file encryption. This problem can be solved by restoring the MBR record. There are special utilities for this; the SBU used the Boot-Repair utility (instructions at the link).

b). Run it and make sure that all the boxes in the “Artifacts to collect” window are checked.

c). In the “Eset Log Collection Mode” tab, set the Disk Source Binary Code.

d). Click on the Collect button.

e). Send an archive of logs.

If the affected PC is turned on and has not yet been turned off, proceed to step 3 to collect information that will help write a decoder, and to point 4 for treating the system.

From an already affected PC (one that won’t boot), you need to collect the MBR for further analysis.

You can assemble it according to the following instructions:

a). Download ESET SysRescue Live CD or USB (creation is described in step 3)

b). Agree to the license to use

c). Press CTRL + ALT + T (terminal will open)

d). Type the command “parted -l” without quotes (the parameter is a lowercase “L”) and press Enter.

e). Look at the list of drives and identify the disk of the affected PC (it should be one of /dev/sda).

f). Type the command “dd if=/dev/sda of=/home/eset/petya.img bs=4096 count=256” without quotes, replacing “/dev/sda” with the disk you identified in the previous step, and press Enter (the file /home/eset/petya.img will be created).

g). Connect the USB flash drive and copy the file /home/eset/petya.img

h). You can turn off your computer.
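The page states that the modified Petya keeps the original MBR XORed with 0x07 somewhere in the first sectors of the disk, and the dd command above captures exactly those sectors. The following Python script is an added example (not from the page, the Cyber Police or ESET): it scans such an image for sectors that XOR-decode to a structurally plausible MBR and lists the partition table of each candidate. The page does not say which sector holds the backup, so every sector is tried; sector 34 and the partition layout in the sample image are constructed for the demonstration only.

```python
import struct
import sys

SECTOR = 512
XOR_KEY = 0x07  # key the page reports for the saved copy of the original MBR


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def looks_like_mbr(sector: bytes) -> bool:
    """0x55AA signature plus a plausible partition table (status 0x00/0x80,
    empty slots all zero, at least one real entry with a non-zero size)."""
    if len(sector) != SECTOR or sector[510:512] != b"\x55\xaa":
        return False
    used = 0
    for i in range(4):
        entry = sector[446 + i * 16:446 + (i + 1) * 16]
        if entry[0] not in (0x00, 0x80):
            return False
        if entry[4] == 0:  # empty slot must be all zero
            if any(entry):
                return False
            continue
        if struct.unpack("<I", entry[12:16])[0] == 0:
            return False
        used += 1
    return used >= 1


def find_xored_mbr(image: bytes, key: int = XOR_KEY):
    """Return [(sector_index, decoded_mbr)] for every sector that XOR-decodes
    to a plausible MBR. Sector 0 is skipped: after infection it holds the
    malicious bootloader. An analyst must still verify a candidate before use."""
    hits = []
    for idx in range(1, len(image) // SECTOR):
        decoded = xor_bytes(image[idx * SECTOR:(idx + 1) * SECTOR], key)
        if looks_like_mbr(decoded):
            hits.append((idx, decoded))
    return hits


def partition_summary(mbr: bytes):
    """Decode the non-empty partition entries of a recovered MBR."""
    out = []
    for i in range(4):
        e = mbr[446 + i * 16:446 + (i + 1) * 16]
        if e[4] == 0:
            continue
        start, count = struct.unpack("<II", e[8:16])
        out.append({"slot": i, "bootable": e[0] == 0x80, "type": e[4],
                    "lba_start": start, "sectors": count})
    return out


def build_sample_mbr() -> bytes:
    """Constructed healthy MBR: dummy boot code, one bootable NTFS partition."""
    code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * 441  # 446 bytes of boot code
    entry = bytes([0x80, 0x20, 0x21, 0x00, 0x07, 0xfe, 0xff, 0xff])
    entry += struct.pack("<II", 2048, 1_000_000)  # LBA start, sector count
    return code + entry + b"\x00" * 48 + b"\x55\xaa"


def build_sample_image(original: bytes, backup_sector: int = 34) -> bytes:
    """Constructed 64-sector image: fake sector 0 plus the XOR-encoded original
    at backup_sector (34 is an assumption for this sample, not from the page)."""
    image = bytearray(64 * SECTOR)
    image[0:SECTOR] = b"\xeb\xfe" + b"\xcc" * 508 + b"\x55\xaa"
    off = backup_sector * SECTOR
    image[off:off + SECTOR] = xor_bytes(original)
    return bytes(image)


if __name__ == "__main__":  # argument: a raw image such as the dd capture above
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 \
        else build_sample_image(build_sample_mbr())
    for idx, mbr in find_xored_mbr(data):
        print(f"candidate original MBR at sector {idx}: {partition_summary(mbr)}")
```

A decoded candidate whose partition table matches the layout seen in parted -l is the one to hand to the analyst; the script only reports, it never writes to the disk.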
