Petya ransomware is aimed mostly at businesses in Germany targeting human resource departments. It comes disguised as an employment application portfolio sent as an email containing a Dropbox link. Infection itself occures by clicking the link. Then the ransomware starts the first stage of encryption and overrides the beginning of the disk and the MBR. Eventually the computer crashes into the blue screen.
It’s adviced not to reboot because if you do the second stage of encryption is gonna start. And if you let the second stage of encryption to begin it shows a CHECKDISK process while the Master File Table is being encrypted. Unfortunately, after that there’s no way to decrypt your HDD at this point. The only solution would be to use an external backup if you have one and to fully format your system.
In case you didn’t reboot there is a solution with a free decoder made by hasherezade. So keep watching.
Download Kali ISO 64 bit on another computer and record it on a DVD.
Then boot the infected PC from the recorded DVD and go to forensic mode.
Now find the identicator of your hard drive by typing FDISK -l, you should see something like that. For example SDA is the identificator
of this HDD.
Download the decoder and make it executable by typing CHOMD +X DECODER and then run it with ./DECODER /DEV/SDA .
Then you will receive a decrypting key.
Now copy the key and bear in mind that the decoder might now work with new versions of Petya ransomware. So make a full disk dumo by mounting an external drive and then type “dd if= of=”
Then you can reboot your system from your disk and when Petya screen appears put the previously received key from the decoder and the decryption process should start.
Stay tuned for more videos from us by clicking subscribe.