Yesterday, more than 300 000 computers were infected with a new ransomware virus named Petya.A / NotPetya. This virus secretly penetrates the computer, forces a reboot, and at boot time encrypts user files and the MFT (Master File Table) and rewrites the MBR (Master Boot Record) with a custom boot loader that shows a ransom note. When this process is complete, the following message is displayed to the user.
The full text of the Petya.A / NotPetya ransom note is:
Ooops, your important files are encrypted.
If you see this text, then your files are no longer accessible, because they have been encrypted. Perhaps you are busy looking for a way to recover your
files, but don’t waste your time. Nobody can recover your files without our
We guarantee that you can recover all your files safely and easily. All you
need to do is submit the payment and purchase the decryption key.
Please follow the instructions:
1. Send $300 worth of Bitcoin to following address:
2. Send your Bitcoin wallet ID and personal installation key to e-mail
wowsmith1234569posteo.net. Your personal installation key:
If you already purchased your key, please enter it below.
Most of the infected computers were in two countries: Ukraine and Russia. According to experts, the virus used a fake update of the M.E.Doc program as its way into the computer. After infecting one computer, the Petya.A / NotPetya virus infects all computers on the local network, using a password harvesting utility as well as two exploits for the Windows operating system: ETERNALBLUE (the Wanna Cry virus used this exploit) and ETERNALROMANCE. As a result, the scale of the attack is striking, approaching that of the infamous Wanna Cry virus.
Although the Petya.A / NotPetya virus actively uses these two exploits to infect as many computers as possible, it does not spread through the Internet; it hits computers only on the local network (where the virus first penetrated). Since the size of each local network is limited, the number of infected computers will not be as large as in the Wanna Cry attack.
How to stop Petya.A/NotPetya virus
As noted above, after the virus penetrates the computer, it forces the system to reboot. When the operating system starts to load, a fake message appears about starting a file system recovery procedure on drive C, the same as the one the CHKDSK system utility shows.
If you shut down your computer at this point, it will stop the encryption process. Next, boot your system using a recovery disk, scan for the Petya.A/NotPetya virus and remove it. Once complete, copy your files to a safe location.
How to protect computer from Petya.A/NotPetya virus
After obtaining samples of the virus, many experts began to look for a way to block its distribution and thus protect computers that were not yet infected. Such a method was found. To protect your computer from the Petya.A (NotPetya) virus, create a file named perfc and place it in the C:\Windows directory. In addition, you need to set the permissions for this file to “Read Only”. This is not difficult; the instructions below show how to quickly create a perfc file and protect the system from the Petya.A/NotPetya ransomware virus.
First, you need to configure Windows to show file extensions. To do this, open Explorer and left-click on the File menu.
Select “Change folder and search options”. It will open a window similar to the following.
Here, select the View tab and scroll through the list of options until you see the “Hide extensions for known file types” option. Uncheck the box, and then click OK. Now, in Windows Explorer, open drive C, then the Windows folder. Be careful not to delete or move files from this folder, as this may stop the computer from working.
In the list of files, look for HelpPane.exe (you can use any file), right-click on it and select Copy (you can press CTRL and C at the same time on the keyboard).
The file will be copied to the clipboard. Now, in the Explorer window, right-click and press Paste (you can just press the CTRL and V keys at the same time on the keyboard). You will be shown a warning window similar to the one below.
Click the Continue button. As a result, a new file named “HelpPane – Copy.exe” will appear in the folder. Now right-click on it and select Rename (you can simply select the file and press F2 on the keyboard).
Delete the old file name and type perfc, then press Enter. Windows will display a dialog box. Click the Yes button.
Now you only need to change the permissions for the file. Find the perfc file, right-click on it and select Properties. It will open the following window.
Put a checkmark in the “Read only” check box and press the OK button. Now your computer is protected from penetration of the Petya.A (NotPetya) ransomware virus.
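The same steps can be scripted. The following PowerShell is an added example, not part of the original instructions: the file name perfc and the C:\Windows location come from the text above, while the function name Set-PerfcMarker and its parameters are illustrative, and the file is created empty on the assumption that its content does not matter (the steps above copy an arbitrary file).

```powershell
# Added example (not from the original article): creates the read-only
# "perfc" file in the Windows directory. Run from an elevated prompt.
function Set-PerfcMarker {
    [CmdletBinding()]
    param(
        # Both defaults follow the article: a file named perfc in C:\Windows.
        [string]$Directory  = $env:windir,
        [string]$MarkerName = 'perfc'
    )

    $path = Join-Path -Path $Directory -ChildPath $MarkerName

    if (Test-Path -LiteralPath $path -PathType Container) {
        throw "'$path' is a directory; remove or rename it first."
    }

    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        # Assumption: the article copies an arbitrary file ("you can use any
        # file"), so the content is taken not to matter and the file is empty.
        New-Item -ItemType File -Path $path -ErrorAction Stop | Out-Null
    }

    # Same effect as ticking "Read only" in the Properties dialog.
    $item = Get-Item -LiteralPath $path -Force
    $item.IsReadOnly = $true
    $item.Refresh()

    [pscustomobject]@{
        Path     = $item.FullName
        ReadOnly = $item.IsReadOnly
    }
}

# Writing to C:\Windows needs administrator rights, so check before trying.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$isAdmin   = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)

if (-not $isAdmin) {
    Write-Error 'Run this script from an elevated (Administrator) PowerShell window.'
} else {
    $result = Set-PerfcMarker
    if (-not $result.ReadOnly) {
        Write-Error "Read-only attribute was not set on $($result.Path)."
    } else {
        Write-Output "Marker in place: $($result.Path) (read-only)"
    }
}
```

The script is safe to run more than once: an existing perfc file is left in place and only its read-only attribute is enforced.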
How to remove Petya.A (NotPetya) ransomware infection
Before you start the process of recovering documents, photos and music that have been encrypted, make sure the Petya.A (NotPetya) ransomware is fully removed. Thankfully, there are several malicious software removal tools that will effectively find and remove the Petya.A (NotPetya) virus and other crypto virus malicious software from your computer.
Remove Petya.A (NotPetya) virus with Zemana Anti-malware
We suggest using Zemana Anti-malware, which can completely clean your system of the ransomware infection. The utility is an advanced malware removal program developed by (c) Zemana lab. It can help you get rid of potentially unwanted programs, ransomware viruses, adware, malware, toolbars and other security threats from your machine for free.
Download Zemana antimalware from the link below.
After the download is finished, close all applications and windows on your personal computer. Open the directory in which you saved it. Double-click on the icon named Zemana.AntiMalware.Setup as shown below.
When the setup begins, you will see the “Setup wizard” that will help you install Zemana anti-malware on your personal computer.
Once installation is done, you will see a window like the one in the image below.
Now click the “Scan” button to perform a system scan for the Petya.A (NotPetya) virus. This process can take some time, so please be patient. While the tool is scanning, you can see how many objects it has identified as being infected by malware.
When it completes the scan, the results are displayed in the scan report. Review the scan results and then click “Next” button.
The Zemana Anti-malware will begin removing Petya.A (NotPetya) ransomware virus related files, folders and registry keys.
Use Malwarebytes to delete virus
You can remove the Petya.A (NotPetya) virus automatically with the help of Malwarebytes Free. We advise this free malicious software removal tool because it can easily get rid of viruses, ‘ad supported’ software, PUPs and toolbars with all their components such as files, folders and registry entries.
Download Malwarebytes on your MS Windows Desktop from the following link.
Once the download is finished, close all applications and windows on your PC system. Double-click the setup file named mb3-setup. If the “User Account Control” prompt pops up as in the image below, click the “Yes” button.
It will open the “Setup wizard” that will help you install Malwarebytes on your personal computer. Follow the prompts and do not make any changes to default settings.
Once installation is finished successfully, press the Finish button. Malwarebytes will automatically start and you can see its main screen as shown in the figure below.
Now click the “Scan Now” button. This will begin checking the whole machine to find the Petya.A (NotPetya) ransomware virus and other trojans and malicious software. This procedure may take some time, so please be patient.
When the scan ends, it will display the results. Review the report and then click the “Quarantine Selected” button. Malwarebytes will start removing the Petya.A (NotPetya) virus and other security threats. Once disinfection is finished, you may be prompted to reboot the PC.
Use KVRT to remove Petya.A (NotPetya) virus from the PC system
KVRT is a free portable program that scans your computer for ad-supported software, PUPs and ransomware viruses like Petya.A (NotPetya) and helps get rid of them easily. Moreover, it’ll also help you get rid of any dangerous browser extensions and add-ons.
Download Kaspersky virus removal tool (KVRT) by clicking on the link below and save it to your Desktop.
Once the download is complete, double-click on the Kaspersky virus removal tool icon. Once the initialization process is complete, you will see the KVRT screen as in the image below.
Click Change Parameters and check the boxes next to all your drives. Click OK to close the Parameters window. Next, press the Start scan button to perform a system scan with this utility for the Petya.A (NotPetya) ransomware virus and other known infections. This process can take quite a while, so please be patient. When a threat is found, the number of security threats will change accordingly.
When it has completed scanning, it will show a list of detected threats as displayed on the screen below.
In order to remove all items, simply press Continue to start the cleaning process.
After completing the step-by-step instructions shown above, your system should be clean from Petya.A (NotPetya) ransomware virus and other malware.