How to restore access to the operating system after an attack by the Petya virus: recommendations from the Cyber ​​Police of Ukraine
03 Jul


The Cyber Police Department of the National Police of Ukraine has published recommendations for users on how to restore access to computers that have been hit by a cyber attack using the Petya.A encryption virus.

While studying the Petya.A ransomware, researchers identified three possible outcomes of an infection (when the virus runs with administrator rights):

1. The system is completely compromised. To recover the data a private key is required, and a window appears on the screen demanding a ransom in exchange for the key to decrypt the data.

2. The computer is infected and partially encrypted: the encryption process started, but external factors (e.g. a power outage) stopped it.

3. The computer is infected, but encryption of the MFT (Master File Table) has not yet begun.

For the first case there is, unfortunately, currently no method that is guaranteed to decrypt the data. Specialists from the Cyber Police Department, the SBU, DSSTZI, and Ukrainian and international IT companies are actively working on the problem.

In the last two cases, however, there is a chance of recovering the information on the computer: the MFT is intact or only partially damaged, so once the MBR boot sector is restored the computer will boot and work.
</gre_replace>
<gr_replace lines="21-21" cat="clarify" orig="Thus, the">
The modified “Petya” Trojan thus works in several stages:

Thus, the modified Trojan program “Petya” works in several stages:

First: obtaining privileged (administrator) rights. On many computers in a Windows (Active Directory) environment these rights are disabled. The virus saves the original boot sector of the operating system (the MBR) in encoded form, each byte XORed with 0x7, and then writes its own bootloader in place of that sector; the rest of the Trojan code is written to the first sectors of the disk. At this stage a text file about the encryption is created, but the data is not actually encrypted yet.

Why? Because everything described above is only preparation for disk encryption; the encryption itself begins only after the system is restarted.
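As an added illustration (not code from the article or from the Cyber Police), the Python helper below turns the XOR 0x7 detail above into a forensic check: it scans the first sectors of a raw disk image for a sector that becomes a plausible MBR after XOR with 0x7 and returns the decoded copy. The article does not say in which sector the backup is stored, so the scan simply walks the first sectors; the sample image, and the backup position (sector 34) used in it, are constructed here for the demonstration.

```python
SECTOR = 512
XOR_KEY = 0x07          # the XOR key reported in the article
BOOT_SIG = b"\x55\xaa"  # standard MBR boot signature at offset 510

def xor_sector(data: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with key; encoding and decoding are the same operation."""
    return bytes(b ^ key for b in data)

def looks_like_mbr(sector: bytes) -> bool:
    """Boot signature present, every partition boot flag is 0x00/0x80,
    and the partition table is not empty."""
    if len(sector) != SECTOR or sector[510:512] != BOOT_SIG:
        return False
    flags = [sector[446 + 16 * i] for i in range(4)]
    return all(f in (0x00, 0x80) for f in flags) and any(sector[446:510])

def find_encoded_mbr(image: bytes, max_sectors: int = 64):
    """Scan sectors 1..max_sectors of a raw disk image for one that becomes a
    plausible MBR after XOR 0x7. Returns (sector_no, decoded_mbr) or None."""
    for n in range(1, min(max_sectors, len(image) // SECTOR)):
        candidate = xor_sector(image[n * SECTOR:(n + 1) * SECTOR])
        if looks_like_mbr(candidate):
            return n, candidate
    return None

def build_sample_image():
    """Constructed test image (no real malware data): a dummy sector 0 standing
    in for the malicious loader, plus the original MBR stored XOR 0x7 at
    sector 34, a position assumed here purely for illustration."""
    original = bytearray(SECTOR)
    original[:8] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb"  # typical MBR code prologue
    original[446] = 0x80                                 # partition 1: bootable
    original[450] = 0x07                                 # partition type: NTFS
    original[454:458] = (2048).to_bytes(4, "little")     # LBA start
    original[458:462] = (204800).to_bytes(4, "little")   # sector count
    original[510:512] = BOOT_SIG
    original = bytes(original)
    image = bytearray(64 * SECTOR)
    image[:SECTOR] = b"\xeb" * 510 + BOOT_SIG   # stand-in for the malicious loader
    image[34 * SECTOR:35 * SECTOR] = xor_sector(original)
    return bytes(image), original

if __name__ == "__main__":
    img, orig = build_sample_image()
    hit = find_encoded_mbr(img)
    print("backup MBR found at sector", hit[0], "intact:", hit[1] == orig)
```

On a real image the decoded sector should additionally be compared against a known-good MBR from backup before anything is written back to disk.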

Second: after the reboot the second phase begins, data encryption. The virus reads its configuration sector, where a flag records that the data has not yet been encrypted and must be encrypted. The encryption process then starts, disguised as a run of the Check Disk program.

Recovery is possible in the following two cases:

1. The encryption process was started but stopped by external factors (e.g. a power outage);

2. Encryption of the MFT has not yet begun, for reasons beyond the user's control (a malfunction of the virus, antivirus software reacting to its actions, etc.).

Boot from the Windows installation disk.

If, after booting from the Windows installation disk, the hard disk partition table is visible, you can begin the MBR recovery process.

For Windows XP:

After the Windows XP installation disk has loaded into the PC's RAM, the "Install Windows XP Professional" dialog appears with a selection menu. Select the item "To restore Windows XP using the Recovery Console, press R" and press the R key.

The Recovery Console will load.

If the PC has one OS installed, on drive C by default, the following message appears:

"1: C:\WINDOWS  Which copy of Windows should I sign in to?"

Type 1 and press Enter.

A message appears: “Enter your administrator password.” Enter the password and press Enter (if there is no password, just press Enter).

The system prompt C:\WINDOWS> appears. Type fixmbr and press Enter.

A “WARNING” message then appears: “Do you confirm writing the new MBR?” Press the Y key.

A message will appear: “A new primary boot sector is being created on the physical disk \Device\Harddisk0\Partition0.”

"The new primary boot sector has been successfully created."

For Windows Vista:

Boot from the Windows Vista installation disk. Select your language and keyboard layout. On the Welcome screen, click "Repair your computer". The recovery menu will appear.

Select your operating system and click Next.

When the System Recovery Options window appears, click on Command Prompt.

When the command prompt appears, enter the command:

bootrec /FixMbr

Wait for the operation to complete. If everything is successful, a confirmation message will appear on the screen.

For Windows 7:

Boot from the Windows 7 installation disk.

Choose language.

Select your keyboard layout.

Select your operating system and click Next. When choosing the operating system, select the option "Use recovery tools that can help solve problems starting Windows."

On the System Recovery Options screen, click the Command Prompt button.

When the command prompt opens, enter the command:

bootrec /FixMbr

Press the Enter key and restart your computer.

For Windows 8:

Boot from the Windows 8 installation disk.

On the Welcome screen, click the "Repair your computer" button.

The recovery menu will appear.

Select Command Prompt.

When the command prompt loads, enter the command:

bootrec /FixMbr

Wait for the operation to complete. If everything is successful, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

For Windows 10:

Boot from the Windows 10 installation disk.

On the Welcome screen, click the "Repair your computer" button.

Select "Troubleshoot".

Select Command Prompt.

When the command prompt loads, enter the command:

bootrec /FixMbr

Wait for the operation to complete. If everything is successful, a confirmation message will appear on the screen.

Press the Enter key and restart your computer.

After the MBR recovery procedure, researchers recommend scanning the disk with antivirus programs for infected files.

Cyber police specialists note that these steps also apply if encryption was started but interrupted by the user turning off the computer's power during the initial encryption phase. In that case, after the OS loads you can use file recovery software (such as R-Studio), copy the recovered files to external media, and reinstall the system.

It is also noted that if you use backup software that writes its own boot sector (such as Acronis True Image), the virus does not touch that partition and you can return the system to its working state as of the checkpoint date.

The cyber police also reported that, apart from the registration data provided by users of the M.E.doc program, no information was transmitted.

Recall that on June 27, 2017, a large-scale cyberattack using the Petya.A encryption virus began against the IT systems of Ukrainian companies and government agencies.



 

