Notice about the Petya encryption virus. Petya virus: everything you need to know about this virus. Restoring the bootloader on Windows XP

Information about the Petya virus.

    What is a virus?
  1. On March 27, 2017, a virus appeared under the name Petya. Rosneft and Home Credit Bank were attacked. Once it runs, the threat overwrites the master boot record (MBR) using Ransom:DOS/Petya.A and encrypts sectors of the system disk. It proceeds as follows: the PC is rebooted and displays a fake system message claiming there is a disk error and showing a fake integrity check. After that the next message appears, demanding that you buy the key to unlock the system.
  2. The virus encrypts files on all disks, except for the Windows folder on drive C:. Files with the following extensions are encrypted:
  3. Not long ago there was the WannaCry attack, which is in many ways similar to the Petya virus discussed in this article. To begin with, they are similar in that both are crypto-viruses, that is, viruses that encrypt the user's files and demand a ransom for decryption. Kaspersky Lab, however, decided that this is not the same virus as the earlier Petya and called it ExPetr, although the virus has a lot in common with earlier modifications. You can find more details on the site, although they do note that some lines of the code are similar.
  4. Protection, and where can you get infected?
  5. You can receive this malware by email as a file named Petya.apx, or after installing an update of the accounting program M.E.Doc. Below is a description from the Microsoft blog about the tax accounting program M.E.Doc. If a machine on your home or office network is infected, the malware spreads further using the same vulnerability as the WannaCry virus, via the SMB protocol. The exploit targets a vulnerability in the Windows implementation of the SMB protocol. Microsoft, as described in the article on protection against WannaCry, strongly recommends installing the update on all Windows systems and has published an update for products that have long been unsupported, such as Windows XP. You should protect yourself against Petya in the same way as against WannaCry. For more details about protection and installing the update, read the article. In addition to antivirus and anti-spyware software, you can install free protection from Kaspersky. The anti-spyware tool is being updated too, and it now protects not only against PUPs but also against ransomware; its site says of ransomware: "Do not let criminals encrypt your files for ransom." I think the best option is to install MBAM alongside your antivirus. Another option is Microsoft's own protection, which is already in the system: Windows Defender on Windows 8.1 and Windows 10, and Microsoft Security Essentials for Windows 7 and Windows Vista. You can also download a tool yourself for a one-time scan of your computer for all types of threats. The Microsoft website has a new description of where the virus came from and how it gets into a system; the more accurate description is, admittedly, in English. It says that the initial infection arose from the update process of the Ukrainian company M.E.Doc, which develops the tax accounting software MEDoc.
  6. A translation via Google Translate: This vector was discussed in detail in the news and by security researchers, including the Ukrainian cyberpolice, but there was only circumstantial evidence for it. Microsoft now has proof that a handful of active infections arose from the legitimate MEDoc update process.
  7. File decryption?
  8. Users are asked to send, to the email address given, a screenshot proving that the money has been transferred, in order to receive the decryption key. Even if you decide to pay for the code to decrypt your files, you will not be able to write to that address to say that you have paid. The email address that victims were supposed to write to after transferring the ransom was blocked by the German provider on whose servers the mailbox was hosted. So you can transfer the money, but the key cannot be sent to you. In other words, officially obtaining the key from the extortionists is not possible. The extortionists' wallet is known at the given moment January 1st, 2017; the data is updated every 15 seconds. To keep the virus from running on the victim's computer, you need to create an empty file C:\Windows\perfc. There is still no decryption tool for older versions of the virus on GitHub.

A number of Russian and Ukrainian companies have been attacked by the Petya encryption virus. The online publication consulted experts from Kaspersky Lab and the interactive agency AGIMA and found out how to protect corporate computers from the virus and how Petya resembles the no less well-known WannaCry encryption virus.

Virus "Petya"

The victims included the Russian companies Rosneft and Bashneft, as well as Mars, Nivea and the Alpen Gold chocolate maker Mondelez International. The ransomware also hit the radiation monitoring system of the Chornobyl nuclear power plant. In addition, the attack hit computers in Ukraine, Privatbank and telecom operators. The virus locks computers and demands a ransom of 300 dollars in bitcoin.

On Twitter, the press service of Rosneft reported a hacker attack on the company's servers: “A hacker attack has been launched on the company’s server.”

According to the company's press secretary, Mikhail Leontiev, Rosneft and its subsidiaries are operating normally. After the attack, the company switched to a backup system for managing production processes, so oil production and preparation were not stopped. The Home Credit bank system was also attacked.

"Petya" does not infect without "Misha"

According to AGIMA deputy director Evgen Lobanov, the attack was in fact carried out by two encryption viruses: Petya and Misha.

"They work in tandem. Petya does not infect without Misha. It can infect, but yesterday's attack involved two viruses: first Petya, then Misha. Petya rewrites the boot device (where the computer boots from), and Misha encrypts the files using a certain algorithm," the specialist explained. "Petya encrypts the boot sector of the disk (MBR) and replaces it with its own, and Misha then encrypts all the files on the disk (not always)."

He said that the WannaCry encryption virus, which attacked large global companies in May, is not similar to Petya; this is a new version.

"Petya.A is from the WannaCry (or rather WannaCrypt) family, but the main difference, the reason it is not the same virus, is that it replaces the MBR with its own boot sector; this is a novelty for ransomware. The Petya virus appeared a long time ago, and on GitHub (an online service for IT projects and collaborative programming - site) there was a decryptor for this encryptor (https://github.com/leo-stone/hack-petya); however, no decryptor works for the new modification."

Evgen Lobanov added that the attack hit Ukraine harder than Russia.

"We are better protected against attacks than Western countries. We will be protected from this version of the virus, but not from its modifications. Our Internet is not safe; in Ukraine it is even less so. Operators (Vodafone, Kyivstar) and medical companies, the same Pharmmag, Shell gas stations: all of them very large transcontinental companies," he said in a conversation with the site.

The executive director of AGIMA said that so far there are no facts that would point to the geographical origin of the outbreak. In his opinion, the virus supposedly appeared in Russia. Unfortunately, there is no direct proof of that.

"There is an assumption that these are our hackers, since the first modification appeared in Russia, and the virus itself, which is no secret to anyone, was named in honor of Petro Poroshenko. It is clear that, while being in Russia, it is easy to get a computer with a geolocation in the USA, for example," the expert explained.

"If a computer has suddenly become infected, you must not turn it off. If you reboot, you will never log into the system again"

"If a computer has suddenly become infected, you must not turn it off, because the Petya virus replaces the MBR, the first boot sector, from which the operating system is loaded. Even if a 'pill' appears, it will be impossible to get the data back. Next, you need to disconnect from the Internet so that the computer does not go onto the network. An official patch from Microsoft has now been released; it gives a 98 percent security guarantee, not 100 percent. It still bypasses a certain modification of the virus (three of them)," Lobanov recommended. "However, if you did reboot and saw the 'disk check' process start, at that moment you need to turn off the computer, and the files will remain unencrypted."

In addition, the expert also explained why the attacks most often hit Microsoft users, and not MacOSX (Apple's operating system - site) and Unix systems.

"Here it is better to speak not only about MacOSX but about all Unix systems (the principle is the same). The virus spreads only on computers, not on mobile devices. The update is available even for older versions of Windows that are no longer updated: XP, Windows 8 and Windows Server 2003," the expert said.

"MacOSX and Unix have not been globally exposed to such viruses, because many large corporations use Microsoft infrastructure. MacOSX is not affected, since it is not so widespread in government structures. There are fewer viruses for it, and it is not profitable to make them, because the attack segment will be smaller than if you attack Microsoft," the specialist concluded.

"The number of attacked users reached two thousand"

The press service of Kaspersky Lab, whose experts continue to investigate the latest wave of infections, said that "this encryptor does not belong to the already known Petya ransomware family, although it shares a few lines of code with it."

The Lab is confident that in this case we are dealing with a new family of malicious software whose functionality differs substantially from Petya. Kaspersky Lab has named the new encryptor ExPetr.

"According to Kaspersky Lab, the number of attacked users reached two thousand. Most incidents were recorded in Russia and Ukraine; cases of infection were also observed in Poland, Great Britain, Germany, France and the USA. This malware used several attack vectors. It has been established that a modified EternalBlue exploit and the EternalRomance exploit were used for propagation in corporate networks," the press service said.

The experts are also examining the possibility of creating a decryption tool with which the data could be decrypted. The Lab also gave recommendations for all organizations on avoiding attacks by the virus in the future.

"We recommend that organizations install updates for Windows. For Windows XP and Windows 7, they should install the MS17-010 security update and also make sure that they have an effective data backup system. [...] they were encrypted by malicious software," the experts of Kaspersky Lab advised.

For its corporate clients, the Lab also recommends making sure that all protection mechanisms are activated, that system monitoring is turned on and that the connection to the Kaspersky Security Network cloud infrastructure is enabled. As an additional measure, it recommends using the "Program Activity Control" component to deny all application groups access to (and execution of) the file named "perfc.dat", etc.

"If you do not use Kaspersky Lab products, we recommend blocking execution of the file named perfc.dat, and also blocking the launch of the PSExec utility from the Sysinternals package using the AppLocker feature that is part of the Windows OS (operating system - site)," the Lab recommended.

On May 12, 2017, many faced an encryptor of data on computer hard disks. It locks devices and demands payment of a ransom.
The virus hit organizations and agencies in dozens of countries around the world, including Russia: mobile operators and several large banks.

The spread of the virus was stopped by accident and only temporarily: if the hackers change just a few lines of code, the malware will start working again. The damage from the program is estimated at a billion dollars. After a forensic linguistic analysis, experts determined that WannaCry was created by natives of China or Singapore.

The attack of the Petya.A virus reached dozens of countries within a few days and grew to the scale of an epidemic in Ukraine, where it spread via M.E.Doc. In the experts' opinion, the attackers' aim was the destruction of data, but, as the cyberpolice of Ukraine report, with partial infection of the system there is a chance to recover the files.

How Petya works

If the virus obtains administrator rights, the investigators see three main scenarios for its action:

  • The computer is infected and encrypted; the system is completely compromised. Recovering the data requires a private key, and the screen shows a message demanding payment of the ransom (if you want).
  • The computer is infected and partially encrypted: the system began to encrypt files, but the process was stopped by turning off the power or in some other way.
  • The computer is infected, but the process of encrypting the MFT table has not yet begun.

For the first scenario, there is still no way to decrypt the data. Cyberpolice specialists and IT companies are currently working on this, as is the creator of the original Petya virus (which allowed the system to be restored with the help of a key). If the master file table (MFT) is only partially damaged or not affected at all, there is still a chance to gain access to the files.

The cyberpolice named two main stages in the operation of the modified Petya virus:

First: obtaining administrator privileges (when Active Directory is used, they are disabled). The virus first saves the operating system's original boot sector (MBR) in a form encrypted with a bitwise XOR operation (xor 0x7), and then writes its own loader in its place. The rest of the Trojan's code is written to the first sectors of the disk. At this stage a text file about the encryption is created, but the data is not yet encrypted.

The second phase, data encryption, begins after the system reboots. Petya then consults its configuration sector, which contains a flag saying that the data is not yet encrypted. After that the encryption process starts; on the screen it looks like the Check Disk program at work. If it has already started, you should turn off the power and try the proposed method of recovering the data.
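The XOR step in the first stage above is what makes MBR recovery possible: the following added example (not from the original article or the cyberpolice report) scans the first sectors of a disk image for a sector that becomes a valid MBR once XORed with 0x07. The article does not say where the saved copy is stored, so the sector index, function names and sample image here are constructed for illustration.

```python
"""Find an original MBR that was saved XOR-encoded (key 0x07) in a disk image."""
import struct
from typing import Optional, Tuple

SECTOR_SIZE = 512
XOR_KEY = 0x07                    # value quoted in the description above
BOOT_SIGNATURE = b"\x55\xaa"      # last two bytes of every valid MBR
PARTITION_TABLE_OFFSET = 446      # four 16-byte entries follow the boot code
SAMPLE_SAVED_INDEX = 5            # constructed; the article gives no sector number


def xor_sector(sector: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; applying it twice returns the input."""
    return bytes(b ^ key for b in sector)


def looks_like_mbr(sector: bytes) -> bool:
    """Structural check: boot signature plus a sane partition table."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return False
    used = 0
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + 16 * i
        entry = sector[start:start + 16]
        status, ptype = entry[0], entry[4]
        lba_start = int.from_bytes(entry[8:12], "little")
        sector_count = int.from_bytes(entry[12:16], "little")
        if status not in (0x00, 0x80):
            return False
        if ptype == 0x00:
            if any(entry):          # an unused slot must be all zero
                return False
            continue
        if lba_start == 0 or sector_count == 0:
            return False
        used += 1
    return used >= 1


def find_saved_mbr(image: bytes, max_sectors: int = 64) -> Optional[Tuple[int, bytes]]:
    """Return (sector index, decoded MBR) for the first XOR-encoded MBR found.

    Sector 0 is skipped: on an infected disk it holds the replacement loader.
    """
    total = min(max_sectors, len(image) // SECTOR_SIZE)
    for index in range(1, total):
        raw = image[index * SECTOR_SIZE:(index + 1) * SECTOR_SIZE]
        if looks_like_mbr(raw):     # plain copy, not the XOR-encoded one
            continue
        decoded = xor_sector(raw)
        if looks_like_mbr(decoded):
            return index, decoded
    return None


def build_sample_image() -> Tuple[bytes, bytes]:
    """Constructed test image: fake loader in sector 0, encoded MBR in sector 5."""
    boot_code = (b"\x33\xc0\x8e\xd0" + bytes(446))[:446]       # placeholder bytes
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07,
                        b"\xfe\xff\xff", 2048, 204800)         # one NTFS partition
    original = boot_code + entry + bytes(48) + BOOT_SIGNATURE
    fake_loader = bytes(510) + BOOT_SIGNATURE                  # stands in for the malware loader
    sectors = [fake_loader] + [bytes(SECTOR_SIZE)] * 63
    sectors[SAMPLE_SAVED_INDEX] = xor_sector(original)
    return b"".join(sectors), original


if __name__ == "__main__":
    image, original = build_sample_image()
    hit = find_saved_mbr(image)
    if hit is None:
        print("no XOR-encoded MBR found")
    else:
        print(f"saved MBR found in sector {hit[0]}, matches original: {hit[1] == original}")
```

Run it against a read-only image of the affected disk rather than the live device, and compare the decoded partition table with what is known about the disk before writing anything back.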

What is proposed

To begin with, boot from a Windows installation disk. If a table with the hard drive (or SSD) partitions is visible, you can proceed to restoring the MBR boot sector. Then check the disk for infected files. Today all popular antiviruses recognize Petya.

If the encryption process was started but the user managed to interrupt it, then once the operating system has booted you need to use software for recovering encrypted files (R-Studio and others). You will need to save the data to external media and reinstall the system.

How to restore the bootloader

For Windows XP OS:

After the Windows XP installation disk has been loaded into the PC's RAM, the "Windows XP Professional Setup" dialog appears with a menu in which you need to select the item "To repair Windows XP using the Recovery Console, press R". Press the "R" key.

The Recovery Console loads.

If one OS is installed on the PC, and it is installed (by default) on drive C, the following message appears:

"1: C:\WINDOWS Which Windows installation would you like to log onto?"

Enter the number "1", press the "Enter" key.

A prompt will appear: "Enter administrator password". Enter the password and press the "Enter" key (if there is no password, just press "Enter").

At the system prompt C:\WINDOWS>, enter fixmbr

A message then appears: "WARNING."

"Are you sure you want to write a new MBR?" Press the "Y" key.

A message appears: "A new master boot sector is being created on physical disk \Device\Harddisk0\Partition0."

For Windows Vista:

Boot from the Windows Vista disk. Select the language and keyboard layout. On the welcome screen, click "Repair your computer". Windows Vista opens the computer recovery menu.

Select the operating system and click "Next". When the "System Recovery Options" window appears, click Command Prompt. When the command prompt appears, enter this command:

bootrec /FixMbr

Wait for the operation to complete. If everything went well, a confirmation message will appear on the screen.

For Windows 7:

Boot from the Windows 7 disk. Select the language and keyboard layout and click "Next".

Select the operating system and click "Next". When choosing the operating system, select the option "Use recovery tools that can help fix problems starting Windows".

On the "System Recovery Options" screen, click "Command Prompt". When the command prompt has loaded, enter the command:

bootrec /fixmbr

For Windows 8:

Boot from the Windows 8 disk. On the welcome screen, click "Repair your computer".

Select "Troubleshoot". Choose Command Prompt; when it has loaded, enter:

bootrec /FixMbr

Press the "Enter" key and restart the computer.

For Windows 10:

Boot from the Windows 10 disk. On the welcome screen, click "Repair your computer" and select "Troubleshoot".

Select Command Prompt. When the command prompt has loaded, enter the command:

bootrec /FixMbr

Wait until the operation is completed. If everything went well, a confirmation message will appear on the screen.

Press the "Enter" key and restart the computer.

The Petya virus is a fast-spreading virus that brought down almost all large enterprises in Ukraine on March 27, 2017. The Petya virus encrypts your files and then demands a ransom for them.

The new virus infects the computer's hard drive and works as a file-encrypting virus. After a certain time, the Petya virus "eats" the files on your computer and they become encrypted.
Files that have been affected by the Petya encryption virus can no longer be restored.
There is NO algorithm that restores files affected by the Petya virus.
With the help of this short and MAXIMALLY useful article you can protect yourself from #virusPetya

How to DETECT the Petya or WannaCry Virus and NOT Get Infected

When you download a file from the Internet, check it with an online antivirus. Online antiviruses can detect a virus in the file in advance and prevent infection by the Petya virus. All you have to do is check the downloaded file with VirusTotal and only then run it. Even if you have downloaded the PETYA VIRUS, as long as you have NOT run the virus file, the virus is NOT active and does no harm to the computer. Only by launching the malicious file do you launch the virus; remember that.

USING EVEN JUST THIS METHOD GIVES YOU EVERY CHANCE OF NOT GETTING INFECTED WITH THE PETYA VIRUS
The Petya virus looks like this:

How to Protect Yourself from the Petya Virus

Symantec proposed a solution that lets you protect yourself from the Petya virus by pretending that it is already installed on your machine.
When the Petya virus gets onto a computer, it creates a file perfc or perfc.dll in the folder c:\windows\
To make the virus think that it is already installed and not continue its activity, create a file perfc with empty content in the folder c:\windows\ and save it with the "Read-only" attribute set.
Alternatively, download virus-petya-perfc.zip, extract perfc into the folder c:\windows\ and set the "Read-only" attribute.
Download virus-petya-perfc.zip



UPDATED 06/29/2017
I also recommend placing both files directly in the Windows folder. Many sources write that the file perfc or perfc.dll must be in the folder c:\windows\

What to Do If the Computer Is Already Infected with the Petya Virus

Do not turn on a computer that has already been infected with the Petya virus. The Petya virus works in such a way that, while the infected computer is switched on, it encrypts files. So, as long as you keep a computer infected by Petya switched on, more and more files are infected and encrypted.
The hard drive of this computer should be checked. You can check it with a LIVECD or LIVEUSB that includes an antivirus:
Flash drive with Kaspersky Rescue Disk 10
Flash drive with Dr.Web LiveDisk

Who Spread the Petya Virus Across All of Ukraine

Microsoft has stated its view on the global infection of networks in large Ukrainian companies. The cause was an update to M.E.Doc. M.E.Doc is a popular accounting program, which is why the company's blunder was so serious: a virus got into an update and installed the Petya virus on thousands of PCs on which M.E.Doc was installed. And since the virus attacks computers on the same network, it spread at lightning speed.

A few months ago, we and other IT security specialists discovered a new piece of malware, Petya (Win32.Trojan-Ransom.Petya.A). In the classical sense it was not an encryptor: the virus simply blocked access to certain types of files and demanded a ransom. The virus modified the boot record on the hard disk, forcibly rebooted the PC and showed a message saying that "the data is encrypted - pay your money for decryption". This is the standard scheme of encrypting viruses, except that the files were NOT actually encrypted. Most popular antiviruses began to identify and remove Win32.Trojan-Ransom.Petya.A within a few days of its appearance. In addition, instructions for manual removal appeared. Why do we consider that Petya is not a classic encryptor? This virus makes changes to the Master Boot Record and prevents the operating system from booting, and it also encrypts the Master File Table. It does not encrypt the files themselves.

However, a little later another virus, Mischa, appeared, apparently written by the same scammers. This virus encrypts files and demands that you pay 500 - 875 $ for decryption (in different versions 1.5 - 1.8 bitcoins). Instructions for "decryption" and payment for it are saved in the files YOUR_FILES_ARE_ENCRYPTED.HTML and YOUR_FILES_ARE_ENCRYPTED.TXT.

Mischa virus - in file YOUR_FILES_ARE_ENCRYPTED.HTML

At present, hackers in fact infect users' computers with two pieces of malware: Petya and Mischa. The first one needs administrator rights on the system. So if the user refuses to grant Petya administrative rights, or has removed this malware manually, Mischa comes into play. This virus does not require administrator rights; it is a classic encryptor and really does encrypt files using the strong AES algorithm, without making any changes to the Master Boot Record or the file table on the victim's hard drive.

The Mischa malware encrypts not only standard file types (videos, pictures, presentations, documents), but also .exe files. The only directories the virus does not touch are \Windows, \$Recycle.Bin, \Microsoft, \Mozilla Firefox, \Opera, \Internet Explorer, \Temp, \Local, \LocalLow and \Chrome.

Infection occurs mainly via e-mail, where a message arrives with an attached file, the virus installer. It can be disguised as a message from the tax office or from your accountant, as attached receipts and purchase checks, etc. Pay attention to the file extensions in such messages: if it is an executable file (.exe), it may be a container with the Petya\Mischa virus. And if the modification of the malware is fresh, your antivirus may not react.

Update 06/30/2017: On June 27, a modified variant of the Petya virus (Petya.A) massively attacked users in Ukraine. The effect of this attack was colossal, and the economic damage has not yet been calculated. In one day, the work of dozens of banks, retail chains, state institutions and enterprises of various forms of ownership was paralyzed. The virus spread mainly through a vulnerability in the Ukrainian accounting reporting system MeDoc, with the latest automatic update of this software. In addition, the virus hit countries such as Russia, Spain, Great Britain, France and Lithuania.

Removing the Petya and Mischa viruses with an automatic cleaner

An exceptionally effective method of dealing with malicious software in general and ransomware in particular. Using a proven security suite guarantees thorough detection of any viral components and their complete removal with one mouse click. Please note that these are two different processes: removing the infection and restoring the files on your PC. Nevertheless, the threat certainly needs to be removed, since there is information about other computer Trojans being introduced with its help.

  1. After launching the software, click the Start Computer Scan button.
  2. The installed software will provide a report on the threats detected during the scan. To remove all threats found, select the Fix Threats option. The malware in question will be completely removed.

Restore access to encrypted files

As noted, the Mischa ransomware locks files using a strong encryption algorithm, so the encrypted data cannot be restored with a wave of a magic wand, unless you count paying an unheard-of sum (sometimes up to $1000). But some methods really can be a lifesaver that helps recover important data. You can get acquainted with them below.

Automatic file recovery program (decryptor)

A rather unusual circumstance is known. This infection erases the original files in unencrypted form. The encryption process for the purpose of extortion thus targets copies of them. This gives such software a chance to restore the erased objects, even if the reliability of their removal is guaranteed. It is strongly recommended to resort to the file recovery procedure, since its effectiveness is beyond doubt.

Shadow copies of volumes

The approach is based on the Windows file backup procedure, which is repeated at every restore point. An important condition for this method to work: the "System Restore" function must have been activated before the moment of infection. Any changes made to a file after the restore point will not appear in the restored version of the file.

Backup

This is the best of all the methods that do not involve a ransom. If a procedure for backing up data to an external server was in use before the ransomware attacked your computer, then to restore the encrypted files you just need to go to the appropriate interface, select the necessary files and start the mechanism for restoring data from the backup. Before performing the operation, you must make sure that the ransomware has been completely removed.

Check for possible residual components of the Petya and Mischa ransomware

Manual cleaning risks missing individual fragments of the ransomware, which can avoid removal in the form of hidden operating system objects or registry entries. To eliminate the risk of individual malicious elements being partially retained, scan your computer with a reliable security software suite that specializes in malicious software.

A few days ago an article appeared on our resource about how to protect yourself against the virus and its variants. In this guide we consider the worst-case option: your PC is infected. Naturally, after cleaning it, every user tries to recover their data and personal information. In this article I will talk about the most convenient and most effective ways to recover data. It is worth bearing in mind that this is far from always possible, so we cannot give any guarantee.

Let's look at three main scenarios by which events can develop:
1. The computer is infected with the Petya.A virus (or its variants) and encrypted; the system is completely locked. To restore the data, you need to enter a special key, which you have to pay for. Let me say right away that even if you pay, this will not remove the lock and will not give you back access to your personal computer.

2. An option that gives the user more possibilities for further action: your computer is infected with the virus, which started encrypting your data, but the encryption was stopped (for example, by turning off the power).

3. The last option is the most favorable. Your computer is infected, but encryption of the file system has not started yet.

If you are in situation number 1, that is, all your data is encrypted, then at this stage there is no effective way to recover the user's information. It is quite possible that such a way will appear in a few days or weeks, but for now specialists in the field of information and computer security are all racking their brains over it.

If the encryption process has not begun or has not fully completed, the user should interrupt it immediately (encryption appears as the Check Disk system process). If you manage to boot the operating system, immediately install any modern antivirus (all of them currently recognize Petya) and run a full scan of all disks. If Windows does not boot, the owner of the infected machine will have to use a system disk or flash drive to restore the MBR boot sector.

Restoring the bootloader on Windows XP

After booting from the system disk with the Windows XP operating system, you will be presented with options. In the "Windows XP Professional Setup" window, select the item "To repair Windows XP using the Recovery Console, press R". Logically enough, you will need to press R on the keyboard. The Recovery Console will appear in front of you with the message:

"1: C:\WINDOWS Which Windows installation would you like to log onto?"


If you have one version of Windows XP installed, type "1" on the keyboard and press Enter. If you have several systems, you need to choose the one you need. You will be prompted for the administrator password. If there is no password, just press Enter, leaving the field empty. When the prompt appears on the screen, enter the word "fixmbr"

The following message should appear: "Are you sure you want to write a new MBR?" Press the "Y" key on the keyboard.
A message appears: "A new master boot sector is being created on physical disk ...."
"The new master boot sector has been created successfully."

Changeover to Windows Vista

Insert a disk or USB flash drive with Windows Vista operating system. They gave you the need to select the row “Innovate the computer's practice”. Choose how the Windows Vista operating system itself (as you have your desk) needs to be updated. If you show up at the window with options for renewal, press on the command row. At the command line, enter the command " bootrec/FixMbr".

Restoring the bootloader on Windows 7

Insert a disc or a flash drive with the Windows 7 operating system. Choose which Windows 7 installation (if you have several) needs to be repaired. Select the item "Use recovery tools that can help fix problems starting Windows". Then select "Command Prompt". Once the command prompt has loaded, enter "bootrec /fixmbr".

Restoring the bootloader on Windows 8

Insert a disc or a flash drive with the Windows 8 operating system. On the main screen, select the "Repair your computer" item in the lower left corner. Select "Troubleshoot". Choose Command Prompt and, once it has loaded, enter: "bootrec /FixMbr"

Restoring the bootloader on Windows 10

Insert a disc or a USB flash drive with the Windows 10 operating system. On the main screen, select the "Repair your computer" item in the lower left corner. Select "Troubleshoot". Choose Command Prompt and, once it has loaded, enter: "bootrec /FixMbr". If everything went well, a corresponding message will appear, and all that remains is to restart the computer.

(Petya.A), and gave a number of recommendations.

According to the SBU, the infection of operating systems occurred mostly through the opening of malicious attachments (Word documents, PDF files) that were sent to the email addresses of many commercial and state organizations.

"The attack, the main aim of which was to spread the Petya.A file encryptor, exploited the MS17-010 network vulnerability;

The virus attacks computers running Windows by encrypting the user's files, after which it displays a message about the files having been encrypted, with an offer to pay for the decryption key in bitcoin, the equivalent of $300, to unlock the data.

"The encrypted data, unfortunately, cannot be decrypted. We are trying to work on the possibility of decrypting the encrypted data," the SBU said.

What to do to protect yourself from the virus

1. If the computer is switched on and working normally but you suspect that it may be infected, under no circumstances restart it (if the PC has already been affected, do not restart it either) - the virus is triggered on restart and encrypts all files on the computer.

2. Save all your most important files to a separate storage medium that is not connected to the computer, and ideally make a backup copy together with the OS.

3. To identify the file encryptor, terminate all local tasks and check for the presence of the following file: C:/Windows/perfc.dat

4. Depending on the version of Windows, install the patch.

5. Make sure that antivirus software is installed on all computer systems, that it functions properly and that it uses up-to-date virus signature databases. If necessary, install and update the antivirus.

6. To reduce the risk of infection, treat all electronic correspondence with care: do not download or open attachments in emails sent by unknown people. If you receive an email from a known address that arouses suspicion, contact the sender and confirm that the email was actually sent.

7. Make backup copies of all critically important data.

Bring this information to the attention of the employees of structural units, and do not allow employees to work on computers on which the patches have not been installed, regardless of whether they are connected to a local network or the Internet.

It is possible to try to restore access to a Windows computer blocked by the virus.

This malware modifies the MBR, so that instead of the operating system loading, the user is shown a window with text about file encryption. This problem is solved by restoring the MBR. Special utilities exist for this. The SBU used the Boot-Repair utility for this (instructions at the link).

b). Run it and make sure that all checkboxes in the "Artifacts to collect" box are ticked.

c). In the "ESET logs collection mode" tab, set "Binary code from disk".

d). Click the Collect button.

e). Send the archive with the logs.

If the affected PC is switched on and has not yet been turned off, proceed to

step 3 to collect information that will help to write a decoder,

step 4 to cure the system.

From an already affected PC (one that does not boot) you need to collect the MBR for further analysis.

You can collect it by following these instructions:

a). Boot from the ESET SysRescue Live CD or USB (as described in step 3)

b). Accept the license agreement

c). Press CTRL + ALT + T (a terminal opens)

d). Type the command "parted -l" without quotes (the parameter is a lowercase letter "L") and press Enter

e). Look through the list of disks and identify the disk of the affected PC (it should be one of /dev/sda)

f). Type the command "dd if=/dev/sda of=/home/eset/petya.img bs=4096 count=256" without quotes, replacing "/dev/sda" with the disk identified in the previous step, and press Enter (the file /home/eset/petya.img will be created)

g). Connect the flash drive and copy the file /home/eset/petya.img

h). The computer can be turned off.


Earlier, nearly 230,000 computers in more than 150 countries were infected with a ransomware virus. The victims had not yet recovered from the aftermath of that attack when a new one arose, under the name Petya. The largest Ukrainian and Russian companies suffered from it, as well as state institutions.

The cyberpolice of Ukraine established that the virus attack began through the update mechanism of the accounting software M.E.Doc, which is used to prepare and submit tax reports. It thus became known that the infection did not spare the networks of Bashneft, Rosneft, Zaporizhzhyaoblenergo, Dniproenergo and the Dniprovska electric power system. In Ukraine, the virus penetrated computers, PCs of the Kiev metro, telecom operators and the Chornobyl nuclear power plant. In Russia, Mondelez International, Mars and Nivea suffered.

The Petya virus exploits the EternalBlue vulnerability in the Windows operating system. Specialists at Symantec and F-Secure say that although Petya encrypts data, like WannaCry, it still differs somewhat from other types of encrypting viruses. "The Petya virus is a new kind of attack with malicious intent: it doesn't just encrypt files on a disk, but locks the entire disk, making it practically unusable," F-Secure explains. "In particular, it encrypts the MFT master file table."

How does this happen, and how can you prevent this process?

The "Petya" virus - how does it work?

The Petya virus also has other names: Petya.A, PetrWrap, NotPetya, ExPetr. Once on the computer, it downloads an encryptor from the Internet and tries to attack the part of the hard drive that holds the data needed to boot the computer. If it succeeds, the system shows a Blue Screen of Death. After the reboot, a message about a hard disk check appears, with a request not to turn off the power. In this way, the encrypting virus poses as a system disk-checking program while encrypting files with certain extensions. At the end of the process, a message appears saying that the computer is locked, with information on how to obtain a digital key to decrypt the data. The Petya virus demands a ransom, as a rule, in bitcoins. If the victim has no backup copy of the files, they face a choice: pay the sum of $300 or lose all the information. In the opinion of some analysts, the virus only masquerades as ransomware, while its true goal is a mass attack.

How to get rid of Petya?

Specialists have found that the Petya virus looks for a local file and, if this file already exists on the disk, exits the encryption process. This means that users can protect their computer from the ransomware by creating this file and making it read-only.

Although this clever scheme prevents the ransomware process from launching, the method is better regarded as "computer vaccination". The user therefore has to create the file themselves. You can do this as follows:

  • First, file extensions need to be made visible. Make sure that in the "Folder Options" window the "Hide extensions for known file types" checkbox is not ticked.
  • Open the C:\Windows folder and scroll down until you see the notepad.exe program.
  • Left-click notepad.exe, then press Ctrl + C to copy and Ctrl + V to paste the file. You will get a prompt asking for permission to copy the file.
  • Press the "Continue" button, and the file will be created as notepad - Copy.exe. Left-click this file and press the F2 key, then delete the file name notepad - Copy.exe and enter perfc.
  • After changing the file name to perfc, press Enter. Confirm the rename.
  • Now that the perfc file has been created, it needs to be made read-only. To do this, right-click the file and select "Properties".
  • The properties menu for this file opens. At the bottom you will see "Read-only". Tick the box.
  • Now click the "Apply" button, and then the "OK" button.

Some security experts suggest creating, in addition to the file C:\windows\perfc, the files C:\Windows\perfc.dat and C:\Windows\perfc.dll, to protect more thoroughly against the Petya virus. You can repeat the steps described above for these files.
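The manual steps above can also be scripted. The following is an added example, not code from the article or from any vendor: it creates the three marker files named above as empty read-only files, and it leaves any non-empty file with one of those names untouched, since the SBU checklist earlier on this page treats C:/Windows/perfc.dat as a sign of infection. The function name, the status strings and the scratch-directory demo are assumptions of this example.

```python
import os
import stat
import tempfile
from pathlib import Path

# File names come from the article; the directory is a parameter so the
# function can be tried on a scratch folder before it is run on C:\Windows.
MARKER_NAMES = ("perfc", "perfc.dat", "perfc.dll")


def vaccinate(windows_dir):
    """Create empty read-only marker files and return {name: status}."""
    results = {}
    for name in MARKER_NAMES:
        path = Path(windows_dir) / name
        if not path.exists():
            path.touch()
            os.chmod(path, stat.S_IREAD)  # read-only attribute on Windows
            results[name] = "created"
        elif path.stat().st_size > 0:
            # A non-empty file is not a marker we made. The article lists
            # C:/Windows/perfc.dat as a sign of infection, so leave it alone.
            results[name] = "suspicious"
        elif path.stat().st_mode & stat.S_IWUSR:
            os.chmod(path, stat.S_IREAD)
            results[name] = "made-read-only"
        else:
            results[name] = "already-protected"
    return results


def demo():
    """Run twice against a constructed scratch directory."""
    with tempfile.TemporaryDirectory() as scratch:
        # Constructed sample: a non-empty perfc.dat that is already present.
        (Path(scratch) / "perfc.dat").write_bytes(b"constructed sample bytes")
        first = vaccinate(scratch)
        second = vaccinate(scratch)
        for name in MARKER_NAMES:  # restore write access so cleanup succeeds
            os.chmod(Path(scratch) / name, stat.S_IREAD | stat.S_IWRITE)
        return first, second


if __name__ == "__main__":
    print(demo())
```

On a real machine the call would be vaccinate(r"C:\Windows") from an elevated prompt; a "suspicious" result means the file should be examined, not overwritten.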

Congratulations, your computer is protected from NotPetya / Petya!

Symantec's experts give PC users some tips on how to guard against actions that can lead to files being locked or to the loss of money.

  1. Do not pay money to the attackers. If you transfer money to the ransomers, there is no guarantee that you will be able to regain access to your files. And in the case of NotPetya / Petya it is basically pointless, because the goal of the encryptor is to destroy data, not to obtain money.
  2. Make sure you make regular backups of your data. Then, if your PC becomes the target of a ransomware attack, you can restore any deleted files.
  3. Do not open emails from dubious addresses. Attackers will try to trick you into installing malicious programs, or will try to obtain important data for attacks. Be sure to inform IT specialists if you or your colleagues receive suspicious emails or links.
  4. Use reliable software. Timely antivirus updates play an important role in protecting computers against infection. And, of course, you should use the products of reputable companies in this field.
  5. Use mechanisms for scanning and blocking spam messages. Incoming emails should be checked for threats. It is important that any type of message containing links or typical phishing keywords in its text is blocked.
  6. Make sure that all programs are updated. Regular patching of software vulnerabilities is necessary to prevent infection.

Should we expect new attacks?

The Petya virus first made itself known in 2016, and its behaviour was immediately noted by security specialists. The new Petya virus hit computers in Ukraine and Russia in 2017. But this is unlikely to be the end of it. Hacker attacks using ransomware viruses similar to Petya and WannaCry will be repeated, said Stanislav Kuznetsov, deputy chairman of the Oschadbank's board of directors. In an interview with TASS, he warned that similar attacks will definitely occur, but that it is difficult to predict in advance in what form and format they may appear.

If, after all the past cyberattacks, you still have not taken even minimal steps to protect your computer from encrypting viruses, then the time has come to get down to it in earnest.

Petya virus - ransom demand for decryption

Within a few hours of the start of the attack, the first case came in to DATARC, and we analyzed a dozen of the attacked servers. The main conclusion: there is a non-zero chance of data recovery after an attack by the Petya virus - the virus often corrupts the file system, but does not encrypt the data.

At the moment, the cases analyzed can be divided into the following categories.

100% recovery is possible

Most likely, the virus contains a bug: it does not always carry out its algorithm and does not manage to encrypt the data, only damaging the bootloader. We saw the following variants of damage:

  1. Data is not encrypted, MBR is not encrypted
  2. Data is not encrypted, MBR + NTFS bootloader are damaged
  3. Data is not encrypted, MBR + NTFS bootloader + MFT are damaged - the disk is detected as RAW

Recovery is possible, losses are greater than 0%

In those cases where encryption does take place, some of the files may remain intact. We saw the following variants of damage:

  1. Only drive C: is encrypted - the other logical drives remain intact
  2. Not all files on drive C: are encrypted
  3. Only the MFT record is encrypted, while the file contents remain unchanged.

Decryption with the old version's method does not work

The current version of Petya is (presumably) a continuation of the 2016 attack (see https://blog.malwarebytes.com/threat-analysis/2016/04/petya-ransomware/ and https://securelist.com/petya-the-two-in-one-trojan/74609/). For the old version, a technique for recovering the decryption key was created (see https://github.com/leo-stone/hack-petya). The 2017 virus has been changed, and the old method no longer works.

For example, in the old version the MBR was saved to sector 55 and "encrypted" with XOR 0x37. In the new version the MBR is saved to sector 34 and "encrypted" with XOR 0x07.

Encrypted MBR:

Decrypted MBR:

Petya virus - MBR after decryption
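The sector numbers and XOR keys given above are enough to look for the saved original MBR inside a disk image such as the petya.img captured with dd earlier on this page. The following is an added example, not DATARC's tooling: it tries both variants and accepts a sector only if it decodes to something that looks like an MBR. The plausibility check, the function names and the constructed sample image are assumptions of this example.

```python
import sys

SECTOR_SIZE = 512
# (label, sector that holds the saved MBR, XOR key), as given in the article.
VARIANTS = (("old (2016) version", 55, 0x37), ("new (2017) version", 34, 0x07))


def looks_like_mbr(sector):
    """Heuristic (an assumption of this example): boot signature 55 AA,
    partition status bytes of 0x00/0x80 and at least one partition type."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != b"\x55\xaa":
        return False
    entries = [sector[446 + 16 * i:462 + 16 * i] for i in range(4)]
    return all(e[0] in (0x00, 0x80) for e in entries) and any(e[4] for e in entries)


def recover_saved_mbr(image):
    """Return (label, decoded_mbr) for the first variant that yields an MBR."""
    for label, sector_no, key in VARIANTS:
        start = sector_no * SECTOR_SIZE
        raw = image[start:start + SECTOR_SIZE]
        if len(raw) < SECTOR_SIZE:
            continue  # image is too short to contain this sector
        decoded = bytes(b ^ key for b in raw)
        if looks_like_mbr(decoded):
            return label, decoded
    return None


def build_sample_image(sector_no, key):
    """Constructed test data: a 1 MiB image (the size the dd command above
    captures) with a minimal MBR stored XOR-ed at the given sector."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[446] = 0x80            # first partition marked active
    mbr[446 + 4] = 0x07        # partition type 0x07 (NTFS)
    mbr[510:512] = b"\x55\xaa"
    image = bytearray(4096 * 256)
    start = sector_no * SECTOR_SIZE
    image[start:start + SECTOR_SIZE] = bytes(b ^ key for b in mbr)
    return bytes(image), bytes(mbr)


if __name__ == "__main__":
    # Usage: python recover_mbr.py petya.img  (falls back to the sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image(34, 0x07)[0]
    found = recover_saved_mbr(data)
    print("no saved MBR found" if found is None else f"{found[0]}: {found[1][:16].hex()}")
```

A recovered MBR restores only the boot record; it does not undo any MFT or file encryption, so it helps in the cases listed above where the data itself was not encrypted.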

What to do if the computer is infected