Recently we came face to face with the latest ransomware, dubbed “Petya”. Petya often arrives as an ordinary Dropbox download link; once you download the .exe file onto your system and run it, that is the beginning of a probable disaster.
We ran the .exe file on our sandboxed desktop (a Dell): it led to a Windows Blue Screen (failure), a reboot and a disk repair screen. After a while, an awful red screen displays a message explaining that your hard disk has been encrypted (“military encryption algorithms…”) and that you must pay a ransom to the author in order to decrypt the HDD.
Here we share our solution for repairing the corrupted HDD.
Step 1: Attempt to repair the MBR (Master Boot Record)
- Reboot the PC
- Insert a bootable Windows DVD (7, 8, Server…)
- Choose to boot from the DVD
- Choose the Repair Computer option
- Launch the Command Prompt (MS-DOS)
- Type these commands in order:
- bootrec /fixmbr
- bootrec /fixboot
- bootrec /rebuildbcd
Normally the last command reports the number of Windows installations found. If it is “1”, your Windows will boot as usual and you can proceed to clean your system in Safe Mode.
But if the number of Windows installations is “0”, then your HDD is corrupted and the file system has been changed (the system cannot see the existing files).
Step 2: Windows Partition Recovery
If you are lucky and you made a backup of your Windows partition, then you are saved.
Choose Partition Recovery from the bootable Windows DVD and follow the steps it presents.
If you are in the second case and you did not make a Windows backup, remove the HDD from the infected computer and hot plug it into another computer.
Step 3: Data Recovery
- Open the Disk Management tool and choose Analyse Disks from the Actions menu
- The corrupted disk will appear as a RAW file system
- Install a good partition recovery tool (TestDisk, iCare…) and recover your partition; if that does not give anything useful:
- Install a good data recovery tool (we used EaseUS Data Recovery) and recover your lost data.
You can attempt to recover the boot information and restore it to the corrupted HDD, but we have not tried this yet.
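As an added example that is not part of the original post, the following Python script reads the first sectors of a disk or disk image and reports whether the MBR partition table and the NTFS volume header at the start of each partition are still recognisable. Run on the disk after it has been moved to another computer (Step 3), it separates a plain boot-code problem, which Step 1 repairs, from a damaged partition table or file-system header, which is what Disk Management shows as RAW. The disk path argument, the constructed 16-sector sample image and the `with_wiped_vbr` test case are assumptions of the example; the script only ever reads.

```python
"""Inspect the first sectors of a disk or disk image and report whether the
MBR partition table and the NTFS volume headers are still recognisable.
Added example, not from the original post. It only reads, never writes."""
import struct
import sys
from typing import Dict, List

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"     # last two bytes of a valid MBR or NTFS boot sector
PARTITION_TABLE_OFFSET = 446     # four 16-byte entries follow the 446 bytes of boot code
ENTRY_SIZE = 16
NTFS_TYPE = 0x07                 # MBR partition type id used for NTFS volumes
NTFS_OEM_ID = b"NTFS    "        # bytes 3..10 of an NTFS volume boot record (VBR)


def parse_partition_table(mbr: bytes) -> List[Dict]:
    """Return the populated entries of the four-slot MBR partition table."""
    parts = []
    for slot in range(4):
        off = PARTITION_TABLE_OFFSET + slot * ENTRY_SIZE
        status, _chs_start, ptype, _chs_end, lba_start, sectors = struct.unpack(
            "<B3sB3sII", mbr[off:off + ENTRY_SIZE])
        if ptype == 0 and sectors == 0:
            continue                                # unused slot
        parts.append({"slot": slot, "bootable": status == 0x80,
                      "type": ptype, "lba_start": lba_start, "sectors": sectors})
    return parts


def assess_mbr(mbr: bytes) -> str:
    """Return 'ok', 'no-boot-signature' or 'empty-partition-table'.
    bootrec /fixmbr rewrites only the boot code and keeps the partition table,
    so a table that is already empty here is not something Step 1 restores."""
    if len(mbr) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    if mbr[510:512] != BOOT_SIGNATURE:
        return "no-boot-signature"
    if not parse_partition_table(mbr):
        return "empty-partition-table"
    return "ok"


def has_ntfs_vbr(image: bytes, lba_start: int) -> bool:
    """True if the partition's first sector still carries the NTFS OEM ID.
    A volume whose file system Windows cannot recognise is shown as RAW."""
    off = lba_start * SECTOR_SIZE
    vbr = image[off:off + SECTOR_SIZE]
    return len(vbr) == SECTOR_SIZE and vbr[3:11] == NTFS_OEM_ID


def diagnose(image: bytes) -> Dict:
    """Combine the MBR verdict with a per-partition NTFS header check."""
    mbr = image[:SECTOR_SIZE]
    verdict = assess_mbr(mbr)
    parts = parse_partition_table(mbr)
    for p in parts:
        p["ntfs_vbr"] = has_ntfs_vbr(image, p["lba_start"])
    return {"mbr": verdict, "partitions": parts}


def build_sample_image() -> bytes:
    """Constructed 16-sector 'disk': one bootable NTFS partition at LBA 8
    (real Windows disks normally start the first partition at LBA 2048)."""
    mbr = bytearray(SECTOR_SIZE)
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", NTFS_TYPE, b"\0\0\0", 8, 8)
    mbr[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + ENTRY_SIZE] = entry
    mbr[510:512] = BOOT_SIGNATURE
    vbr = bytearray(SECTOR_SIZE)
    vbr[0:3] = b"\xeb\x52\x90"                      # jump instruction of a real NTFS VBR
    vbr[3:11] = NTFS_OEM_ID
    vbr[510:512] = BOOT_SIGNATURE
    gap = bytes(7 * SECTOR_SIZE)
    return bytes(mbr) + gap + bytes(vbr) + gap


def with_wiped_vbr(image: bytes, lba_start: int = 8) -> bytes:
    """Copy of the image with the partition's boot sector zeroed: a constructed
    test case for a volume Windows would report as RAW, not a reproduction of
    what any particular malware writes."""
    buf = bytearray(image)
    off = lba_start * SECTOR_SIZE
    buf[off:off + SECTOR_SIZE] = bytes(SECTOR_SIZE)
    return bytes(buf)


def read_prefix(path: str, sectors: int) -> bytes:
    """Read the first `sectors` sectors of an image file or raw device."""
    # e.g. /dev/sdb on Linux or \\.\PhysicalDrive1 on Windows (both need admin rights)
    with open(path, "rb") as fh:
        return fh.read(sectors * SECTOR_SIZE)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        first = read_prefix(sys.argv[1], 1)
        needed = 1 + max((p["lba_start"] for p in parse_partition_table(first)), default=0)
        image = read_prefix(sys.argv[1], needed)
    else:
        image = build_sample_image()                # no path given: use the constructed sample
    print(diagnose(image))
```

With no argument the script diagnoses the constructed sample; with a path it reads just enough of the real disk (or, preferably, of an image taken from it first) to reach the start of each partition. It understands classic MBR disks only: a GPT disk shows a protective MBR with a single type 0xEE entry, which this script reports but does not interpret.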
To prevent this pain, from now on you must think twice before opening any .exe file. Protecting your computer with an antivirus does not protect you against 0-day vulnerabilities.