
How to Recover Files Encrypted by Petya Ransomware from Windows

Recover your files encrypted by Petya ransomware on Windows 10 and 11 with effective solutions. Trust our expert-tested methods for quick recovery!

How to Recover Files Encrypted by Petya Ransomware?
Quick Summary
Data at risk: Medium
Est. time: 15 minutes

What leads to files being encrypted by Petya ransomware?

  • Petya ransomware encrypts all files on the system
  • The ransomware exploits the Windows SMBv1 vulnerability
  • Users failed to install the Microsoft patch in time
  • Different versions of Petya may encrypt files differently
  • The original Petya variants were released by Janus

Please help! All my files were encrypted by Petya ransomware, and I haven’t heard about any decryption tools so far. Does this mean that it is impossible to decrypt files encrypted by Petya? Needless to say, these records mean the world to me…

Petya is a file-encrypting virus that belongs to the ransomware category. It first emerged in 2016; however, it attracted the most media attention after the 2017 cyber attack that primarily targeted Ukraine.

According to experts, the cyber criminals used the same Windows SMBv1 vulnerability that the infamous WannaCry ransomware used. Microsoft has already patched the vulnerability; however, many computer users failed to install the update in time. Petya ransomware encrypts all files on the system and demands $300 from the victim, promising to provide the decryption key in return.

The ransomware has compromised computer networks of companies such as “Rosneft” (Russian oil giant), “Kyivenergo,” “Ukrenergo,” National Bank of Ukraine, Oschadbank, and many others.

However, we must point out that the Petya virus used in the 2017 cyber attack differs slightly from the earlier, original versions of the virus. After the Petya-based ransomware outbreak in June, the author of the original Petya variants, known as Janus, released the master decryption key, which can now be used to decrypt files locked by Red Petya, Green Petya, and Mischa. Using the published key, a security researcher known as Hasherezade has created a free decryption tool.

According to the researcher, certain Petya versions function in a slightly different way. The virus either encrypts the Master File Table or cripples all files on the computer like a traditional ransomware virus. Luckily, it makes no difference which method the virus used on your computer: the Petya Decryptor works in both cases.

Before you start decrypting your files, we must warn you to create an extra backup of the encrypted data and store it somewhere safe. The reason why we advise doing so is that the virus may hang during the data recovery procedure, and that can cause permanent damage to encrypted files.
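One way to make that extra backup verifiable, as an added example that is not part of the original article or of any decryptor: it copies every file carrying the extension the ransomware appended to a separate location, records a SHA-256 for each, and can later confirm the backup copies are still intact. The function names and `manifest.json` are assumptions of this example; the extension is whatever was appended on your machine.

```python
import hashlib
import json
import shutil
from pathlib import Path


def sha256_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large encrypted files do not fill memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_encrypted_files(source_root, backup_root, extension):
    """Copy every file ending in `extension` under source_root to backup_root.

    Returns a manifest {relative_path: sha256}. Raises if any copy differs
    from its original, so a bad backup is caught before decryption starts.
    """
    source_root, backup_root = Path(source_root), Path(backup_root)
    if backup_root.resolve().is_relative_to(source_root.resolve()):
        raise ValueError("backup must live outside the tree being backed up")
    backup_root.mkdir(parents=True, exist_ok=True)
    manifest = {}
    for src in sorted(source_root.rglob("*")):
        if not src.is_file() or not src.name.lower().endswith(extension.lower()):
            continue
        rel = src.relative_to(source_root)
        dst = backup_root / rel
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 also preserves timestamps
        before, after = sha256_file(src), sha256_file(dst)
        if before != after:
            raise IOError(f"backup of {rel} does not match the original")
        manifest[rel.as_posix()] = before
    (backup_root / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def changed_since_backup(backup_root):
    """Return backed-up paths whose current hash no longer matches the manifest."""
    backup_root = Path(backup_root)
    manifest = json.loads((backup_root / "manifest.json").read_text())
    return [rel for rel, digest in manifest.items()
            if not (backup_root / rel).is_file()
            or sha256_file(backup_root / rel) != digest]
```

Point `backup_root` at an external drive, and run `changed_since_backup` on it before restoring from the backup if a decryption attempt goes wrong.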

Recover Files Encrypted By Petya Ransomware For Free

  1. Find the ransom note that the ransomware left on your computer. It should be called YOUR_FILES_ARE_ENCRYPTED.TXT. Copy the personal decryption code (a lengthy set of numbers and letters).
  2. Now, create a text file on your desktop. Simply right-click anywhere on the screen and choose New > Text Document.
  3. Name the file id (the full filename should be id.txt), open it and paste the personal decryption code into the file. Click File > Save.
  4. Now download and launch the key decryptor to decrypt the victim’s ID.
  5. Copy the decrypted key and download the Mischa or GoldenEye decryptor.
  6. Open the ransomware decryptor and click Select to choose one encrypted file from your PC.
  7. Paste the decryption key you just obtained. Repeat it to confirm. You might want to select the Backup encrypted files option. Click Decrypt.
  8. Now, check if the file was successfully decrypted. If yes, then use the same decryption key for all encrypted files. You can shorten the process by giving the decryptor the extension that the ransomware appended to all your files. The decryption tool will automatically find all encrypted files.

Optional: You can use an ISO file to read the victim’s ID from the encrypted computer. You can download it here. Launch the program and follow the provided instructions.

To remove remains of ransomware and to restore corrupted system files, we highly recommend using [d1] software. It will eliminate all malware remains and freshen up your computer so that you could use it without worries again.

Bottom line

To recover files encrypted by Petya ransomware, you can use the master decryption key released by Janus and the free decryption tool created by Hasherezade. It is essential to back up your encrypted data before attempting recovery to prevent permanent damage. If these methods do not work, consider seeking professional data recovery services.

Frequently asked questions

Immediately disconnect your device from the internet to prevent further encryption, then boot into Safe Mode to limit the ransomware's activity.

Yes, you can try using file recovery software or restoring from a backup if available, but success is not guaranteed as Petya ransomware is highly sophisticated.

You may use tools like Kaspersky's RakhniDecryptor or other reputable recovery software, but ensure your Windows 10 or Windows 11 system is secure before attempting recovery.

Written & verified by Vera Simmons, Ransomware & Recovery Specialist

Areas of expertise: ransomware identification and decryption, encrypted file recovery, backup verification, incident response, crypto-malware analysis

Vera Simmons specializes in ransomware incidents, helping victims identify the strain, locate available decryptors, and recover files where possible. She also covers preventive backup strategies to minimize damage from future attacks.
