
Petya+ Ransomware

By GoldSparrow in Ransomware

The Petya+ Ransomware draws its name from the infamous variants of the Petya Ransomware family. However, this particular threat, the Petya+ Ransomware, is not actually related to the famous Petya Ransomware. Rather, the extortionists use this name to scare victims of the attack while lending their infection legitimacy. The version of the Petya+ Ransomware analyzed by PC security researchers is not capable of encrypting the victim's data, unlike the variants of the well-known Petya ransomware Trojan, which encrypts the victims' files using a powerful encryption algorithm and then demands the payment of a ransom from the victim.

The Lies Beneath this Copycat of the Petya Ransomware

The Petya+ Ransomware is written in .NET and is designed simply to display a lock screen on the victim's computer and then demand the payment of a ransom. The Petya+ Ransomware directs victims to payment portals that are reachable only through Tor. These payment portals are located at the following Dark Web addresses:

petya37h5tbhyvki.onion/n19fvE
petya5koahtsf7sv.onion/n19fvE

Several aspects of the Petya+ Ransomware make it obvious that the people responsible for the attack are trying to mimic the methods used by the original Petya Ransomware. The Petya+ Ransomware displays a bogus CHKDSK notification, which warns the victim not to turn off the infected computer because the disks are supposedly being checked for errors. While this notification is shown, the Petya+ Ransomware finishes installing its components on the victim's computer and makes the changes it needs to the startup settings exposed through the MSCONFIG panel and other Windows settings. When the computer boots, the Petya+ Ransomware displays a red screen containing a picture of a skull. After this red screen, the Petya+ Ransomware displays the following message, which replaces the victim's Desktop picture:

'You became a victim of the PETYA RANSOMWARE!
---
The harddisks of your computer have been encrypted with a military grade encryption algorithm. There is no way to restore your data without a special key. You can purchase this key on the darknet page shown in step 2.
To purchase your key and restore your data, please follow these three easy steps:
1. Download the Tor Browser at "https://www.torproject.org/". If you need help, please google for "access onion page".
2. Visit one of the following pages with the Tor Browser:
xxxx://petya37h5tbhyvki.onion/n19fvE
xxxx://petya5koahtsf7sv.onion/n19fvE
3. Enter your personal decryption code there:
[47 RANDOM CHARACTERS]'

Dealing with a Petya+ Ransomware Infection

The main purpose of the Petya+ Ransomware is to stop victims from accessing their files by blocking access to the infected computer with a lock screen. Since the Petya+ Ransomware uses the name of a well-known ransomware Trojan, victims searching for it may come across the original Petya in a Web search and believe that their files have indeed been encrypted and that there is no way to recover them. However, in its current form, the Petya+ Ransomware is not capable of encrypting files or causing any long-term damage. Because of this, the Petya+ Ransomware lock screen may be bypassed by starting the infected computer in Safe Mode. Once access to the infected computer has been restored, the victims' files will appear intact. The Petya+ Ransomware infection itself is easily removed with the help of a reliable, fully up-to-date security program. Manual removal of the Petya+ Ransomware is also not a difficult process.
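As an added triage example (not code from the article or from any vendor tool), the following PowerShell script supports the Safe Mode cleanup described above: it lists the standard Run/RunOnce autostart entries, flags any that point at a .NET assembly or at a user-writable location, and reports the current wallpaper value, since the article describes a .NET lock screen that edits startup settings and replaces the Desktop picture. The registry key and folder names are standard Windows locations; the "suspect" heuristics are assumptions for triage, not signatures for this threat.

```powershell
# Run from an elevated prompt after booting the affected machine into Safe Mode.
$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
# Folders a user-level dropper can write to without elevation (assumed heuristic).
$userWritable = @("$env:APPDATA", "$env:LOCALAPPDATA", "$env:TEMP", "$env:USERPROFILE\Downloads")

function Test-ManagedExe {
    param([string]$Path)
    try {
        # Succeeds only for a CLR (.NET) assembly; throws for native PE or non-PE files.
        [void][System.Reflection.AssemblyName]::GetAssemblyName($Path)
        return $true
    } catch { return $false }
}

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($props.PSObject.Properties | Where-Object { $_.Name -notlike 'PS*' }).Name) {
        $cmd = [string]$props.$name
        # Strip surrounding quotes and arguments to recover the executable path.
        $exe = ($cmd -replace '^"([^"]+)".*$', '$1') -replace '^(\S+\.exe).*$', '$1'
        $flags = @()
        if ($userWritable | Where-Object { $exe -like "$_*" }) { $flags += 'user-writable path' }
        if ((Test-Path $exe) -and (Test-ManagedExe $exe)) { $flags += '.NET assembly' }
        $status = if ($flags) { 'SUSPECT: ' + ($flags -join ', ') } else { 'ok' }
        "{0}\{1} -> {2} [{3}]" -f $key, $name, $cmd, $status
    }
}

# Wallpaper currently set for this user; a ransom-note image here is the
# Desktop replacement the article describes, and its timestamp dates the infection.
$wall = (Get-ItemProperty 'HKCU:\Control Panel\Desktop').Wallpaper
"Current wallpaper: $wall"
if ($wall -and (Test-Path $wall)) {
    "Wallpaper file last written: " + (Get-Item $wall).LastWriteTime
}
```

Entries marked SUSPECT are candidates for review, not proof of infection; confirm the file before removing the entry, and restore the wallpaper value to a known-good image once the lock screen component is gone.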

The Encryption Ransomware Trojans that the Petya+ Ransomware Imitates

Although the Petya+ Ransomware infection itself is not particularly threatening, the original Petya does represent a real threat to the victim's files and data. To deal with these threats, PC security researchers advise computer users to keep backup copies of their files in the cloud or on a removable storage device. Since these types of infections count on the victim being unable to recover the affected files, having the ability to do so severely undermines their extortion scheme.
