UPDATE: On 17th July a new version of Petya was released. At the moment there is no way to decrypt the disk. Do not let the infection reach Stage 2!
Please read Petya key decoder first for background information.
If you opened an executable downloaded from the Internet and your system crashed, it may be an attack by the PETYA RANSOMWARE.
Do not let the system reboot from the hard disk! That would cause the infection to progress.
Boot the computer from a live CD (e.g. Kali Linux) and make a backup of the full disk, writing the image to a separate drive, never onto the infected disk itself. Example:
dd if=/dev/sda of=dump.bin bs=512
If you caught Petya at Stage 1 (before the reboot), your files are still untouched and there is a chance to save them.
Petya detector in the form of a bootloader:
With the help of this small tool you can easily check whether Petya is present on your disk. In the case of Petya versions 1 and 2 it can also recover the Stage 1 key.
In order to use it, just (from a different computer) download antipetya.iso, burn it to a CD and boot your machine from that CD.
Alternatively, instead of a CD you can use a flash disk. In this case you need to write antipetya.bin to the first sector of the flash disk. Example (using Linux):
1. Log in as root.
2. Check how your flash disk is represented in the system (for example with lsblk), and make sure you pick the flash disk and not the disk you are trying to rescue.
If the flash disk is /dev/sdb:
dd if=antipetya.bin of=/dev/sdb bs=512 count=1
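The two dd steps above (imaging the suspect disk, and writing a one-sector boot image to a flash disk) are easy to get wrong under stress, so here is an added example, not part of the original post or of the antipetya tool, that wraps them in small shell functions with the checks a responder would want: the dump must not land on the disk being imaged, the boot image must not be written to the disk holding the root filesystem, the first sectors of the image are pulled out for inspection, and the MBR is checked for its boot signature and fingerprinted by the hash of its boot code so it can be compared against a clean machine. Device names in the comments (/dev/sda, /dev/sdb, /mnt/backup) are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the antipetya tool.
# Helpers for the live-CD procedure: image a suspect disk onto a separate
# drive, extract its first sectors, fingerprint the MBR, and write a
# one-sector boot image (such as antipetya.bin) to a flash disk with a guard
# against hitting the system disk. Device names below are assumptions.
set -e

SECTOR=512

# Device (or filesystem) backing a given path, as reported by df.
backing_dev() {
    df -P "$1" 2>/dev/null | awk 'NR==2 {print $1}'
}

# Image the whole device $1 into file $2. Refuses if $2 lives on the device
# being imaged, so the dump never overwrites evidence. Stores a checksum
# next to the image. bs stays at one sector: conv=sync pads the last block
# to bs, and a larger bs would change the image size.
dump_disk() {
    src="$1"; out="$2"
    out_dev=$(backing_dev "$(dirname "$out")")
    case "$out_dev" in
        "$src"*) echo "refusing: $out is located on $src itself" >&2; return 1 ;;
    esac
    # conv=noerror,sync keeps going past unreadable sectors (zero-filled)
    dd if="$src" of="$out" bs="$SECTOR" conv=noerror,sync 2>/dev/null
    sha256sum "$out" > "$out.sha256"
}

# Copy the first N sectors (default 64) of an image to a small file; this is
# the region an MBR bootkit touches and is small enough to hexdump by hand.
extract_head() {
    img="$1"; out="$2"; count="${3:-64}"
    dd if="$img" of="$out" bs="$SECTOR" count="$count" 2>/dev/null
}

# True if sector 0 of $1 carries the 0x55AA boot signature at offset 510.
mbr_has_boot_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# SHA-256 of the MBR boot code (bytes 0..445, before the partition table).
# Compare with the same hash from a known-clean machine of the same build:
# a mismatch means the boot code was replaced.
mbr_code_hash() {
    dd if="$1" bs=1 count=446 2>/dev/null | sha256sum | cut -d' ' -f1
}

# Write exactly one sector of image $1 to device $2 (the "count=1" step).
# Refuses if $2 is the disk that holds the root filesystem.
write_boot_sector() {
    img="$1"; dev="$2"
    root_dev=$(backing_dev /)
    case "$root_dev" in
        "$dev"*) echo "refusing: $dev holds the root filesystem" >&2; return 1 ;;
    esac
    dd if="$img" of="$dev" bs="$SECTOR" count=1 conv=fsync 2>/dev/null
}

# Usage from a live system (assumed device names):
#   dump_disk /dev/sda /mnt/backup/dump.bin
#   extract_head /mnt/backup/dump.bin /mnt/backup/head.bin
#   mbr_has_boot_signature /mnt/backup/head.bin && echo "boot signature present"
#   mbr_code_hash /mnt/backup/head.bin
#   write_boot_sector antipetya.bin /dev/sdb
```

The boot-signature check only tells you that sector 0 is a valid boot sector, which is true for both a normal MBR and Petya's replacement; the boot-code hash is what distinguishes them, provided you have a dump from a clean machine with the same Windows build to compare against. The antipetya bootloader from the post remains the tool that actually identifies Petya's code.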
The tool will tell you quickly whether your bootloader has been replaced by Petya's bootloader.
In the case of Petya versions 1 and 2 it will also give you the Stage 1 key automatically:
Output of Antipetya Live CD (Stage 1):
Write down this key. It is the same key that Petya uses to encrypt and decrypt your data:
If Petya has already erased the key, the bootloader will inform you of this. In the case of Red Petya, your disk can still be decrypted at Stage 2; you can read about it here: Stage2 decoder. Unfortunately, this recovery procedure does not work for the current Green version.