Peta Cryptovirus - How to remove

The recently discovered Peta ransomware (not related to Petya, Petya+, or NotPetya) encrypts the victim’s files and asks for up to one thousand dollars. The people who made this virus created it to hold people’s files for ransom. They release this virus into the world, sit back, and collect money from those who decide that they can’t afford to lose their data.

Indeed, if you don’t have secure backups, you might lose all of your files to the Peta virus. There are some ways to maybe, possibly get back some of it — they’re described at the bottom of the article — but they’re not guaranteed to work, unfortunately.

Update: if your personal ID ends in “t1”, check out this decrypter that was developed by ransomware researchers.

Description of the Peta virus

Ransomware has existed for a while but has really become viable when cryptocurrency became accessible. Cryptocurrency allows people to transfer money quickly, digitally, with no chargebacks and no scrutiny. While most cryptocurrencies are completely legitimate and useful for legal purposes, criminals have found a utility in them.

Peta and other file-locking viruses exist just to convince people to send money to some criminals. Although this sort of thing isn’t often reported to the police (the victims don’t feel like the problem will be taken seriously), cryptovirus makers have been arrested before, which shows that encrypting someone else’s files and forcing them to pay money to get the files back is not permissible.

This virus is very malicious and should be given removed as quickly as possible:

Peta virus’ actions	Disables anti-malware Possibly — installs a password-stealing trojan (Azorult) Shows a fake Windows Update window Encrypts user’s files Drops _readme notes
Harm caused	Lost data Stolen passwords (by the trojan) Repeat infections if the security isn’t improved
Remove Peta virus	Reboot in Safe Mode Use anti-malware (SpyHunter) to remove malware Delete suspicious files and programs
Restore the data	Restore data from backups Try system restore Use data recovery Wait for the possibility of a decrypter

Distribution

This malware usually gets on computers by being downloaded from the internet by the victim. The distributors of Peta hide it in various cracks, activators, “free” versions of expensive programs, and upload them online. They might also pay someone to do it for them — like trusted distributors who weren’t known to spread malware before. We know this because many previous versions of Peta that belong to the Djvu family have been distributed that way.

The truth is, pirating is dangerous and a lot of illegitimate software is infected with malware. Peta itself is no different — this ransomware secretly installs a password-stealer (so, when you’re removing Peta, remember that it’s not the only malware you need to take care of).

Symptoms

When Peta starts working, it shows a fake Windows Update pop-up. That’s meant to make you ignore that your disk is working hard, fetching the files to be locked.

Peta locks files and then renames them by adding “.peta” to their names. Luckily, that makes this virus easy to research. On the other hand, it blocks some cybersecurity sites, which makes this virus harder for the victims to look up.

Finally, after the ransomware is done corrupting the files, it creates a bunch of _readme files that include a message from the developers of this malware:

ATTENTION!

Don’t worry, you can return all your files!
All your files like photos, databases, documents and other important are encrypted with strongest encryption and unique key.
The only method of recovering files is to purchase decrypt tool and unique key for you.
This software will decrypt all your encrypted files.
What guarantees you have?
You can send one of your encrypted file from your PC and we decrypt it for free.
But we can decrypt only 1 file for free. File must not contain valuable information.
Price of private key and decrypt software is $980.
Discount 50% available if you contact us first 72 hours, that’s price for you is $490.

The criminals also give their email addresses: [email protected] and [email protected]. Their goal is to make people anxious and to make it very easy to contact the extortionists send them the money that they’re asking for, which is advised against by experts — many payers still lose their data. Paying the criminals doesn’t just risk you losing your files and your money, it finances future attacks. It could even mark you as a target who is willing and able to pay. It’s not uncommon for those who paid to be attacked again a few weeks later.

File encryption

Peta uses cryptography to lock the files. If you’ve even used Windows’ own password-protection on your folders and files, or saved an Office file as encrypted with a password, you know what that is: anyone can access the file but a password is needed to view its contents properly.

Peta uses a stronger version of encryption that can’t be broken and an asymmetric algorithm which means that only Peta’s developers ever know the password needed for decryption.

There is no way to decrypt the files without contacting the criminals. Other, less competent cryptoviruses do get free decrypters released by cybersecurity professionals, but Peta’s type of ransomware is too well-implemented. Its previous versions got a partial decrypter for files locked in certain rare circumstances, but that river has dried out, unfortunately.

Get rid of Peta ransomware

Like I said earlier, Peta installs a password-stealer, so both need to be removed — and you’ll probably need to change your passwords. You can use a professional scanner, such as Spyhunter or Malwarebytes, preferably one that works in safe mode.

Now it’s safe to restore your data from backups and use the computer as normal. However, you should probably consider changing your browsing habits. If Peta did get on your computer through pirating, you need to be more careful: scan your files, update your software. Don’t forget to keep backups of your data.

Automatic Malware removal tools

How to recover Peta Cryptovirus encrypted files and remove the virus

Step 1. Restore system into last known good state using system restore

1. Reboot your computer to Safe Mode with Command Prompt:

for Windows 7 / Vista/ XP

• Start → Shutdown → Restart → OK.
• Press F8 key repeatedly until Advanced Boot Options window appears.
• Choose Safe Mode with Command Prompt.

for Windows 8 / 10

• Press Power at Windows login screen. Then press and hold Shift key and click Restart.
• Choose Troubleshoot → Advanced Options → Startup Settings and click Restart.
• When it loads, select Enable Safe Mode with Command Prompt from the list of Startup Settings.

 

2.Restore System files and settings.

• When Command Prompt mode loads, enter cd restore and press Enter.
• Then enter rstrui.exe and press Enter again.
• Click “Next” in the windows that appeared.
• Select one of the Restore Points that are available before Peta Cryptovirus has infiltrated to your system and then click “Next”.
• To start System restore click “Yes”.

 

Step 2. Complete removal of Peta Cryptovirus

After restoring your system, it is recommended to scan your computer with an anti-malware program, like Spyhunter and remove all malicious files related to Peta Cryptovirus. You can check other tools here.  

Step 3. Restore Peta Cryptovirus affected files using Shadow Volume Copies

If you do not use System Restore option on your operating system, there is a chance to use shadow copy snapshots. They store copies of your files that point of time when the system restore snapshot was created. Usually Peta Cryptovirus tries to delete all possible Shadow Volume Copies, so this methods may not work on all computers. However, it may fail to do so. Shadow Volume Copies are only available with Windows XP Service Pack 2, Windows Vista, Windows 7, and Windows 8. There are two ways to retrieve your files via Shadow Volume Copy. You can do it using native Windows Previous Versions or via Shadow Explorer. a) Native Windows Previous Versions Right-click on an encrypted file and select Properties → Previous versions tab. Now you will see all available copies of that particular file and the time when it was stored in a Shadow Volume Copy. Choose the version of the file you want to retrieve and click Copy if you want to save it to some directory of your own, or Restore if you want to replace existing, encrypted file. If you want to see the content of file first, just click Open.

b) Shadow Explorer It is a program that can be found online for free. You can download either a full or a portable version of Shadow Explorer. Open the program. On the left top corner select the drive where the file you are looking for is a stored. You will see all folders on that drive. To retrieve a whole folder, right-click on it and select “Export”. Then choose where you want it to be stored.

Step 4. Use Data Recovery programs to recover Peta Cryptovirus encrypted files

There are several data recovery programs that might recover encrypted files as well. This does not work in all cases but you can try this:

• We suggest using another PC and connect the infected hard drive as slave. It is still possible to do this on infected PC though.
• Download a data recovery program.
• Install and scan for recently deleted files.

Note: In many cases it is impossible to restore data files affected by modern ransomware. Thus I recommend using decent cloud backup software as precaution. We recommend checking out Carbonite, BackBlaze, CrashPlan or Mozy Home.