The Petya Virus: What It Is And How to Remove It

Protect yourself against this dangerous piece of ransomware

A conceptual illustration of the Petya virus destroying a laptop computer.

Lifewire / Theresa Chiechi 

If you tried to boot your Windows PC and instead of facing the welcoming Windows login screen, find yourself with a red background and an ASCII skull demanding you pay a ransom in Bitcoin, you may well have been infected with the Petya virus. It's a nasty ransomware infection that tries to extort money from you by preventing you from using your system.

The Petya virus is only known to infect Windows machines, so if you have a MacOS system like a Mac or Macbook, you should be fine. You are vulnerable to other types of malware and ransomware though, so still maintain strong personal security practices just to make sure you stay safe online.

What is the Petya Virus?

The Petya virus belongs to a class of malware known as ransomware. It is designed to make money for its creators by making it impossible for a computer user to access their most important files, or even properly boot their system, and then blackmailing them into paying to get the files back.

The name comes from the 1995 James Bond movie GoldenEye. In it, Petya is one of two satellites used to carry atomic bombs that could cause mass disruption through electromagnetic pulses. An alleged author of the malware also had a Twitter account that used an avatar of a character from the movie.

Petya first appeared in 2016 and proved to be a problematic malware attack over the next year or so. Variants of Petya ultimately caused more than $10 billion in damage to government and economic institutions, which ranks it as among the most damaging of cyberattacks ever.

There is a secondary version of Petya that was given the name NotPetya by the antivirus firm Kaspersky Lab. It appeared a year after the original Petya ransomware virus and was used as a disruptive cyberattack tool in Ukraine, rather than as a money-making tool. It is unlikely to be deployed again, as its attack vector has been patched.

How Does Petya Ransomware Virus Work?

Petya virus splash screen

If it gains access to a system, the Petya ransomware virus infects the computer's master boot record and overwrites the Windows bootloader, so that the next time the system starts up, it loads Petya's encryption routine instead of Windows. It then forces a reboot to start the most damaging stage of the Petya infection.

Once the PC starts up again, the payload encrypts the Master File Table of the NTFS file system, making it impossible to access anything on the system via normal means. It then displays a ransomware message demanding a payment in Bitcoin to decrypt the system while the rest of the screen displays fake Windows chkdsk screens suggesting that it's repairing the system.

There are a number of different variants of Petya. The original one required the user to give it administrative access; later variants did not, or carried additional payloads that would execute if they were not given such privileges. One in particular would launch "Mischa" if it wasn't given admin privileges. That is a much more typical ransomware attack that encrypts individual files on the system.

NotPetya, another variant, would also harvest passwords from an infected system and use various techniques to spread itself to other computers on the same network.

How Do I Know I Have the Petya Ransomware Virus?

You will know your system has been infected by Petya if it suddenly reboots, or you start it up and you're faced with the intimidating red screen above. You may also see a ransomware message appear demanding payment in Bitcoin to remove the infection.

How Did I Get the Petya Ransomware Virus?

The original Petya ransomware virus was distributed in infected PDF files, typically through email attachments. You may have opened one of these infected files believing it to be a legitimate file sent by a colleague or friend.

Later variants of Petya, like NotPetya, used the EternalBlue exploit, a flaw in the Windows Server Message Block (SMB) protocol, to infect systems. It is the same exploit path used by other common ransomware like WannaCry.

If you were infected by NotPetya, it's possible that you were infected by another system on the same network as you that was infected by other means, as it can spread across local networks using a variety of attack vectors. It can use harvested passwords to run programs on other machines and so further infect networked systems.

How Do I Get Rid of the Petya Virus?

If your system is infected with the Petya ransomware, whether it's the original or one of the variants that came after, you may be in luck. While normal antivirus won't help, a decryption tool was developed based on the master encryption key of the malware in 2017.

We would recommend making a copy of the infected drive before continuing with decryption, if you can. Make sure to only do so on a safe, non-networked system, so that the infection cannot spread any further.

Download links and full steps for removing the virus can be found on the Malwarebytes blog.

How Can I Avoid Getting the Petya Ransomware Virus Again?

In 2019, you're very unlikely to contract the Petya virus, for a number of reasons. The first is that the people behind the original's creation are no longer distributing it. Furthermore, in the case of Petya variants like NotPetya, the EternalBlue exploit used to infect systems has been patched by Microsoft.

As long as your PC is running the latest version of Windows with all of the latest security updates, you should be well protected.
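Beyond installing updates, the SMBv1 protocol that EternalBlue-based variants such as NotPetya spread over can be switched off entirely. The following audit script is an added example, not part of the original article; it assumes an elevated PowerShell session on Windows 10/11 (the optional-feature check does not apply on Windows Server, which uses Get-WindowsFeature FS-SMB1 instead).

```powershell
# Added example (not from the article): report whether SMBv1 is still enabled
# on this host. Assumes an elevated PowerShell session on Windows 10/11.

$findings = @()

# 1. Is the SMB server still accepting SMBv1 connections?
$srv = Get-SmbServerConfiguration
if ($srv.EnableSMB1Protocol) {
    $findings += "SMB server still accepts SMBv1 (EnableSMB1Protocol = True)."
}

# 2. Is the SMB1Protocol optional feature still installed? (Windows 10/11 client only)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature -and $feature.State -eq 'Enabled') {
    $findings += "SMB1Protocol optional feature is installed (State = Enabled)."
}

# 3. Is the legacy SMBv1 client driver (mrxsmb10) still allowed to start?
#    Start = 4 means the driver is disabled.
$drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
if ($drv -and $drv.Start -ne 4) {
    $findings += "SMBv1 client driver mrxsmb10 is not disabled (Start = $($drv.Start))."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: SMBv1 is disabled on this host."
} else {
    Write-Output "SMBv1 exposure found:"
    $findings | ForEach-Object { Write-Output "  - $_" }
    Write-Output "Remediation (run elevated, then reboot):"
    Write-Output "  Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
    Write-Output "  Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart"
}
```

Disabling SMBv1 does not replace installing the Microsoft patch; it removes the protocol the exploit needs in the first place, which also protects against future flaws in that legacy code.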

To avoid the risk of running into any rogue Petya infections (and many other viruses and malware besides) don't ever open email attachments, even from people you know. Have them distribute files to you via a cloud storage link instead.

Here are a few additional tips for keeping your system safe:

  • Update your antivirus software and malware protection. Keep your antivirus software and malware protection up to date. New virus definitions are released regularly and these keep your PC informed on what to look for with new virus and malware based threats. 
  • Be wary of new programs. It's important to know the source of the programs and apps you've downloaded. When installing them, don't blindly accept everything the installer suggests. Be careful about which boxes you tick. 
  • Stick to well-known websites. Stay away from websites you're not familiar with and never click on pop-up ads that might appear while you're on a site. Clicking these ads could cause you to accidentally download other suspicious files, such as malware or even Trojans.