How to remove NotPetya virus and restore encrypted files

NotPetya ransomware virus

NotPetya is dangerous software that penetrates machines mainly through e-mail spam and Trojans. Hackers also use exploits to penetrate the PC, but major software vendors quickly fix them. Once the infection is complete, the virus scans the hard drive to find files for encryption and to estimate their approximate value. Currently, each new virus knows how to encrypt audio, image, text and video information in all known extensions. Extra attention is paid to business files, because businessmen are the main target for criminals. Programs on the computer are left unaffected, since the hackers want only information. The encryption is performed with the well-known RSA and AES algorithms, and it is so sophisticated that deciphering the information without a key is impossible. This is the foundation of the unbelievable efficiency of ransomware in recent years: an ordinary PC user, even one with pretty good knowledge of computers, will never be able to get the data back, and will have no choice except to pay the scammers. The only way to decrypt the data is to crack the scammers' site and get the encryption keys. Some skilled malware specialists can obtain encryption keys thanks to flaws in the virus's program code. The NotPetya virus demands 300 dollars in BTC as a ransom.

This article is about the NotPetya ransomware, which infects laptops around the world and encrypts files. Here we've assembled important information on what NotPetya is and how to delete NotPetya from the computer. Furthermore, we will tell you how to recover the encrypted data and whether that is possible.

Knowledge of computers is very important in our century, because it helps the user defend the PC from hazardous programs. For encrypting programs this matters especially, because, unlike with most hazardous programs, the effects of ransomware remain after you eliminate it from the system. You can easily minimize the chances of getting ransomware by following these rules:

    • Be cautious with e-mails that contain files. If you don't know the person who sent the letter and it tells you about receiving some prize, a lost parcel or something similar, it is most likely a fraudulent letter. You should also be attentive with business correspondence, especially if you don't know the sender and are not sure about its content. It is normal to be curious and read a message even if it was sent to the wrong address, but remember that a single click on the viral file can cost you lots of money, headache and time.
    • Do not ignore the signs that your laptop displays. Encrypting files needs a lot of computing power. When the virus starts to work, the CPU performance decreases, and the encryption process can be seen in Process Manager. You may catch this event and shut down the machine before the information is completely lost. Naturally, a certain amount of data will be encrypted, but you will protect the rest of it.
    • Do not allow any alterations to the computer that come from suspicious programs. The easiest method of data restoration is restoration through Shadow Copies, so the developers of NotPetya have added the elimination of shadow copies to the default functionality of the malware. However, removal of shadow copies requires administrator rights and your acceptance. Thus, by not confirming changes from an unknown program at the right moment, you will keep a way to recover all encrypted data free of charge.
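
To check whether shadow copies are still present on a machine, the following added example (not part of the original article) counts them per fixed volume. It has to be run from an elevated PowerShell prompt and uses the standard Win32_Volume and Win32_ShadowCopy WMI classes.

```powershell
# Added example: count Volume Shadow Copies per fixed volume (read-only).
# Run from an elevated PowerShell prompt.
$volumes = Get-CimInstance -ClassName Win32_Volume -Filter 'DriveType = 3'
$shadows = @(Get-CimInstance -ClassName Win32_ShadowCopy)

$report = foreach ($vol in $volumes) {
    # Win32_ShadowCopy.VolumeName holds the \\?\Volume{GUID}\ path of its source volume
    $copies = @($shadows | Where-Object { $_.VolumeName -eq $vol.DeviceID } |
                Sort-Object -Property InstallDate)
    [pscustomobject]@{
        Volume       = if ($vol.DriveLetter) { $vol.DriveLetter } else { $vol.Name }
        ShadowCopies = $copies.Count
        Oldest       = if ($copies.Count) { $copies[0].InstallDate }  else { $null }
        Newest       = if ($copies.Count) { $copies[-1].InstallDate } else { $null }
    }
}
$report | Format-Table -AutoSize

# Volumes with no snapshot cannot be restored through Shadow Copies
$report | Where-Object { $_.ShadowCopies -eq 0 } |
    ForEach-Object { Write-Warning "No shadow copies on $($_.Volume)" }
```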

You should understand that deleting NotPetya is just the first, compulsory step toward safe operation of the laptop. Removing NotPetya won't restore the data instantly; that requires the further actions described in the "How to restore encrypted files" section. To eliminate NotPetya, the user has to boot the system in safe mode and run a scan with an antivirus tool. We don't recommend that anyone eliminate ransomware manually, since it has various defensive features that can interfere with you. Some ransomware can delete the encrypted data, fully or in part, when you try to delete the program. To avoid this, follow the guide below.

Removal instruction

Step 1. Boot into Safe mode

Start -> Msconfig.exe

On the tab Boot select Safe boot

Step 2. Check Startup folder

Start -> Msconfig.exe -> Disable unknown programs in the Startup tab


Step 3. Check hosts file

Modify the hosts file, which is located in C:\Windows\System32\drivers\etc\ .

Open the file with Notepad and delete suspicious strings.

It has to look like this:

[Image: Hosts file. Step 3]

Step 4. Scan the system with antiviral scanner



Why we recommend SpyHunter antimalware

Detects viruses fully: all files and even registry keys of malware will be found

Protects your system in the future

24/7 free support team

SpyHunter's scanner is only for malware detection. If the program detects a virus on the computer, you will need to purchase SpyHunter's malware removal tool to delete it. Uninstall steps and additional information: EULA, Privacy Policy and Threat Assessment Criteria.


Step 5. Disable Safe mode

Start -> Msconfig.exe -> Disable Safe boot in the Boot tab
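
The manual checks in Step 2 and Step 3 can also be done from a PowerShell prompt. The script below is an added example, not part of the original instructions: it only reads, listing the logon startup entries and any active hosts entries for review. It assumes a default Windows hosts file, in which every line is a comment, so any active entry other than a loopback `localhost` mapping is reported.

```powershell
# Added example: read-only review for Step 2 (startup entries) and Step 3 (hosts file).

# Step 2: programs launched at logon, from the Run keys and the Startup folders
$psProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$startup = @(foreach ($key in $runKeys) {
    $values = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($values) {
        # Drop the provider bookkeeping properties, keep the actual Run values
        $values.PSObject.Properties | Where-Object { $_.Name -notin $psProps } |
            ForEach-Object { [pscustomobject]@{ Location = $key; Name = $_.Name; Command = $_.Value } }
    }
})
$startup += @(foreach ($folder in 'Startup', 'CommonStartup') {
    $path = [Environment]::GetFolderPath($folder)
    if ($path) {
        Get-ChildItem -LiteralPath $path -File -ErrorAction SilentlyContinue |
            ForEach-Object { [pscustomobject]@{ Location = $path; Name = $_.Name; Command = $_.FullName } }
    }
})
$startup | Format-List

# Step 3: active (non-comment) hosts entries other than the loopback names
$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
"hosts last modified: $((Get-Item -LiteralPath $hostsPath).LastWriteTime)"
$suspect = @(Get-Content -LiteralPath $hostsPath | ForEach-Object {
    $line = ($_ -replace '#.*$', '').Trim()          # strip comments and whitespace
    if ($line) {
        $ip, $names = $line -split '\s+'             # first token is the address
        foreach ($name in $names) {
            $isLoopback = ($ip -in '127.0.0.1', '::1') -and ($name -eq 'localhost')
            if (-not $isLoopback) { [pscustomobject]@{ IP = $ip; Host = $name } }
        }
    }
})
if ($suspect.Count) { $suspect | Format-Table -AutoSize } else { 'No active entries beyond localhost.' }
```

Entries the script lists are candidates for review, not confirmed malware; legitimate software also adds startup items and hosts mappings.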


After uninstalling NotPetya from the computer, you should get back the encrypted information. We're not able to decipher the information, but we'll recover it using Windows functionality and special software. There are a few chances, but most of the time file recovery takes a lot of time and effort. If you don't want to wait and are ready to restore the information manually - here's a useful article on data recovery.

To restore information, follow the article about files decryption.
