A week ago, Data Recovery Services published a new article on its blog titled “Ransomware Petya encrypts hard drives”. In fact, it does not encrypt the whole disk, only a very small part of it.

As soon as it is executed, it gives the impression of crashing Windows, but before that it has taken care to modify the MBR and the following 55 sectors, placing its code there and ensuring that it is executed.

At this point, it hasn’t done anything else yet and all files are intact and recoverable. It is during the restart that things get complicated.

To recover the files, connect the infected hard drive to another machine and use signature-based data recovery software. The excellent PhotoRec is perfect for this task and its developer offers a step-by-step tutorial.

It is important to note that this type of software only searches by signature. Thus, not all types of files can be recovered, and those that are will have lost their properties, their name and their place in the tree structure. Also, fragmented files will only be partially recovered.
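
The limits described above show up in even a minimal signature-based carver. The following is an added example, not PhotoRec's code or the author's: the disk image, the file contents and the `f<sector>` naming are constructed for illustration, and a real carver validates file structure instead of trusting the first footer it finds.

```python
SECTOR = 512

# Well-known header/footer magic bytes for two formats.
SIGNATURES = {
    "jpg": (b"\xff\xd8\xff", b"\xff\xd9"),
    "png": (b"\x89PNG\r\n\x1a\n", b"IEND\xaeB`\x82"),
}

def carve(image: bytes, max_size: int = 1 << 20):
    """Return [(name, data)] for every header found on a sector boundary."""
    found = []
    for off in range(0, len(image), SECTOR):
        for ext, (header, footer) in SIGNATURES.items():
            if not image.startswith(header, off):
                continue
            end = image.find(footer, off + len(header), off + max_size)
            if end == -1:
                continue  # no footer in range: truncated or overwritten
            # Only the offset is known: the original name and path are gone.
            name = f"f{off // SECTOR:07d}.{ext}"
            # Everything between header and footer is taken as-is, so a
            # fragmented file drags in whatever sat between its fragments.
            found.append((name, image[off:end + len(footer)]))
    return found

def pad(data: bytes) -> bytes:
    """Pad to a whole number of sectors, as a file's last cluster would be."""
    return data + b"\x00" * (-len(data) % SECTOR)

def build_sample():
    """Constructed disk image: one contiguous JPEG, one fragmented PNG."""
    jpg = b"\xff\xd8\xff\xe0" + b"J" * 700 + b"\xff\xd9"
    png = b"\x89PNG\r\n\x1a\n" + b"P" * 900 + b"IEND\xaeB`\x82"
    overwritten = b"\x00" * (56 * SECTOR)  # MBR + 55 sectors, contents lost
    foreign = b"X" * SECTOR                # a sector belonging to another file
    image = overwritten + pad(jpg) + png[:SECTOR] + foreign + pad(png[SECTOR:])
    return image, jpg, png

if __name__ == "__main__":
    image, jpg, png = build_sample()
    for name, data in carve(image):
        print(name, len(data), "intact" if data in (jpg, png) else "damaged")
```

The contiguous JPEG comes back byte-for-byte under a generated name, while the fragmented PNG is carved with the foreign sector embedded in it and no longer matches the original.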