How to decrypt Petya Ransomware for Free


Ransomware has risen dramatically over the last few years and is currently one of the most widespread threats on the Internet.

Ransomware infections have become so sophisticated over time that victims often end up paying the ransom to get their critical and sensitive data back.

But if you are infected with Petya Ransomware, there is good news for you.

You can unlock your infected computer without paying the hefty ransom, thanks to a bug the Petya author left in the ransomware's code.

What is Petya Ransomware?

Petya is a nasty piece of ransomware that emerged two weeks ago and worked very differently from any other ransomware.

Rather than encrypting individual files, Petya rewrites the hard drive's master boot record (MBR) with its own boot code, forces a reboot, and then encrypts the NTFS master file table (MFT), leaving the original MBR and the file system unusable.

The master boot record is the first sector of a hard disk; it holds the partition table and the code that locates and starts the operating system. The master file table is the NTFS structure that records the name, size, and on-disk location of every other file on the volume, so encrypting it makes the files unreachable even though their contents are still on the disk.

Once the MFT has been encrypted, the infected PC restarts into Petya's boot code instead of the operating system and displays a ransom note demanding 0.9 Bitcoin (approx. US$381) in exchange for the decryption key needed to recover the system's files.

Without that decryption key, the infected PC will not boot, and every file on the startup disk is inaccessible.

However, a researcher who goes by the Twitter handle @leostone has developed a tool that generates the key Petya requires to decrypt the master file table.

Here’s How to Unlock your Petya-infected Files for Free

The researcher discovered a weakness in the nasty malware’s design after Petya infected his father-in-law’s PC.

According to security researcher Lawrence Abrams of Bleeping Computer, the key generator tool developed by Leostone can unlock a Petya-encrypted PC in about 7 seconds.

In order to use Leostone's key generator, victims must remove the startup drive from the Petya-affected computer and connect it to another, uninfected Windows computer.

The victim then needs to read two pieces of raw data from the hard disk (512-byte sectors, counted from zero) and base64-encode them:

• the 512 bytes starting at sector 55 (0x37), offset 0.
• the 8-byte nonce at sector 54 (0x36), offset 33 (0x21).

Both base64 strings are then pasted into the Web app (mirror site) created by Leostone, which brute-forces and returns the key Petya used, and that key is entered at the ransomware's boot screen to decrypt the master file table.
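The following script is an added example, not Leostone's tool or Abrams' tutorial. It pulls the two fields described above out of a raw disk image (or a raw device such as `\\.\PhysicalDrive1` on Windows, opened as Administrator) and base64-encodes them in the form the Web app expects. It assumes 512-byte sectors numbered from zero, as in the offsets given above, and the sample image it builds for its own demo is constructed filler, not data from a real infection.

```python
import base64
import os
import sys
import tempfile

SECTOR_SIZE = 512
VERIFY_SECTOR = 0x37      # sector 55: 512 bytes at offset 0 go to the key generator
NONCE_SECTOR = 0x36       # sector 54: Petya's configuration sector
NONCE_OFFSET = 0x21       # the 8-byte nonce sits at offset 33 within sector 54
NONCE_LEN = 8


def read_at(fh, offset, length):
    """Read exactly `length` bytes at absolute byte `offset`, or fail loudly."""
    fh.seek(offset)
    data = fh.read(length)
    if len(data) != length:
        raise ValueError(f"short read at offset {offset}: wanted {length}, got {len(data)}")
    return data


def extract_petya_data(path):
    """Return (verify_b64, nonce_b64) from the raw disk or image at `path`.

    `path` may be an image file or a raw device: r'\\.\PhysicalDrive1' on
    Windows (run as Administrator) or /dev/sdb on Linux (run as root).
    Opening the whole drive, not a partition, keeps sector numbering absolute.
    """
    with open(path, "rb") as fh:
        verify = read_at(fh, VERIFY_SECTOR * SECTOR_SIZE, SECTOR_SIZE)
        nonce = read_at(fh, NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET, NONCE_LEN)
    # Sanity check: a drive that is not Petya's boot disk (or a partition
    # opened by mistake) usually yields unwritten, all-zero sectors here.
    if verify == b"\x00" * SECTOR_SIZE or nonce == b"\x00" * NONCE_LEN:
        raise ValueError("sector data is all zeros; is this the infected boot drive?")
    return base64.b64encode(verify).decode("ascii"), base64.b64encode(nonce).decode("ascii")


def build_sample_image(path, nonce=b"ABCDEFGH", verify_byte=0xAA):
    """Write a constructed 64-sector image with the two fields in place.

    Test data only: the contents are filler, not a real infected disk.
    """
    image = bytearray(64 * SECTOR_SIZE)
    nonce_at = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[nonce_at:nonce_at + NONCE_LEN] = nonce
    verify_at = VERIFY_SECTOR * SECTOR_SIZE
    image[verify_at:verify_at + SECTOR_SIZE] = bytes([verify_byte]) * SECTOR_SIZE
    with open(path, "wb") as fh:
        fh.write(image)


def demo():
    """Build the constructed image in a temp dir and extract from it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "petya.img")
        build_sample_image(path)
        return extract_petya_data(path)


if __name__ == "__main__":
    # Usage: python petya_extract.py <image-or-raw-device>; no argument runs the demo.
    verify_b64, nonce_b64 = extract_petya_data(sys.argv[1]) if len(sys.argv) > 1 else demo()
    print("verification data (sector 55, offset 0):", verify_b64)
    print("nonce (sector 54, offset 0x21):          ", nonce_b64)
```

Run it against a raw image taken with `dd` (or a forensic imager) rather than the live drive where you can; working from a copy means a typo in the sector arithmetic cannot damage the only copy of the encrypted MFT.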

Here’s a Simple Tool to Unlock your Files For Free

Leostone's tool is not a straightforward method, and pulling the raw sector data off the disk by hand is not easy for many victims.

The good news is that Fabian Wosar, a separate researcher, has created a free tool called the Petya Sector Extractor that can be used to easily extract the data in seconds.

To use Petya Sector Extractor, victims run the tool on the uninfected Windows computer to which the drive from the affected computer has been attached; it reads the two sectors and produces the base64 strings for the key generator.

Abrams provided this step-by-step tutorial that will walk victims through the entire process.

This is a great solution for decrypting your infected files, but the Petya authors have most likely already heard about these tools and are modifying their code to defeat them, so there is no guarantee the method will keep working indefinitely.

[The Hacker News]
