The recently launched Petya ransomware is still being analyzed. Although researchers have discovered much of how the malware operates, there is still work to do before a decryption program can be written. The ransomware was attempting to infect businesses in Germany, targeting Human Resource departments, well disguised as an employment application portfolio. As has been seen with other ransomware, corporate targets are chosen because the down-time cost to an infected company of any size can prompt payment, and because multi-machine encryption allows a larger ransom. The ransom is currently 0.99 Bitcoin ($430 U.S.) per infected computer, and it doubles after seven days. The delivery method is an e-mail specifically addressed to the company, containing a Dropbox link to a CV; clicking this installs a trojan. The e-mail is written in very good German, and hosting the CV on cloud storage is a very effective way of making the ploy convincing.
Once the ransomware is in, it overwrites the beginning of the disk and the Master Boot Record (MBR), the code that normally starts the operating system. This also prevents the user from booting into Safe Mode. Petya then makes an XOR-encrypted backup of the partition table, and a blue Fatal Error screen is shown. It is advised not to reboot the system, as would be normal after a blue screen warning, because this will probably accelerate the second stage of the ransomware. Up to this point, files are salvageable if a disk dump [How To…] is created before the next stage of the attack commences.
Next it shows a fake CHKDSK (Check Disk), and by now the files are out of reach because the Master File Table (MFT) is being encrypted, so file names and their locations can no longer be recognized (the MFT is a file on Windows NTFS that holds critical details of all other files). Up to the moment this Check Disk screen appears, it is possible to make a disk dump, which can then be used to create a file backup on another operating system. This is possible only until the file system has been attacked and encrypted.
At present, analysts are working to find a way to recover files after Petya's processes have finished. They are looking at key streams to try to generate a key to unlock the MFT encryption. So far there is no solution other than catching the ransomware at a stage where a memory dump can facilitate a backup disk. If a comprehensive external file backup is already available, reformatting and reinstalling the OS is an option, though not one that many business networks would have the time for. This reasoning is part of the corporate ransomware authors' tactics.
How to decrypt Petya ransomware encrypted HDD?
Important!!! This method should not be considered an official solution to the Petya ransomware problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers or the author of this article. Please use at your own risk.
Important!!! Do not let the system reboot without first checking whether it is infected!
This decoder was made by hasherezade and works for the current version of Petya, though only in stage 1 (up to the point before the ransomware encrypts the MFT). If the system has rebooted (that is, if the CHKDSK screen has been displayed), this will not work.
Step 1: After the Blue Screen fatal warning has been shown, DO NOT REBOOT.
It is important to check that it is definitely a Petya infection. From another computer, download the Kali Linux 64-bit ISO and burn it to a DVD.
Step 2: Boot the crashed computer from this DVD, choosing forensic mode.
Step 3: The hard disk should now be mounted. Find its identifier, for example from a partition listing:
Device Boot Start End Sectors Size Id Type
/dev/sda1 * [….]
This means your disk is sda.
Step 4: Download the Petya ransomware decrypter and make it executable. Run the decoder:
The decoder will display any trace of Petya on the disk and will supply the key if found:
Petya detected on the disk!
Write down the key!
Step 5: This key should decrypt Petya. There is a chance that other variants will emerge with changes that this decoder cannot crack, so make a disk dump first. Read here how to do this.
Step 6: After making the disk dump, reboot and enter the key you wrote down when prompted by the Petya ransomware.
Your HDD should be unlocked!
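The disk dump that Steps 5 and 6 rely on is normally taken with dd from the Kali forensic boot. The Python script below is an added example, not hasherezade's decoder or any tool linked from this article, of the same operation with the one property a forensic image needs: a block that cannot be read is zero-filled rather than dropped, so every offset in the dump still matches the disk (the behaviour of dd with conv=noerror,sync). The device path /dev/sda and the block size are assumptions to be confirmed against the partition listing from Step 3; the FlakyReader class and the 10 KiB sample "disk" are constructed so the script runs offline.

```python
import hashlib
import os
import tempfile


class FlakyReader:
    """Constructed stand-in for a disk with one unreadable block.

    Demo only: it mimics the subset of the file API that image_device() uses,
    so the error path can be exercised without a failing physical drive."""

    def __init__(self, data, bad_block=None, block_size=1024):
        self.data = data
        self.pos = 0
        self.bad = range(0) if bad_block is None else range(
            bad_block * block_size, (bad_block + 1) * block_size)

    def read(self, n):
        if self.pos in self.bad:
            raise OSError(5, "Input/output error")  # what a failing sector returns
        chunk = self.data[self.pos:self.pos + n]
        self.pos += len(chunk)
        return chunk

    def seek(self, pos):
        self.pos = pos

    def tell(self):
        return self.pos


def image_device(src, dst_path, block_size=4 * 1024 * 1024):
    """Copy a block device (or image) to dst_path the way `dd conv=noerror,sync` would.

    `src` is a path such as /dev/sda (assumed name; confirm it from the
    partition listing) or an open binary file object. A block that cannot be
    read is replaced with zeros and its offset recorded, so later offsets in
    the dump still line up with the source disk.
    Returns (bytes_written, unreadable_block_offsets, sha256_hex_of_dump)."""
    own_handle = isinstance(src, (str, bytes, os.PathLike))
    fh = open(src, "rb", buffering=0) if own_handle else src
    digest = hashlib.sha256()
    bad = []
    offset = 0
    try:
        with open(dst_path, "wb") as out:
            while True:
                try:
                    chunk = fh.read(block_size)
                except OSError:
                    bad.append(offset)
                    chunk = b"\x00" * block_size   # pad like conv=sync
                    fh.seek(offset + block_size)     # step over the bad block
                if not chunk:
                    break
                out.write(chunk)
                digest.update(chunk)
                offset += len(chunk)
    finally:
        if own_handle:
            fh.close()
    return offset, bad, digest.hexdigest()


def demo_dump(bad_block=3, block_size=1024):
    """Image a constructed 10 KiB 'disk' into a temp file and compare the dump
    with what dd would have produced. Returns a dict the caller can check."""
    data = bytes(range(256)) * 40                  # constructed disk contents
    expected = bytearray(data)
    if bad_block is not None:
        lo, hi = bad_block * block_size, (bad_block + 1) * block_size
        expected[lo:hi] = b"\x00" * (hi - lo)      # dd leaves zeros here
    with tempfile.TemporaryDirectory() as tmp:
        dump = os.path.join(tmp, "disk.img")
        written, bad, sha = image_device(
            FlakyReader(data, bad_block, block_size), dump, block_size)
        with open(dump, "rb") as fh:
            dumped = fh.read()
    return {
        "bytes_written": written,
        "bad_blocks": bad,
        "sha256": sha,
        "matches_expected": dumped == bytes(expected),
    }


if __name__ == "__main__":
    print(demo_dump())
```

On a real machine the call is image_device("/dev/sda", "/mnt/usb/petya-disk.img") with the output on a separate, larger drive; keep the returned SHA-256 with the dump so a later copy of the image can be verified before anyone works on it.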
A researcher with the nickname Leostone has set up a website to help with decoding Petya: https://petya-pay-no-ransom.herokuapp.com/ . A certain amount of preparation is necessary. First the compromised drive (the one containing the boot, C:\, drive if there are multiple drives on the system) must be removed and connected to a clean computer, which must be running Windows. Then 512 bytes of data needed by the decryption program must be extracted: the data starts at sector 55 (0x37) with an offset of 0, and the 8-byte nonce is at sector 54 (0x36), offset 33 (0x21). The data then has to be converted to Base64 for use on the decryption site. This may be too advanced for many users, so researcher Fabian Wosar has helpfully created an extraction tool. If the user is not confident about removing the hard drive and reconnecting it, a USB hard drive docking station can be used; models such as the Inateck FD1003 make this a simple procedure.
When the encrypted drive has been copied to the clean computer and saved, download Fabian's extraction tool to the desktop. Follow the instructions below for data extraction, then visit Leostone's site to decrypt the Petya files.
Step 1: Detach the locked HDD from your computer and attach it to another one as a slave.
Step 2: Download Petya Extractor to the desktop and run it. It will scan all HDDs and find the one that contains the Petya ransomware boot code.
Step 3: Launch your browser and go to https://petya-pay-no-ransom.herokuapp.com/. On that site you will see two textboxes labeled Base64 encoded 512 bytes verification data and Base64 encoded 8 bytes nonce.
Step 4: In Petya Extractor, click on the Copy Sector button. Now go back to the browser and press Ctrl+V into the textbox labeled Base64 encoded 512 bytes verification data.
Step 5: In Petya Sector Extractor click on the Copy Nonce button.
Step 6: Go back in the browser, press Ctrl+V to paste the data into the textbox labeled Base64 encoded 8 bytes nonce.
Step 7: Click Submit.
Step 8: At the bottom of the new window you should see the text "Your key is:", followed by your key. Please write it down carefully.
Step 9: Turn off the computer, detach the HDD containing Petya ransomware and attach it to the original computer.
Step 10: Turn on the original computer and enter the Petya ransomware key when asked.
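The extractor does the work described above: sector 55 supplies the 512 bytes of verification data, sector 54 at offset 33 supplies the 8-byte nonce, and both are Base64 encoded for the two textboxes in Steps 3 to 6. As an added example, not Fabian Wosar's tool or Leostone's code, the script below performs the same extraction from a raw disk image or block device (for instance a dump taken earlier), with the checks a practitioner would want: it refuses an image too short to contain sector 55 and warns when either blob is all zeros, which is what an untouched or wrong disk looks like. It assumes 512-byte sectors and the offsets the article gives for this Petya version; the image it builds is constructed demo data containing no Petya code.

```python
import base64
import os
import tempfile

SECTOR_SIZE = 512      # assumption: 512-byte sectors, as the article's offsets imply
VERIFY_SECTOR = 55     # 0x37: 512 bytes of verification data at offset 0
NONCE_SECTOR = 54      # 0x36
NONCE_OFFSET = 33      # 0x21
NONCE_LEN = 8


def extract_petya_data(path):
    """Read the verification sector and the nonce from a disk image or block device.

    Returns a dict with the raw bytes, the Base64 strings to paste into the
    site's two textboxes, and a list of warnings. Raises ValueError when the
    image is too small to hold sectors 54 and 55."""
    with open(path, "rb") as fh:
        fh.seek(VERIFY_SECTOR * SECTOR_SIZE)
        verify = fh.read(SECTOR_SIZE)
        fh.seek(NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET)
        nonce = fh.read(NONCE_LEN)
    if len(verify) != SECTOR_SIZE or len(nonce) != NONCE_LEN:
        raise ValueError("image too small: sectors 54 and 55 are not both present")
    warnings = []
    # The site cannot derive a key from all-zero input, so flag it before the
    # user wastes a submission; it usually means the wrong drive was attached.
    if not any(verify):
        warnings.append("verification sector is all zeros: wrong disk or not infected?")
    if not any(nonce):
        warnings.append("nonce is all zeros: wrong disk or not infected?")
    return {
        "verify": verify,
        "nonce": nonce,
        "verify_b64": base64.b64encode(verify).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
        "warnings": warnings,
    }


def write_demo_image(path, sectors=64, fill=True):
    """Write a constructed image with recognisable bytes where Petya would have
    left its verification sector and nonce (demo data, not real Petya code).
    With fill=False the image stays all zeros, like a disk that was never hit."""
    img = bytearray(sectors * SECTOR_SIZE)
    if fill and sectors > VERIFY_SECTOR:
        start = VERIFY_SECTOR * SECTOR_SIZE
        img[start:start + SECTOR_SIZE] = bytes(range(256)) * 2
        start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
        img[start:start + NONCE_LEN] = bytes(range(1, 9))
    with open(path, "wb") as fh:
        fh.write(img)


def demo(sectors=64, fill=True):
    """Build the demo image in a temp directory and run the extraction on it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "locked-disk.img")
        write_demo_image(path, sectors, fill)
        return extract_petya_data(path)


if __name__ == "__main__":
    result = demo()
    print("verification data:", result["verify_b64"])
    print("nonce:            ", result["nonce_b64"])
    for w in result["warnings"]:
        print("warning:", w)
```

Against a real dump the call is extract_petya_data("/path/to/petya-disk.img") (a placeholder path); reading from the image rather than the drive itself means the locked disk is never written to while the key is being recovered.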