Victims of Petya ransomware have experienced a lock screen warning that their hard drive was encrypted with a military grade encryption algorithm and the only way to unlock it was to cough up the bitcoins to purchase a decryption key. But hey, that’s no longer true as the encryption has been defeated and a password generator has been developed so victims can decrypt their hard drives for free.
If you aren’t someone who pays attention to new variants of ransomware, then Petya has been described by BleepingComputer, F-Secure, G Data, Kaspersky Lab, Trend Micro and more. In a nutshell, it is a nasty one since it doesn’t just selectively encrypt documents, pictures or other specific files; oh no, it locks up a victim’s entire hard drive by overwriting the master boot record.
Victims who opened spam email and clicked a link to download a file, which they may have believed was a job applicant’s resume, instead were hit with the Blue Screen of Death in a matter of seconds. When the computer rebooted after the crash, it appeared as if Windows was running check disk; in reality it was a fake CHKDSK as Petya ransomware encrypted the master file table. Victims then saw a red screen filled with a white ASCII skull and crossbones. After pressing any key, they were presented with the nasty news of being a Petya ransomware victim and instructed how to pay the specified bitcoin ransom.
After using the Tor browser to visit the onion site listed in the ransom demand, victims would see something similar to the screenshot below. If not paid, the ransom would double in a week.
Hopefully that will never happen to you, but if it does then you should thank two security researchers for coming up with free solutions to save the day and your hard drive.
BleepingComputer explained that @leostone created an algorithm that, within a few seconds, can generate the password needed to decrypt a hard drive locked up by Petya. Leostone set up an online site as well as a mirror of that site where a victim can “get your encrypted disk back without paying ransom.”
First off, the drive needs to be connected to a working computer – don’t be afraid to open the panel and pull out the drive since a computer doesn’t bleed; the squeamish could use a USB docking station to connect the hard drive to a working computer. However, the technically-challenged may have no clue how to extract the specific data needed to use the Petya unlock tool.
“The data that needs to be extracted is 512-bytes starting at sector 55 (0x37h) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) offset: 33 (0x21),” wrote BleepingComputer. “This data then needs to be converted to Base64 encoding” and inputted on leostone’s site to generate the key.
There’s no need to freak out if you don’t know how to do that as Emsisoft’s Fabian Wosar has come to your rescue by creating a tool that extracts the required data for you.
Victims were advised to save the Petya Sector Extractor (download zipped file) to the desktop of a working computer, extract and run the program so it can detect and scan the infected removable drive. There is a handy “copy sector” button as well as “copy nonce” – these two values are the information that must be entered on leostone’s site to generate the password that unlocks the drive. Enter that password on the Petya lock screen and voila! Your hard drive is decrypted without paying any bitcoin ransom.
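For readers who would rather see exactly what the extractor pulls off the disk, here is an added Python example (not BleepingComputer’s, leostone’s or Emsisoft’s code) that reads the 512 bytes at sector 55 and the 8-byte nonce at sector 54 offset 33 from a raw drive image and Base64-encodes both, as the quoted instructions describe. It assumes 512-byte sectors and is run against a constructed sample image, not a real infected drive.

```python
import base64

SECTOR_SIZE = 512
VERIFY_SECTOR = 55   # 512-byte block the password generator needs (0x37)
NONCE_SECTOR = 54    # sector holding the 8-byte nonce (0x36)
NONCE_OFFSET = 33    # byte offset of the nonce inside sector 54 (0x21)
NONCE_LEN = 8


def extract_petya_data(disk: bytes) -> dict:
    """Return the two Base64 strings to paste into the password generator.

    `disk` is the raw content of the drive (or an image of it) from sector 0.
    Raises ValueError if the data is too short to contain sector 55.
    """
    needed = (VERIFY_SECTOR + 1) * SECTOR_SIZE
    if len(disk) < needed:
        raise ValueError(f"need at least {needed} bytes, got {len(disk)}")
    verify_start = VERIFY_SECTOR * SECTOR_SIZE
    verify = disk[verify_start:verify_start + SECTOR_SIZE]
    nonce_start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    nonce = disk[nonce_start:nonce_start + NONCE_LEN]
    return {
        "sector_b64": base64.b64encode(verify).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def extract_from_device(path: str) -> dict:
    """Read only the first 56 sectors from a block device or image file."""
    with open(path, "rb") as f:
        disk = f.read((VERIFY_SECTOR + 1) * SECTOR_SIZE)
    return extract_petya_data(disk)


def build_sample_image() -> bytes:
    """Constructed 56-sector image with recognisable bytes planted where the
    real data would sit. This is NOT real Petya data."""
    img = bytearray(56 * SECTOR_SIZE)
    nonce_pos = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[nonce_pos:nonce_pos + NONCE_LEN] = b"NONCE123"
    verify_pos = VERIFY_SECTOR * SECTOR_SIZE
    img[verify_pos:verify_pos + SECTOR_SIZE] = bytes(range(256)) * 2
    return bytes(img)


if __name__ == "__main__":
    import sys
    result = (extract_from_device(sys.argv[1]) if len(sys.argv) > 1
              else extract_petya_data(build_sample_image()))
    print("sector:", result["sector_b64"])
    print("nonce: ", result["nonce_b64"])
```

Run it with the path to the raw device or a dd image as the only argument; with no argument it uses the constructed sample image.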
If you were infected by opening spam email and clicking on a link which purportedly downloaded a resume, then don’t fall for the phishing email which “knows your address” as in “knows where you live.” The email includes a person’s address along with an overdue notice and demand for money. If you click that link, then wham-bam say hello to Maktub Locker which – like other ransomware – will increase the ransom as time goes by without it being paid.
Backups are your friend. If you aren’t acquainted, then it’s time that you are. Back up your files often!