Infected by Petya ransomware? Use this tool to unlock your files... for now

Thank goodness ransomware sometimes contains bugs too…

Infected by Petya ransomware? Use this tool to unlock your files... for now

A researcher has developed a tool that allows victims infected with the Petya ransomware to unlock their files for free - at least for the time being.

The researcher, who operates the Twitter handle @leostone, announced the tool over the weekend.

Their tool exploits a mistake made by Petya's author in the way that the ransomware encrypts a file on a Windows machine, opening opportunities for the decryption key to be determined.

Petya first shoved its way onto the ransomware scene back in March. Already it has made quite a reputation for itself, especially for its ability to encrypt the Master File Table (MFT) on an infected machine.

Petya skull

Currently, Petya demands 0.99 BTC (approximately US $418) from its victims.

Lawrence Abrams, a computer security expert at Bleeping Computer, has tested the tool and reported it took only seven seconds for it to generate a decryption key.

Without some help, however, Leostone's tool could be too complicated to implement for most users notes Abrams in a blog post:

"To use Leostone's decryption tool you will need attach the Petya affected drive to another computer and extract specific data from it. The data that needs to be extracted is 512-bytes starting at sector 55 (0x37h) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) offset: 33 (0x21). This data then needs to be converted to Base64 encoding and used on the https://petya-pay-no-ransom.herokuapp.com/ site to generate the key."

Fortunately, there is still hope.

Security researcher Fabian Wosar has developed a "Petya Sector Extractor that can collect the specific data needed to use Leostone's tool. All a user needs to do is load up their hard drive on an uninfected Windows computer and run Wosar's solution.

After copying and pasting the information generated by the Petya Sector Extractor, victims can then use Leostone's tool to generate a decryption key. That key will decrypt the victim's infected files once the hard drive has been once again loaded into the infected computer.

Petya recovery

This is all great news, though I doubt it will last for long.

In all likelihood, the author(s) of Petya have already heard about Leostone's tool and are modifying their code to disallow the solution as we speak.

Such is the tradeoff in information security. As soon as the security industry announces something good, malicious actors begin working on ways to manipulate it or render it useless.

With that being said, if you have been affected by Petya, I urge you to use Leostone's tool as soon as possible. There's no guarantee the solution will continue to work indefinitely, so it's better to not wait.

Tags: , ,

Smashing Security podcast
Check out "Smashing Security", the new weekly audio podcast, with Graham Cluley, Carole Theriault, and special guests from the world of information security.

"Three people having fun in an industry often focused on bad news" • "It's brilliant!" • "The Top Gear of computer security"

Latest episode:

, ,

5 Responses

  1. Mark Dearlove

    April 12, 2016 at 7:55 am #

    Looks like the tool website is offline – so have the bad guys taken it out so it does not damage their profits? :-(

  2. Karl

    April 12, 2016 at 9:59 am #

    I have various back-up strategies (central server, shadow copies, versioning, offsite) in place so that if(when) ransomware affects me I can rather smugly wipe my disk and reinstall.

    No hassle. No decryption keys. No payments.

    Not running as an admin should help and my weekly system backup is no accessible to standard users.

    See you soon, Petya.

    • Techno in reply to Karl.

      April 12, 2016 at 11:52 am #

      Not running as an admin is of limited use. It won't stop the ransomware encryting files you have access to (including in shared folders), but it does stop it encrypting the files of other user accounts that you don't have access to.

  3. Karl

    April 12, 2016 at 6:56 pm #

    And, Techno, it stops encryption of Windows shadow copies. Remember, I said only admin can access my recovery drive.

  4. AJ

    April 13, 2016 at 4:14 pm #

    Here is an issue rarely spoken of in any of these ransomeware forums.
    So many people say they feel safe because they make external backups.
    One thing that they are not taking into account is that the virus sometimes lays dormant for a month or more.It is very easy for the coder of this virus to set a future execution date.
    Therefore, you are making what you think are clean backups but they actually already have a variation of undetected ransomeware on them.
    When you reinstall these backups after your machine is attacked, you are unwittingly putting the ransomeware right back onto your clean machine.

Leave a Reply