A researcher has developed a tool that allows victims infected with the Petya ransomware to unlock their files for free – at least for the time being.
The researcher, who operates the Twitter handle @leo_and_stone (and goes by leostone), announced the tool in a tweet on April 9, 2016.
Their tool exploits a mistake made by Petya’s author in the way that the ransomware encrypts a file on a Windows machine, which makes it possible to recover the decryption key.
Petya first shoved its way onto the ransomware scene back in March. Already it has made quite a reputation for itself, especially for its ability to encrypt the Master File Table (MFT) on an infected machine.
Currently, Petya demands 0.99 BTC (approximately US $418) from its victims.
Lawrence Abrams, a computer security expert at Bleeping Computer, has tested the tool and reported it took only seven seconds for it to generate a decryption key.
Without some help, however, Leostone’s tool could be too complicated to implement for most users, notes Abrams in a blog post:
“To use Leostone’s decryption tool you will need to attach the Petya affected drive to another computer and extract specific data from it. The data that needs to be extracted is 512 bytes starting at sector 55 (0x37h) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) offset: 33 (0x21). This data then needs to be converted to Base64 encoding and used on the https://petya-pay-no-ransom.herokuapp.com/ site to generate the key.”
Fortunately, there is still hope.
Security researcher Fabian Wosar has developed a “Petya Sector Extractor” that can collect the specific data needed to use Leostone’s tool. All a user needs to do is load up their hard drive on an uninfected Windows computer and run Wosar’s solution.
After copying and pasting the information generated by the Petya Sector Extractor, victims can then use Leostone’s tool to generate a decryption key. That key will decrypt the victim’s infected files once the hard drive has been loaded back into the infected computer.
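To make the manual extraction step concrete, here is an added example that is not part of the original article and is not Leostone’s or Wosar’s code. It reads the two pieces of data Abrams describes (the 512 bytes at sector 55, offset 0, and the 8-byte nonce at sector 54, offset 33) from a raw, sector-for-sector disk image of the affected drive and Base64-encodes them. It assumes 512-byte sectors and that the image was taken from an uninfected machine; the sample image it builds is constructed purely for demonstration.

```python
import base64

SECTOR_SIZE = 512
VERIFY_SECTOR = 55   # 0x37: 512-byte verification block, offset 0 (from Abrams' description)
NONCE_SECTOR = 54    # 0x36: sector holding the 8-byte nonce
NONCE_OFFSET = 0x21  # 33: offset of the nonce inside sector 54
NONCE_LEN = 8


def read_sector(image: bytes, sector: int) -> bytes:
    """Return one full sector from an in-memory raw image, or fail loudly."""
    start = sector * SECTOR_SIZE
    chunk = image[start:start + SECTOR_SIZE]
    if len(chunk) != SECTOR_SIZE:
        raise ValueError(f"image too small: sector {sector} is incomplete")
    return chunk


def extract_petya_data(image: bytes) -> dict:
    """Pull out the verification block and nonce and Base64-encode both."""
    verify = read_sector(image, VERIFY_SECTOR)
    nonce = read_sector(image, NONCE_SECTOR)[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]
    return {
        "verification_b64": base64.b64encode(verify).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def extract_from_image_file(path: str) -> dict:
    """Same extraction from a raw image on disk; reads only the sectors it needs."""
    with open(path, "rb") as fh:
        fh.seek(NONCE_SECTOR * SECTOR_SIZE)
        # sectors 54 and 55 are adjacent, so one 1024-byte read covers both
        window = fh.read(2 * SECTOR_SIZE)
    if len(window) != 2 * SECTOR_SIZE:
        raise ValueError("image too small to contain sectors 54 and 55")
    # Re-base the window so the shared helper can index it as sectors 0 and 1
    padded = bytes(NONCE_SECTOR * SECTOR_SIZE) + window
    return extract_petya_data(padded)


def build_sample_image() -> bytes:
    """Constructed test image: 64 zeroed sectors with recognizable bytes
    placed exactly where the article says the data lives."""
    img = bytearray(SECTOR_SIZE * 64)
    v = VERIFY_SECTOR * SECTOR_SIZE
    img[v:v + SECTOR_SIZE] = bytes(range(256)) * 2          # 512 distinct-looking bytes
    n = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[n:n + NONCE_LEN] = bytes([1, 2, 3, 4, 5, 6, 7, 8])   # constructed nonce
    return bytes(img)


if __name__ == "__main__":
    result = extract_petya_data(build_sample_image())
    print("nonce (Base64):", result["nonce_b64"])
    print("verification block (Base64, first 40 chars):", result["verification_b64"][:40])
```

Work from a forensic copy of the drive rather than the original, and treat a `ValueError` as a sign the image is truncated or uses a different sector size, not as something to paper over; the Base64 strings are what the web form described above expects.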
This is all great news, though I doubt it will last for long.
In all likelihood, the author(s) of Petya have already heard about Leostone’s tool and are modifying their code to disallow the solution as we speak.
Such is the tradeoff in information security. As soon as the security industry announces something good, malicious actors begin working on ways to manipulate it or render it useless.
With that being said, if you have been affected by Petya, I urge you to use Leostone’s tool as soon as possible. There’s no guarantee the solution will continue to work indefinitely, so it’s better to not wait.