The original developer of the Petya ransomware has released a master decryption key that works for all previous versions of its file-encrypting creation.
On 5 July, a person or group by the name “Janus Cybercrime Solutions” tweeted out a link to an encrypted and password-protected file on Mega.nz, a cloud hosting service.
"They're right in front of you and can open very large doors" https://t.co/kuCUMZ5ZWP @hasherezade @MalwareTechBlog ;)
— JANUS (@JanusSecretary) July 5, 2017
Cracking this file revealed a decryption key that works for previous versions of Petya, a form of ransomware which replaces an infected computer’s Master Boot Record before encrypting the Master File Table. Petya has undergone several modifications since its detection in the spring of 2016.
Those changes include Petya joining up with Mischa, a regular file-encrypting ransomware, to form a ransomware-as-a-service (RaaS) affiliate system, as well as embracing a new identity as GoldenEye ransomware.
Security researchers have confirmed that the master decryption key works against all these versions of Petya. That’s the good news.
The published #Petya master key works for all versions including #GoldenEye pic.twitter.com/tTRLZ9kMnb
— Anton Ivanov (@antonivanovm) July 6, 2017
The bad news is that the decryption doesn’t work against NotPetya, the wiper malware which struck power plants, airports, and government computers in dozens of countries in late June.
NotPetya shares some code with Petya – so much so that Janus emerged shortly after the wiper’s outbreak in an effort to help victims by testing their private key against the modified threat. Unfortunately, despite that shared code, the two malware families turned out to be entirely different programs.
Kernels compared: #EternalPetya vs #Goldeneye #Petya (the compared material: https://t.co/9GyB556ITn) pic.twitter.com/0DcnkCNuMb
— hasherezade (@hasherezade) June 29, 2017
As such, the computer criminals’ private key for Petya won’t help victims of NotPetya.
The master decryption key released by Janus is limited in other respects, too. Catalin Cimpanu of Bleeping Computer elaborates on that point:
“Most (original) Petya campaigns happened in 2016, and very few campaigns have been active this year. Users that had their files locked have wiped drives or paid the ransom many months before. The key will only help those victims who cloned their drives and saved a copy of the encrypted data.”
Affected users who went through all the effort Cimpanu describes and who are still hoping for a cure to Petya are in luck!
As for regular users, it’s important to recognize that ransomware developers do release master decryption keys sometimes, but not frequently. It’s therefore important that users do everything in their power to protect against a ransomware infection. That includes patching their systems against known vulnerabilities, avoiding suspicious links and email attachments, and backing up their systems regularly.