Petya ransomware developer releases master decryption key, giving hope for victims

Before you get too excited, it doesn’t work for NotPetya…

David bisson
David Bisson
@
@DMBisson

Petya ransomware developer releases master decryption key

The original developer of the Petya ransomware has released a master decryption key that works for all prevision versions of its enciphering creation.

On 5 July, a person or group by the name “Janus Cybercrime Solutions” tweeted out a link to an encrypted and password-protected file on Mega.nz, a cloud hosting service.

Cracking this file revealed a decryption key that works for previous versions of Petya, a form of ransomware which replaces an infected computer’s Master Boot Record before encrypting the Master File Table. Petya has undergone several modifications since its detection in the spring of 2016.

Sign up to our free newsletter.
Security news, advice, and tips.

Those changes include Petya joining up with Mischa, a regular file-encrypting ransomware, to form a ransomware-as-a-service (RaaS) affiliate system, as well as embracing a new identity as GoldenEye ransomware.

Security researchers have confirmed that the master decryption key works against all these versions of Petya. That’s the good news.

The bad news is that the decryption doesn’t work against NotPetya, the wiper malware which struck power plants, airports, and government computers in dozens of countries in late June.

NotPetya shares some code with Petya – so much so that Janus emerged shortly after the wiper’s outbreak in an effort to help victims by testing their private key against the modified threat. Unfortunately, the two malware families are entirely different programs.

As such, the computer criminals’ private key for Petya won’t help victims of NotPetya.

The master decryption key released by Janus is limited in other respects, too. Catalin Cimpanu of Bleeping Computer elaborates on that point:

“Most (original) Petya campaigns happened in 2016, and very few campaigns have been active this year. Users that had their files locked have wiped drives or paid the ransom many months before. The key will only help those victims who cloned their drives and saved a copy of the encrypted data.”

For affected users who went through all that effort described by Cimpanu and who are still hoping for a cure to Petya, they’re in luck!

As for regular users, it’s important to recognize that ransomware developers do release master decryption keys sometimes but not frequently. It’s therefore important that users do everything in their power to protect against a ransomware infection. That includes patching their systems of known vulnerabilities, avoiding suspicious links and email attachments, and backing up their systems regularly.


David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

What do you think? Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.