Infected by Petya ransomware? Use this tool to unlock your files… for now

Thank goodness ransomware sometimes contains bugs too…

David Bisson


A researcher has developed a tool that allows victims infected with the Petya ransomware to unlock their files for free – at least for the time being.

The researcher, who operates the Twitter handle @leostone, announced the tool over the weekend.

Their tool exploits a mistake made by Petya’s author in the way that the ransomware encrypts a file on a Windows machine, opening opportunities for the decryption key to be determined.

Petya first shoved its way onto the ransomware scene back in March. Already it has made quite a reputation for itself, especially for its ability to encrypt the Master File Table (MFT) on an infected machine.


Currently, Petya demands 0.99 BTC (approximately US $418) from its victims.

Lawrence Abrams, a computer security expert at Bleeping Computer, has tested the tool and reported it took only seven seconds for it to generate a decryption key.

Without some help, however, Leostone’s tool could be too complicated for most users to implement, notes Abrams in a blog post:

“To use Leostone’s decryption tool you will need to attach the Petya affected drive to another computer and extract specific data from it. The data that needs to be extracted is 512-bytes starting at sector 55 (0x37h) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) offset: 33 (0x21). This data then needs to be converted to Base64 encoding and used on the site to generate the key.”

Fortunately, there is still hope.

Security researcher Fabian Wosar has developed a “Petya Sector Extractor” that can collect the specific data needed to use Leostone’s tool. All a user needs to do is load up their hard drive on an uninfected Windows computer and run Wosar’s solution.

After copying and pasting the information generated by the Petya Sector Extractor, victims can then use Leostone’s tool to generate a decryption key. That key will decrypt the victim’s infected files once the hard drive has been loaded back into the infected computer.
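
The extraction Abrams describes above, as an added example that is not part of the original article and is not Wosar’s or Leostone’s code: it reads the two regions from a raw image of the affected drive, opened read-only, and Base64-encodes them. It assumes 512-byte sectors; the function names and the constructed sample image are hypothetical.

```python
import base64
import os
import tempfile

SECTOR_SIZE = 512    # assumption: 512-byte logical sectors
DATA_SECTOR = 55     # 0x37: 512 bytes taken from offset 0
NONCE_SECTOR = 54    # 0x36
NONCE_OFFSET = 33    # 0x21
NONCE_LEN = 8


def read_exact(f, pos, length):
    """Read exactly `length` bytes at `pos`; fail loudly on a short image."""
    f.seek(pos)
    buf = f.read(length)
    if len(buf) != length:
        raise ValueError(f"short read at byte {pos}: got {len(buf)}, need {length}")
    return buf


def extract_petya_fields(image_path):
    """Return the two Base64 strings described in the quoted instructions."""
    # Open read-only: the affected drive or its image must never be modified.
    with open(image_path, "rb") as f:
        data = read_exact(f, DATA_SECTOR * SECTOR_SIZE, SECTOR_SIZE)
        nonce = read_exact(f, NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET, NONCE_LEN)
    return {
        "data_b64": base64.b64encode(data).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def build_constructed_image(path, sectors=64):
    """Write a constructed test image (not real Petya data) with marker bytes."""
    img = bytearray(sectors * SECTOR_SIZE)
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[start:start + NONCE_LEN] = b"NONCE123"
    img[DATA_SECTOR * SECTOR_SIZE:(DATA_SECTOR + 1) * SECTOR_SIZE] = bytes([0x37]) * SECTOR_SIZE
    with open(path, "wb") as f:
        f.write(img)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "constructed.img")
        build_constructed_image(sample)
        for name, value in extract_petya_fields(sample).items():
            print(f"{name}: {value}")
```

Working from an image of the drive rather than the drive itself keeps the original sectors untouched if a later step goes wrong.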


This is all great news, though I doubt it will last for long.

In all likelihood, the author(s) of Petya have already heard about Leostone’s tool and are modifying their code to disallow the solution as we speak.

Such is the tradeoff in information security. As soon as the security industry announces something good, malicious actors begin working on ways to manipulate it or render it useless.

With that being said, if you have been affected by Petya, I urge you to use Leostone’s tool as soon as possible. There’s no guarantee the solution will continue to work indefinitely, so it’s better to not wait.

David Bisson is an infosec news junkie and security journalist. He works as Contributing Editor for Graham Cluley Security News and Associate Editor for Tripwire's "The State of Security" blog.

5 comments on “Infected by Petya ransomware? Use this tool to unlock your files… for now”

  1. Mark Dearlove

    Looks like the tool website is offline – so have the bad guys taken it out so it does not damage their profits? :-(

  2. Karl

    I have various back-up strategies (central server, shadow copies, versioning, offsite) in place so that if (when) ransomware affects me I can rather smugly wipe my disk and reinstall.

    No hassle. No decryption keys. No payments.

    Not running as an admin should help and my weekly system backup is not accessible to standard users.

    See you soon, Petya.

    1. Techno · in reply to Karl

      Not running as an admin is of limited use. It won't stop the ransomware encrypting files you have access to (including in shared folders), but it does stop it encrypting the files of other user accounts that you don't have access to.

  3. Karl

    And, Techno, it stops encryption of Windows shadow copies. Remember, I said only admin can access my recovery drive.

  4. AJ

    Here is an issue rarely spoken of in any of these ransomware forums.
    So many people say they feel safe because they make external backups.
    One thing that they are not taking into account is that the virus sometimes lies dormant for a month or more. It is very easy for the coder of this virus to set a future execution date.
    Therefore, you are making what you think are clean backups but they actually already have a variation of undetected ransomware on them.
    When you reinstall these backups after your machine is attacked, you are unwittingly putting the ransomware right back onto your clean machine.
