Petya Ransomware’s encryption has been defeated (for now)
It seems to be almost a weekly, if not daily, occurrence that a new piece of hideous cryptoware hits the internet. One such piece called Petya was released into the wild only a short while ago, and was one of the nastier implementations I had seen in a while.
Petya imitates a CHKDSK scan, something computer users might see when turning on a machine after hard powering it down on an evening instead of logging off. However, instead of being a useful repair program, it sneakily encrypts your hard drive, including the MBR, just to make things worse. When it finishes this process, you get a nice screen with a piece of ASCII art.
Of course the next screen shows you how you can pay some money for the privilege of getting back your data.
It seems, however, that one person has managed to create a process for generating the password without such a payment being necessary. The person, who goes by the name Leostone, has developed a brute-forcing application to generate the decryption key after you provide information recovered from the encrypted drive. They have even created a website to help automate the decryption of this particular strain, which you can find over at https://petya-pay-no-ransom.herokuapp.com/ with a mirror available at https://petya-pay-no-ransom-mirror1.herokuapp.com/
BleepingComputer (love that name) go into more detail about the steps required to get the information needed. However, it is likely to be a hard process for most, as it requires removing the affected drive so it can be attached to another machine. A hard drive dock is an obvious way to connect the drive to another machine.