CRaZyKeL Posted April 11, 2016 #1 (edited)

I made a decoder for the key of Petya ransomware. It works for Stage 1 of encryption, if the system was not rebooted after the infection. Research about a possibility to decrypt Stage 2 is in progress.

UPDATE, 8th April 2016: Petya at Stage 2 has been cracked by leo-stone. Read more: petya-pay-no-ransom.herokuapp.com and github.com/leo-stone/hack-petya. Congratulations to the author! I updated my decoder: now, if it cannot give you the Stage 1 key, it will give you the data necessary to supply on the website petya-pay-no-ransom.herokuapp.com or petya-pay-no-ransom-mirror1.herokuapp.com

I noted down some tips for the users. My research is possible thanks to Malwarebytes.

Disclaimer: This tool is an experiment in unlocking a particular kind of ransomware; neither Malwarebytes nor Hasherezade promise this tool will help in your particular case. This tool should not be considered an official solution to the Petya problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.

You can download the decoder's binary [hidden content] (it is a 64-bit ELF). Source code is available [hidden content].

Few tips

If you opened some executable downloaded from the Internet and your system crashed, it can be an attack of PETYA RANSOMWARE. Best is if you don't let the system reboot after the blue screen. However, even if you didn't manage to catch Petya at the proper time, there is still a chance to recover your data.

What to do:

1) From another computer download e.g. the Kali Linux ISO, 64-bit (kali.org/downloads/), and record it on a DVD.

2) Boot the computer that crashed from this DVD and choose forensic mode.

3) Now your original hard disk should be mounted. Find its identifier, e.g. using: [hidden content]. Sample output: [hidden content]. It means your disk is sda.

4) Download the decoder and make it executable (chmod +x decoder). Run it: [hidden content]. If you managed to catch Petya at Stage 1, this decoder will give you a key directly: [hidden content]. In the other case, we need to recover from Stage 2. The decoder will give you the data that you need to supply on the [hidden content] (if the page is not available, use [hidden content]). Sample output:

Invalid Stage1 key length!
Try to recover from Stage2 by third-party decoder!
Paste this data to: h**ps://petya-pay-no-ransom.herokuapp.com/
verification data: /Mc3N7nDNzeXYjc3q+Y3N+//Nzfs/zc3FcQ3N7UxNzc3NTc3t3Q3N1RtNzdvPTc3cZ83N69yNze1bDc33/03N/3HNzc5wjc3l3g3N6vmNzdv/zc37P83NxVENze1MTc3NTU3N7d0NzdSbTc37z43N3FfNzevcjc3tWo3N9/9Nzf7xzc3OcM3N5dsNzer5jc37/43N+z/NzcVhDc3tTE3NzMxNze39Dc3VW03N289NzdxXzc3r3I3N7VsNzff/Tc3+8c3N7nDNzeXbjc3qyY3N+/xNzfs/zc3FYQ3N7UxNzcxNzc3t/Q3N1VtNzfvPjc3cd83N69yNze1aTc33/03N/7HNze5wjc3l2A3N6vmNzfv/zc37P83NxWENze1MTc3PzM3N7d0NzdUbTc37z83N3EfNzevcjc3NWs3N9/9Nzf8xzc3OcI3N5duNzerJjc3b/A3N+z/NzcVhDc3tTE3Nz0xNze3dDc3U203N+8+NzdxHzc3r3I3NzVrNzff/Tc3+8c3NznCNzeXZjc3q2Y3N+/+Nzfs/zc3FQQ3N7UxNzc7Nzc3t/Q3N1VtNzfvPzc3cV83N69yNzc1azc33/03N/zHNze5wjc3l3o3N6tmNzfv/jc37P83NxVENze1MTc3OTU3N7d0NzdSbTc3bz43N3GfNzevcjc3tWk3N9/9Nzc=
nonce: kRl080HvgUU=

Paste the data you got to the appropriate places on the website. Submit and wait till your key appears.

5) Copy or write down the resulting key. It is very important for recovery!

6) Even if the decoder gave you a key, new Petya versions may come with some changes. That's why I cannot guarantee that this key will be valid for you! I strongly recommend you to make a dump of the full disk. First mount an external disk of appropriate capacity and then dump the full disk there: [hidden content]. Example: [hidden content]. After that, you can reboot your system from the disk. If the Petya screen appears, supply the key that you got from the decoder. Now the system should boot normally.

Thanks WZT for the link.

Edited April 11, 2016 by CRaZyKeL
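The post hides the exact commands for steps 3 and 6 (finding the disk and dumping it before trying a key). The script below is an added example written for this page, not the decoder author's code, showing one defensible way to do that from a live forensic boot: list the block devices, image the whole disk sector by sector to an external volume, and verify the image by hash before anything else touches the disk. The device path (/dev/sda), the mount point of the external disk (/mnt/ext) and the image file name are assumptions for the usage comment; the functions take them as arguments.

```shell
#!/bin/sh
# Added example, not part of the original post or of the Petya decoder.
# Goal: a full, verified disk image before any recovery attempt, so a wrong
# key or a new Petya variant cannot cost more data.
set -u

# Show the candidate disks so the right device can be chosen (lsblk is present
# on Kali; whole devices only, no partitions).
list_disks() {
    lsblk -d -o NAME,SIZE,MODEL,TYPE
}

# image_disk SRC DST: copy SRC to DST sector by sector. conv=noerror keeps going
# past unreadable sectors and conv=sync pads each failed read with zeros so the
# offsets in the image stay aligned with the source; bs=512 limits that padding
# to a single sector. The source is only read, never written.
image_disk() {
    src=$1
    dst=$2
    dd if="$src" of="$dst" bs=512 conv=noerror,sync 2>/dev/null || return 1
    sync
}

# hash_of PATH: SHA-256 of a file or a block device.
hash_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_image SRC DST: success when the image hashes the same as the source
# (a second read of the device; a mismatch means a read error was padded or the
# source changed while being imaged).
verify_image() {
    [ "$(hash_of "$1")" = "$(hash_of "$2")" ]
}

# Typical use from a Kali forensic boot with the external disk on /mnt/ext
# (assumed paths):
#   list_disks
#   image_disk /dev/sda /mnt/ext/sda.img && verify_image /dev/sda /mnt/ext/sda.img
```

Reading a raw device needs root, so run this as root from the live system. If the source size is not a multiple of 512 bytes (true for regular files, not for disks), conv=sync pads the last block and the hashes will differ; for a disk that has unreadable sectors, ddrescue is the better tool, but the padded dd image above still preserves the offsets the decoder expects.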