Get Petya Encrypted HDD back, WITHOUT paying ransom!


Posted (edited)

I made a decoder for the key of Petya ransomware.

It works for Stage 1 of encryption – if the system was not rebooted after the infection.

Research about a possibility to decrypt Stage 2 is in progress.

 

UPDATE: 8th April 2016: Petya at Stage 2 has been cracked by leo-stone.

 

Read more: petya-pay-no-ransom.herokuapp.com and github.com/leo-stone/hack-petya. Congratulations to the author!

 

I updated my decoder – now, if it cannot give you the Stage 1 key,

it will give you the data necessary to supply on the website: petya-pay-no-ransom.herokuapp.com or petya-pay-no-ransom-mirror1.herokuapp.com
I noted down some tips for the users.

My research is possible thanks to Malwarebytes.
 

Disclaimer:

This tool is an experiment in unlocking a particular kind of ransomware; neither Malwarebytes nor Hasherezade

promises that this tool will help in your particular case.

This tool should not be considered an official solution to the Petya problem. Any files destroyed,

further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers.

Please use at your own risk.

 

You can download the decoder's binary:

[Hidden Content]

(it is a 64-bit ELF). Source code is available:

[Hidden Content]

Few tips

If you opened some executable downloaded from the Internet and your system crashed,
it can be an attack of PETYA RANSOMWARE.

It is best if you don't let the system reboot after the blue screen. However, even if you didn't manage to catch Petya at the proper time, there is still a chance to recover your data.

 

What to do:
1) From another computer download e.g. the Kali Linux 64-bit ISO (kali.org/downloads/) and burn it to a DVD.
2) Boot the computer that crashed from this DVD and choose forensic mode.

 

[screenshot: kali_forensics]

 

3) Now your original hard disk should be mounted. Find its identifier, e.g. using:

[Hidden Content]

Sample output:

[Hidden Content]

It means your disk is sda.
4) Download the decoder and make it executable (chmod +x decoder). Run it:

[Hidden Content]

If you managed to catch Petya at Stage 1, this decoder will give you a key directly:

[Hidden Content]

Otherwise, we need to recover from Stage 2. The decoder will give you the data that you need to supply on the

[Hidden Content]

(if the page is not available use

[Hidden Content]

). Sample output:

Invalid Stage1 key length! Try to recover from Stage2 by third-party decoder!

Paste this data to: h**ps://petya-pay-no-ransom.herokuapp.com/

verification data: /Mc3N7nDNzeXYjc3q+Y3N+//Nzfs/zc3FcQ3N7UxNzc3NTc3t3Q3N1RtNzdvPTc3cZ83N69yNze1bDc33/03N/3HNzc5wjc3l3g3N6vmNzdv/zc37P83NxVENze1MTc3NTU3N7d0NzdSbTc37z43N3FfNzevcjc3tWo3N9/9Nzf7xzc3OcM3N5dsNzer5jc37/43N+z/NzcVhDc3tTE3NzMxNze39Dc3VW03N289NzdxXzc3r3I3N7VsNzff/Tc3+8c3N7nDNzeXbjc3qyY3N+/xNzfs/zc3FYQ3N7UxNzcxNzc3t/Q3N1VtNzfvPjc3cd83N69yNze1aTc33/03N/7HNze5wjc3l2A3N6vmNzfv/zc37P83NxWENze1MTc3PzM3N7d0NzdUbTc37z83N3EfNzevcjc3NWs3N9/9Nzf8xzc3OcI3N5duNzerJjc3b/A3N+z/NzcVhDc3tTE3Nz0xNze3dDc3U203N+8+NzdxHzc3r3I3NzVrNzff/Tc3+8c3NznCNzeXZjc3q2Y3N+/+Nzfs/zc3FQQ3N7UxNzc7Nzc3t/Q3N1VtNzfvPzc3cV83N69yNzc1azc33/03N/zHNze5wjc3l3o3N6tmNzfv/jc37P83NxVENze1MTc3OTU3N7d0NzdSbTc3bz43N3GfNzevcjc3tWk3N9/9Nzc= nonce: kRl080HvgUU=

 

Paste the data you got to appropriate places on the website:
[screenshot: paste_data]

 

Submit and wait, till your key appears:
[screenshot: your_key]

 

5) Copy or write down the resulting key. It is very important for recovery!
6) Even if the decoder gave you a key, new Petya versions may come with some changes. That's why I cannot guarantee that this key will be valid for you!
I strongly recommend that you make a dump of the full disk.
First mount an external disk of appropriate capacity and then dump the full disk there:

[Hidden Content]

example:

[Hidden Content]

After that, you can reboot your system from the disk. If the Petya screen appears, supply the key that you got from the decoder:

 

[screenshot: decrypting]

 

Now the system should boot normally.

 

Thanks WZT for the link.

Edited by CRaZyKeL
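As an added example (not hasherezade's decoder, not leo-stone's hack-petya, and not part of the post above), here is a small Python script that reads the Petya configuration sectors from a raw disk image or block device and prints either the key field or the base64 verification data and nonce in the same "verification data: ... nonce: ..." shape as the sample output above, plus a check that a report decodes to exactly one 512-byte sector and an 8-byte nonce before you paste it into the website. The sector numbers and field offsets (sector 54: stage flag, 32-byte key field, 8-byte nonce; sector 55: the verification block) are assumptions taken from public write-ups of the 2016 Petya boot locker, not something the post states; the sample image is constructed, not captured, and the only value reused from the post is the nonce from its sample output. How the raw key field maps to the characters typed at the Petya screen is not reproduced here.

```python
import base64
import sys

SECTOR_SIZE = 512
# Assumed on-disk layout of the 2016 Petya boot locker (taken from public
# write-ups; an assumption, not something this post states): sector 54 holds
# the config block and sector 55 holds 512 bytes of verification data.
CONFIG_SECTOR = 54
VERIFY_SECTOR = 55
KEY_OFFSET, KEY_LEN = 1, 32      # key field, wiped once Stage 2 completes
NONCE_OFFSET, NONCE_LEN = 33, 8  # Salsa20 nonce, left on disk after Stage 2


def read_sector(image: bytes, index: int) -> bytes:
    """Return one 512-byte sector; fail loudly on a truncated image."""
    start = index * SECTOR_SIZE
    sector = image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"image too short for sector {index}")
    return sector


def parse_petya_config(image: bytes) -> dict:
    """Pull the stage flag, key field, nonce and verification block out of the image."""
    cfg = read_sector(image, CONFIG_SECTOR)
    return {
        "stage_flag": cfg[0],
        "key": cfg[KEY_OFFSET:KEY_OFFSET + KEY_LEN],
        "nonce": cfg[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN],
        "verification": read_sector(image, VERIFY_SECTOR),
    }


def stage1_key(cfg: dict):
    """Raw 32-byte key field if Petya was caught before the reboot (flag still 0
    and the field not wiped), otherwise None."""
    if cfg["stage_flag"] == 0 and any(cfg["key"]):
        return cfg["key"]
    return None


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def report(cfg: dict) -> str:
    """Same two outcomes as the post's decoder: a key, or the data for the Stage 2 site."""
    key = stage1_key(cfg)
    if key is not None:
        return "Stage1 key field: " + key.hex()
    return ("Invalid Stage1 key length! Try to recover from Stage2 by third-party decoder!\n"
            f"verification data: {_b64(cfg['verification'])} nonce: {_b64(cfg['nonce'])}")


def decode_report(text: str) -> dict:
    """Sanity-check a Stage 2 report before pasting it: the verification data
    must decode to exactly one sector and the nonce to 8 bytes."""
    parts = text.split("verification data: ", 1)[1].split(" nonce: ", 1)
    verification, nonce = (base64.b64decode(p) for p in parts)
    if len(verification) != SECTOR_SIZE or len(nonce) != NONCE_LEN:
        raise ValueError("report does not contain 512 + 8 bytes")
    return {"verification": verification, "nonce": nonce}


def make_sample_image(stage2_done: bool) -> bytes:
    """Constructed 64-sector image (not a capture) exercising both branches."""
    image = bytearray(64 * SECTOR_SIZE)
    cfg = bytearray(SECTOR_SIZE)
    if stage2_done:
        cfg[0] = 1  # key field already wiped by the Stage 2 pass
    else:
        cfg[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = bytes(range(0x41, 0x41 + KEY_LEN))
    # the nonce value is the one from the post's sample output
    cfg[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN] = base64.b64decode("kRl080HvgUU=")
    image[CONFIG_SECTOR * SECTOR_SIZE:(CONFIG_SECTOR + 1) * SECTOR_SIZE] = cfg
    image[VERIFY_SECTOR * SECTOR_SIZE:(VERIFY_SECTOR + 1) * SECTOR_SIZE] = bytes(range(256)) * 2
    return bytes(image)


if __name__ == "__main__":
    # usage: python petya_report.py /dev/sda   (or a dd image of the disk)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read((VERIFY_SECTOR + 1) * SECTOR_SIZE)
    else:
        data = make_sample_image(stage2_done=True)
    print(report(parse_petya_config(data)))
```

Run it against the dd image you made in step 6 rather than the live disk where possible; it only reads the first 56 sectors, so it is safe on the raw device too, but working from the image keeps the original untouched if you mistype an argument.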