The cybersecurity community has struck a fresh blow against ransomware with the release of a new tool which decrypts files locked through the Petya ransomware family.
The spread of ransomware through phishing campaigns, malicious links and dodgy downloads is unfortunately becoming a more common occurrence.
This particular breed of malware can be devastating to victims as it will encrypt files, prevent access to PCs and demand a payment in return for a decryption key -- which may or may not work.
In one of the latest phishing campaigns to hit the media, the Maktub Locker ransomware has been recently distributed to victims through clever social engineering techniques. Described as "beautiful and dangerous" by Malwarebytes, the malware does not need an Internet connection to begin its work.
Petya, however, is an unusual variant of ransomware. Instead of selectively encrypting some files, it overwrites the master boot record (MBR) on an infected system with its own code, so the usual boot process and loading of the operating system's files never take place. Victims are completely locked out of their hard drives, because the OS no longer knows where the correct files are, if they even still exist.
When an infected PC boots back up, users are met with a loading screen which demands a payment in Bitcoin sent through a .onion address on the Tor network.
However, there is hope.
An individual under the Twitter handle @leostone has developed a new tool which is able to decrypt files locked by the ransomware. Available on this website (mirror), the tool is not an easy click-and-watch piece of software, but could prove to be a saving grace for victims desperate to retrieve their system files.
The developer originally wrote the software to unlock his father-in-law's Petya-infected system. Using it requires victims to locate and enter specific data from their own drive in order to generate the correct password.
In order to recover from Petya, users must detach the infected drive and attach it to a clean Windows system to extract two pieces of data: the 512 bytes starting at sector 55 (0x37), offset 0, and the 8-byte nonce at sector 54 (0x36), offset 33 (0x21).
This information then needs to be converted to Base64 encoding and entered on the developer's website to generate the correct key.
If this sounds beyond your expertise, you can use Fabian Wosar's Petya Sector Extractor (.ZIP file) to automatically grab this data.
When this process is complete, the hard drive can be reattached, decrypted and the system rebooted -- and it should be free of this particular strain of malware.
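The extraction step described above, as an added example that is not the developer's tool or Fabian Wosar's extractor: it seeks to sector 55 (512 bytes at offset 0) and sector 54 (8 bytes at offset 0x21) of a raw disk image or attached device and Base64-encodes both values. The device path and the planted marker bytes in the sample image are assumptions for illustration, not real Petya data.

```python
import base64
import io

SECTOR_SIZE = 512
VERIFY_SECTOR = 55      # 0x37: 512-byte verification block at offset 0
NONCE_SECTOR = 54       # 0x36: 8-byte nonce at offset 33 (0x21)
NONCE_OFFSET = 0x21
NONCE_LEN = 8


def read_petya_fields(disk) -> dict:
    """Seek into an open, seekable binary disk image or raw device and return both raw fields."""
    disk.seek(VERIFY_SECTOR * SECTOR_SIZE)
    verification = disk.read(SECTOR_SIZE)
    disk.seek(NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET)
    nonce = disk.read(NONCE_LEN)
    if len(verification) != SECTOR_SIZE or len(nonce) != NONCE_LEN:
        raise ValueError("image ends before sector 55: wrong device or truncated image?")
    return {"verification": verification, "nonce": nonce}


def encode_fields(fields: dict) -> dict:
    """Base64-encode each raw field, the form the key-generator website expects."""
    return {name: base64.b64encode(raw).decode("ascii") for name, raw in fields.items()}


def extract_from_bytes(image: bytes) -> dict:
    """Convenience wrapper for an in-memory image."""
    return encode_fields(read_petya_fields(io.BytesIO(image)))


def extract_from_path(path: str) -> dict:
    """Open an image file or an attached device (e.g. /dev/sdb, assumed path; read-only)."""
    with open(path, "rb") as disk:
        return encode_fields(read_petya_fields(disk))


def build_sample_image() -> bytes:
    """Constructed 56-sector test image, NOT real Petya data: marker bytes planted at both offsets."""
    img = bytearray(56 * SECTOR_SIZE)
    nonce_at = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[nonce_at:nonce_at + NONCE_LEN] = bytes(range(1, 9))            # constructed nonce
    img[VERIFY_SECTOR * SECTOR_SIZE:(VERIFY_SECTOR + 1) * SECTOR_SIZE] = b"A" * SECTOR_SIZE
    return bytes(img)


if __name__ == "__main__":
    sample = extract_from_bytes(build_sample_image())
    print("nonce (base64):", sample["nonce"])                          # AQIDBAUGBwg=
    print("verification (base64, first 40 chars):", sample["verification"][:40])
```

Reading a physically attached drive rather than an image file needs administrator or root privileges, and the drive should be attached read-only so nothing on it is modified before decryption.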
If Petya's author is still active, it is likely this solution will not work forever. Just as security researchers are constantly attempting to create solutions and fight against digital threats, cyberattackers are also refining their methods. If you have a system affected by Petya, don't wait to try and salvage your system.