The process is a little bit complicated, but it works

Apr 11, 2016 09:50 GMT  ·  By

Good news for victims of the Petya ransomware. Two security researchers have released an online service and a desktop tool that together let them recover the key needed to unlock their computer without paying.

The Petya ransomware appeared around March 25 and worked very differently from other ransomware of the time. Instead of encrypting files one by one while leaving the PC usable, Petya forced the machine to crash and reboot; on reboot it replaced the hard drive's Master Boot Record (MBR) with its own boot code and encrypted the Master File Table (MFT). The file contents themselves were left in place, but with the MFT encrypted the operating system could no longer find them, so the disk was unusable.

The computer would then be stuck in this pre-boot environment, and to recover their files the victim was expected to pay the ransom and type the key they received into the ransomware's pre-boot command-line prompt.

Researchers noticed that the ransomware never talked to a command-and-control server, so the key had to be verified entirely on the infected disk. That made the encryption scheme self-contained and worth analyzing for a way around it.

Petya ransomware can be decrypted

A researcher who did not want to reveal his name, known only by the moniker Leo Stone on Twitter, found a way to recover the key with a genetic algorithm that searches the key space using data taken from the infected disk. He set up two websites where victims can submit that data and receive the decryption key.

The catch is that, to crack Petya, users must first extract a few hundred bytes from specific sectors of the infected drive, which requires reading the raw disk and is not something most victims can do on their own. Here too there is good news, thanks to a tool created by Emsisoft's Fabian Wosar.

The first step is to remove the infected hard drive and attach it to another, working Windows computer, since Mr. Wosar's tool runs on Windows. The application scans attached drives for Petya infections and automates the extraction of the data needed to crack the ransomware.

Petya Sector Extractor

Once Mr. Wosar's Petya Sector Extractor has found a Petya-infected drive, press the first button, "Copy Sector." This copies a specific 512-byte sector of the drive, Base64-encoded, to the clipboard. Open one of Leo Stone's websites and paste it (CTRL+V) into the large text area labelled "Base64 encoded 512 bytes verification data."

Go back to Petya Sector Extractor and press the second button, "Copy Nonce." Return to the website and paste this value into the smaller field below the first, labelled "Base64 encoded 8 bytes nonce."

Once both fields contain the proper data, press "Submit" and wait for the algorithm to finish; the site then displays the key.
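For readers who have a raw image of the infected disk rather than a Windows machine to run the extractor on, the following Python script reproduces what the two "Copy" buttons do: it pulls the 512-byte verification sector and the 8-byte nonce and Base64-encodes them for pasting into the site. This is an added example, not code from Mr. Wosar's tool or from Leo Stone's site. The sector numbers and the nonce offset (sector 55 for the verification data, sector 54 at byte offset 0x21 for the nonce) are assumptions taken from public analyses of the original Petya and are not stated in this article; the sample disk image is constructed in the script so it runs offline.

```python
import base64
import sys

SECTOR_SIZE = 512

# Layout assumptions (from public analyses of the original "Red" Petya, not from this article):
#   sector 54: Petya's configuration block; the 8-byte Salsa20 nonce sits at byte offset 0x21
#   sector 55: 512 bytes of "verification data", plaintext 0x37 encrypted with the same key/nonce
CONFIG_SECTOR = 54
NONCE_OFFSET = 0x21
NONCE_LEN = 8
VERIFY_SECTOR = 55
VERIFY_PLAINTEXT_BYTE = 0x37


def read_sector(image: bytes, index: int) -> bytes:
    """Return one 512-byte sector from a raw disk image, failing loudly on a short read."""
    start = index * SECTOR_SIZE
    sector = image[start:start + SECTOR_SIZE]
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"image too small to contain sector {index}")
    return sector


def verification_looks_unencrypted(verification: bytes) -> bool:
    """True if the verification sector is still its plaintext (all 0x37).

    Assumption: in that state Petya's encryption stage has not run yet,
    so there is nothing to crack (and the key may still be on disk).
    """
    return len(verification) == SECTOR_SIZE and set(verification) == {VERIFY_PLAINTEXT_BYTE}


def extract_petya_fields(image: bytes) -> dict:
    """Return the raw bytes and the Base64 strings the decryption site asks for."""
    verification = read_sector(image, VERIFY_SECTOR)
    config = read_sector(image, CONFIG_SECTOR)
    nonce = config[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]
    return {
        "verification": verification,
        "nonce": nonce,
        "verification_b64": base64.b64encode(verification).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
        "unencrypted": verification_looks_unencrypted(verification),
    }


def extract_from_file(path: str) -> dict:
    """Read only the first 56 sectors of a disk or image file; a whole drive is not needed."""
    with open(path, "rb") as f:
        head = f.read(SECTOR_SIZE * (VERIFY_SECTOR + 1))
    return extract_petya_fields(head)


def build_sample_image(nonce: bytes, verification: bytes) -> bytes:
    """Constructed stand-in for an infected disk: 64 zeroed sectors with the two fields planted."""
    if len(nonce) != NONCE_LEN or len(verification) != SECTOR_SIZE:
        raise ValueError("nonce must be 8 bytes and verification 512 bytes")
    image = bytearray(SECTOR_SIZE * 64)
    cfg = CONFIG_SECTOR * SECTOR_SIZE
    image[cfg + NONCE_OFFSET:cfg + NONCE_OFFSET + NONCE_LEN] = nonce
    image[VERIFY_SECTOR * SECTOR_SIZE:(VERIFY_SECTOR + 1) * SECTOR_SIZE] = verification
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # e.g. a dd image of the infected drive, or a raw block device you can read
        fields = extract_from_file(sys.argv[1])
    else:
        # Constructed sample data, not from a real infection
        sample = build_sample_image(bytes(range(1, 9)), bytes([0x5A]) * SECTOR_SIZE)
        fields = extract_petya_fields(sample)
    if fields["unencrypted"]:
        print("verification sector is plaintext: encryption stage has not run")
    print("Base64 encoded 512 bytes verification data:\n" + fields["verification_b64"])
    print("Base64 encoded 8 bytes nonce:\n" + fields["nonce_b64"])
```

Run it with the path to a `dd` image of the infected drive (or, with sufficient privileges, the raw device) and paste the two printed strings into the matching fields on the site. Only the first 56 sectors are read, so the image does not need to be a copy of the whole disk.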

Once you have the key, put the infected hard drive back in its original computer and boot it. When the ransom screen appears, type the key at the prompt and press Enter.

Petya then restores the original MBR and decrypts the MFT, and the computer boots normally again. Victims who need extra help can ask for it in Bleeping Computer's tech support forums.

Petya ransomware lock screen
