Petya key decoder

I made a decoder for key of Petya ransomware. It works for Stage 1 of encryption – if the system was not rebooted after the infection. Research about a possibility to decrypt Stage 2 is in progress.

UPDATE: 8-th April 2016 Petya at Stage 2 has been cracked by leo-stone. Read more: https://petya-pay-no-ransom.herokuapp.com/ and https://github.com/leo-stone/hack-petya. Congratulations to the author!

I updated my decoder – now if if cannot give you the Stage1 key, it will give you the data necessary to suply on the website: https://petya-pay-no-ransom.herokuapp.com/ or https://petya-pay-no-ransom-mirror1.herokuapp.com/
I noted down some tips for the users.

My research is possible thanks to Malwarebytes.
Disclaimer: This tool is an experiment in unlocking a particular kind of Ransomware, neither Malwarebytes or Hasherezade promise this tool will help in your particular case. This tool should not be considered an official solution to the Petya problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.

You can download the decoder’s binary here (it is 64bit ELF). Sourcecode is available here.

Few tips

If you opened some executable downloaded from the Internet and your system crashed,
it can be attack of PETYA RANSOMWARE.

Best is if you don’t let the system reboot after the blue screen. However, even if you didn’t managed to catch Petya at proper time, still there is a chance to recover your data.

What to do:
1) From another computer download i.e. Kali Linux ISO 64 bit (https://www.kali.org/downloads/) and record on a DVD
2) Boot the computer that crashed from this DVD, choose forensic mode.

kali_forensics

3) Now your original hard disk should be mounted. Find it’s identificator, i.e using:

fdisk -l

Sample output:

Device     Boot Start     End Sectors  Size Id Type
/dev/sda1  *      [....]

it means your disk is sda
4) Download the decoder and make it executable (chmod +x decoder). Run it:

./decoder /dev/sda

If you managed to catch Petya at Stage1, this decoder will give you a key directly:

Key: MbVNTr2C2JicRsG8
[OK] Stage 1 key recovered!

In other case, we need to recover from the Stage2. The decoder will give you a data that you need to supply on the third-party website (if the page is not available use mirror ). Sample output:

Invalid Stage1 key length!
Try to recover from Stage2 by third-party decoder!
Paste this data to: https://petya-pay-no-ransom.herokuapp.com/

verification data:
/Mc3N7nDNzeXYjc3q+Y3N+//Nzfs/zc3FcQ3N7UxNzc3NTc3t3Q3N1RtNzdvPTc3cZ83N69yNze1bDc33/03N/3HNzc5wjc3l3g3N6vmNzdv/zc37P83NxVENze1MTc3NTU3N7d0NzdSbTc37z43N3FfNzevcjc3tWo3N9/9Nzf7xzc3OcM3N5dsNzer5jc37/43N+z/NzcVhDc3tTE3NzMxNze39Dc3VW03N289NzdxXzc3r3I3N7VsNzff/Tc3+8c3N7nDNzeXbjc3qyY3N+/xNzfs/zc3FYQ3N7UxNzcxNzc3t/Q3N1VtNzfvPjc3cd83N69yNze1aTc33/03N/7HNze5wjc3l2A3N6vmNzfv/zc37P83NxWENze1MTc3PzM3N7d0NzdUbTc37z83N3EfNzevcjc3NWs3N9/9Nzf8xzc3OcI3N5duNzerJjc3b/A3N+z/NzcVhDc3tTE3Nz0xNze3dDc3U203N+8+NzdxHzc3r3I3NzVrNzff/Tc3+8c3NznCNzeXZjc3q2Y3N+/+Nzfs/zc3FQQ3N7UxNzc7Nzc3t/Q3N1VtNzfvPzc3cV83N69yNzc1azc33/03N/zHNze5wjc3l3o3N6tmNzfv/jc37P83NxVENze1MTc3OTU3N7d0NzdSbTc3bz43N3GfNzevcjc3tWk3N9/9Nzc=

nonce:
kRl080HvgUU=

Paste the data you got to appropriate places on the website:
paste_data
Submit and wait, till your key appears:
your_key

5) Copy or write down the resulting key. It is very important for recovery!
6) Even if the decoder gave you a key, new Petya versions may come with some changes. That’s why, I cannot guarantee that this key will be valid for you!
I strongly recommend you to make a dump of full disk.
First mount an external disk of appropriate capacity and then dump there the full disk:

dd if=<path_to_infected_disk> of=<path_to_external_disk>

example:

dd if=/dev/sda of=/media/root/kingston

After that, you can reboot your system from the disk. If the Petya screen appear, supply the key that you got from the decoder:

decrypting
Now the system should boot normally.

( The post has been translated with explicit permission of hasherezade’s 1001 nights )

Source: Petya key decoder

Written by admin

Leave a Reply

Your email address will not be published. Required fields are marked *