UPDATE: 8th April 2016: Petya at Stage 2 has been cracked by leo-stone. Read more: https://petya-pay-no-ransom.herokuapp.com/ and https://github.com/leo-stone/hack-petya. Congratulations to the author!
I updated my decoder – now if it cannot give you the Stage1 key, it will give you the data necessary to supply on the website: https://petya-pay-no-ransom.herokuapp.com/ or https://petya-pay-no-ransom-mirror1.herokuapp.com/
I noted down some tips for the users.
My research is possible thanks to Malwarebytes.
Disclaimer: This tool is an experiment in unlocking a particular kind of ransomware; neither Malwarebytes nor Hasherezade promises this tool will help in your particular case. This tool should not be considered an official solution to the Petya problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.
If you opened an executable downloaded from the Internet and your system crashed, it may be an attack by PETYA RANSOMWARE.
It is best not to let the system reboot after the blue screen. However, even if you didn’t manage to catch Petya at the proper time, there is still a chance to recover your data.
What to do:
1) From another computer, download e.g. the Kali Linux 64-bit ISO (https://www.kali.org/downloads/) and burn it to a DVD.
2) Boot the computer that crashed from this DVD and choose forensic mode.
3) Your original hard disk should now be visible to the system. Find its identifier, e.g. using:
Device Boot Start End Sectors Size Id Type
/dev/sda1 * [....]
This means your disk is sda.
4) Download the decoder and make it executable (chmod +x decoder). Run it:
If you managed to catch Petya at Stage1, this decoder will give you a key directly:
Key: MbVNTr2C2JicRsG8
[OK] Stage 1 key recovered!
Otherwise, it will print the data that you need to supply on the website:
Invalid Stage1 key length! Try to recover from Stage2 by third-party decoder!
Paste this data to: https://petya-pay-no-ransom.herokuapp.com/
verification data: [....]
nonce: kRl080HvgUU=
Paste the data you got into the appropriate places on the website:
Submit and wait until your key appears:
5) Copy or write down the resulting key. It is very important for recovery!
6) Even if the decoder gave you a key, new Petya versions may come with some changes. That’s why I cannot guarantee that this key will be valid for you!
I strongly recommend that you make a dump of the full disk.
First mount an external disk of appropriate capacity and then dump the full disk to it:
dd if=<path_to_infected_disk> of=<path_to_image_file_on_external_disk>
e.g.:
dd if=/dev/sda of=/media/root/kingston/disk_dump.img
After that, you can reboot your system from the disk. If the Petya screen appears, supply the key that you got from the decoder:
Now the system should boot normally.
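The disk dump from step 6 can be wrapped in a small shell function that refuses a directory or an existing file as the target, checks free space first, and verifies the image by SHA-256. This is an added example, not part of the original post or of the decoder; the names image_disk, src_size and dump.img are assumptions.

```shell
#!/bin/bash
# Added example: dump a disk to an image file on a mounted external drive,
# then confirm the image is a byte-exact copy before touching the original.
# Names (image_disk, src_size, dump.img) are illustrative assumptions.

src_size() {
    # Block devices report their size via blockdev; regular files via wc.
    if [ -b "$1" ]; then blockdev --getsize64 "$1"; else wc -c < "$1"; fi
}

image_disk() {
    img_src=$1
    img_dst=$2
    if [ ! -r "$img_src" ]; then
        echo "cannot read source: $img_src" >&2; return 2
    fi
    # dd cannot write to a mount point itself: the target must be a file on it.
    if [ -d "$img_dst" ]; then
        echo "$img_dst is a directory; give a file name inside it" >&2; return 3
    fi
    # Never overwrite an earlier dump.
    if [ -e "$img_dst" ]; then
        echo "$img_dst already exists" >&2; return 4
    fi
    need=$(src_size "$img_src") || return 2
    # Free space on the target filesystem (df -Pk prints 1 KiB blocks).
    avail_kb=$(df -Pk "$(dirname "$img_dst")" | awk 'NR==2 {print $4}')
    if [ $((avail_kb * 1024)) -lt "$need" ]; then
        echo "not enough space: need $need bytes" >&2; return 5
    fi
    dd if="$img_src" of="$img_dst" bs=4M 2>/dev/null || return 6
    sync
    # Hash both sides; a mismatch means the dump must not be trusted.
    h_src=$(sha256sum < "$img_src" | cut -d' ' -f1)
    h_dst=$(sha256sum < "$img_dst" | cut -d' ' -f1)
    if [ "$h_src" != "$h_dst" ]; then
        echo "hash mismatch between $img_src and $img_dst" >&2; return 7
    fi
    echo "$h_src"
}

# Usage on the rescue system (paths from the steps above):
#   image_disk /dev/sda /media/root/kingston/dump.img
```

On success the function prints the SHA-256 of the dump, which is worth writing down next to the key so the image can be re-checked later.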
(The post has been translated with explicit permission of hasherezade’s 1001 nights)
Source: Petya key decoder