
Online Tool Reportedly Rescues Victims of Petya Ransomware


Lester Coleman


Lester Coleman is a veteran business journalist based in the United States. He has covered the payments industry for several years and is available for writing assignments.


This article was posted on Monday, 05:03, UTC.

An online tool reportedly lets owners of computers infected by Petya, a new ransomware, recover their data without paying the ransom, according to betanews.


Petya, like KeRanger and TeslaCrypt 4, targets enterprise users. In addition, however, it encrypts the complete hard drive instead of just a selection of files. Also known as Ransom_Petya.A, Petya makes sure victims know their computers are infected: it overwrites the master boot record (MBR) so that a ransom note is displayed on reboot, uses military-grade encryption to lock users out of their files, and then directs them to a dark web site, reached through the Tor browser, to pay a bitcoin ransom.

Petya Overwrites MBRs

Petya, unlike TeslaCrypt 4, does not boast of having unbreakable encryption, but it does overwrite the MBR, which leaves no way to interact with the drive from the infected computer.

However, thanks to an online tool created by Leostone, the user can have the data back in seconds. The tool’s website, https://petya-pay-no-ransom.herokuapp.com/, states, “Get your petya encrypted disk back, without paying ransom!”


The user has to connect the infected drive to another computer, then extract some data from it:
• 512 bytes of verification data from sector 55 (0x37), offset 0 (0x0), converted to Base64
• the 8-byte nonce from sector 54 (0x36), offset 33 (0x21), also converted to Base64

The Petya Sector Extract will provide the data needed. The website has two fields into which the user pastes the requested data from the infected drive. Once this has been done, the user hits “submit” and waits a few seconds while the key is generated. After this, the user returns the infected drive to the original computer, restarts it, enters the key when prompted, and the drive is decrypted.
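The two values the decryption site asks for are fixed byte ranges on the raw disk, so they can be pulled from a disk image or an attached drive with a few lines of code. The following is an added example written for this article, not the Petya Sector Extract tool or the site's own code. It assumes standard 512-byte sectors (the article's sector numbers imply this), reads only sectors 0x36 and 0x37, and Base64-encodes the 8-byte nonce and the 512-byte verification block exactly as the two bullet points above describe. The disk image it builds in `build_sample_image()` is constructed for the demonstration.

```python
import base64

SECTOR_SIZE = 512          # assumed: standard 512-byte sectors
NONCE_SECTOR = 0x36        # sector 54: nonce at offset 0x21 (33), 8 bytes
VERIFY_SECTOR = 0x37       # sector 55: verification data at offset 0, 512 bytes
NONCE_OFFSET = 0x21
NONCE_LEN = 8
WINDOW_LEN = 2 * SECTOR_SIZE  # the two consecutive sectors we need


def fields_from_window(window: bytes) -> dict:
    """Take the 1024-byte window covering sectors 0x36 and 0x37 and return both
    values Base64-encoded, ready to paste into the site's two fields."""
    if len(window) != WINDOW_LEN:
        raise ValueError(f"window must be {WINDOW_LEN} bytes, got {len(window)}")
    nonce = window[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]           # inside sector 0x36
    verification = window[SECTOR_SIZE:SECTOR_SIZE + SECTOR_SIZE]    # all of sector 0x37
    return {
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
        "verification_b64": base64.b64encode(verification).decode("ascii"),
    }


def extract_petya_fields(image: bytes) -> dict:
    """Extract the fields from a complete raw disk image held in memory."""
    start = NONCE_SECTOR * SECTOR_SIZE
    if len(image) < start + WINDOW_LEN:
        raise ValueError("image is too small to contain sectors 0x36 and 0x37")
    return fields_from_window(image[start:start + WINDOW_LEN])


def extract_from_path(path: str) -> dict:
    """Extract the fields from a raw device or image file (e.g. a .img or a block
    device opened read-only) by seeking straight to sector 0x36; nothing else is read."""
    with open(path, "rb") as f:
        f.seek(NONCE_SECTOR * SECTOR_SIZE)
        window = f.read(WINDOW_LEN)
    return fields_from_window(window)


def build_sample_image() -> bytes:
    """Constructed sample: a 64-sector image with recognisable bytes in both fields."""
    img = bytearray(64 * SECTOR_SIZE)
    v = VERIFY_SECTOR * SECTOR_SIZE
    img[v:v + SECTOR_SIZE] = bytes(range(256)) * 2            # 512 bytes of verification data
    n = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[n:n + NONCE_LEN] = b"\x01\x02\x03\x04\x05\x06\x07\x08"  # 8-byte nonce
    return bytes(img)


if __name__ == "__main__":
    fields = extract_petya_fields(build_sample_image())
    print("nonce:       ", fields["nonce_b64"])
    print("verification:", fields["verification_b64"][:32], "...")
```

Run it against a real drive with `extract_from_path("/path/to/drive-or-image")` from a clean machine; reading only the two sectors avoids touching the rest of the encrypted disk, and taking a full image first keeps the original evidence intact.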

How Petya Spreads

Petya spreads through a combination of cloud storage and email, according to Trend Micro. It targets users with phony job-application emails that encourage them to download a file from Dropbox. Running that file installs Petya and causes a blue screen of death (BSoD).

In one of the samples Trend Micro examined, the Dropbox folder contained two files: the applicant’s photo and a self-extracting executable that appears to be the CV. Investigation revealed the photo is a stock image, likely used without the photographer’s permission.

If the user tries rebooting the PC, the modified MBR prevents Windows from loading normally and instead presents an ASCII skull and a demand to pay a certain amount of bitcoins or lose access to the computer and its files. The edited MBR also prevents restarting in safe mode.
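Because Petya's visible damage is an overwritten MBR, a simple defensive check is to record a hash of a machine's boot code while it is known-good and compare it later from a recovery environment. The example below is added for this article and is not from Trend Micro or any other project; it splits sector 0 into the standard MBR layout (boot code in the first 440 bytes, partition table at 446-509, 0x55AA signature at 510-511), reports whether the boot code differs from a stored baseline, and runs on two constructed 512-byte sectors rather than any real sample.

```python
import hashlib
from typing import Optional

SECTOR_SIZE = 512
BOOT_CODE_LEN = 440          # bytes 0-439: boot code (classic MBR layout)
PARTITION_TABLE = slice(446, 510)  # four 16-byte partition entries
BOOT_SIGNATURE = b"\x55\xaa"       # bytes 510-511


def boot_code_hash(sector0: bytes) -> str:
    """SHA-256 of the boot-code region only, so partition edits do not mask the result."""
    return hashlib.sha256(sector0[:BOOT_CODE_LEN]).hexdigest()


def mbr_report(sector0: bytes, baseline: Optional[str] = None) -> dict:
    """Summarise sector 0 and, when a baseline hash is given, flag boot-code changes."""
    if len(sector0) != SECTOR_SIZE:
        raise ValueError(f"sector 0 must be {SECTOR_SIZE} bytes, got {len(sector0)}")
    code_hash = boot_code_hash(sector0)
    return {
        "has_boot_signature": sector0[510:512] == BOOT_SIGNATURE,
        "boot_code_sha256": code_hash,
        "partition_table_sha256": hashlib.sha256(sector0[PARTITION_TABLE]).hexdigest(),
        "boot_code_changed": baseline is not None and code_hash != baseline,
    }


def read_sector0(path: str) -> bytes:
    """Read the first sector of a device or image file (open read-only)."""
    with open(path, "rb") as f:
        return f.read(SECTOR_SIZE)


def build_sample_sectors() -> tuple[bytes, bytes]:
    """Constructed samples: a 'known-good' sector 0 and one whose boot code was
    replaced while the partition table and signature were left untouched."""
    clean = bytearray(SECTOR_SIZE)
    clean[:16] = b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8\xbe\x00\x7c\xbf\x00"  # constructed boot-code bytes
    clean[446] = 0x80                         # first partition marked active
    clean[450] = 0x07                         # NTFS partition type
    clean[510:512] = BOOT_SIGNATURE
    modified = bytearray(clean)
    modified[:BOOT_CODE_LEN] = b"\x90" * BOOT_CODE_LEN  # boot code overwritten, rest intact
    return bytes(clean), bytes(modified)


if __name__ == "__main__":
    clean, modified = build_sample_sectors()
    baseline = boot_code_hash(clean)          # record this while the machine is known-good
    print("clean:   ", mbr_report(clean, baseline)["boot_code_changed"])
    print("modified:", mbr_report(modified, baseline)["boot_code_changed"])
```

Store the baseline hash off the machine; comparing from a boot CD or by attaching the drive to another computer, as the decryption procedure above already requires, means the check itself does not depend on the possibly compromised system.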

Users face a choice of either paying the ransom or losing access to their files unless there are backups.

Users are advised to be careful when following links or opening attachments, since no removal tool is available.

Featured image from Shutterstock.
