Online Tool Reportedly Rescues Victims of Petya Ransomware
Petya, like KeRanger and TeslaCrypt 4, targets enterprise users. But in addition, it encrypts complete hard drives instead of just a selection of files. Also known as Ransom_Petya.A, Petya ensures that victims are aware that their computers are infected. It overwrites the master boot record (MBR) to display a ransom note during reboot. It uses military-grade encryption to lock users out of their files. Then it directs users to the dark web via the Tor browser to make a bitcoin ransom payment.
Petya Overwrites MBRs
While Petya, unlike TeslaCrypt 4, does not boast of having unbreakable encryption, it does overwrite the MBR. There is no way to interact with the drive on the infected computer.
However, thanks to an online tool created by Leostone, the user can have the data back in seconds. The tool’s website, https://petya-pay-no-ransom.herokuapp.com/, states, “Get your petya encrypted disk back, without paying ransom!”
The user has to connect the infected drive to another computer, then extract some data from it:
• 512 bytes of verification data from sector 55 (0x37), offset 0 (0x0), of the disk, converted to Base64
• the 8-byte nonce from sector 54 (0x36), offset 33 (0x21), also converted to Base64
The Petya Sector Extractor will provide the data needed. The website has two fields into which the user pastes the data extracted from the infected drive. Once this has been done, the user hits “submit” and waits a few seconds while the key is generated. After this, the user returns the infected drive to the original computer, restarts it, enters the key when prompted, and the drive is decrypted.
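The two fields described above can be pulled from a raw image of the infected drive without any special tooling. The following is an added example, not code from the article, from Leostone, or from the Petya Sector Extractor; it assumes 512-byte sectors (consistent with the 512-byte verification block the article describes), a raw sector-by-sector dump of the drive, and the sector and offset values quoted in the list above. The sample image it builds is constructed for the example and contains no real Petya data.

```python
import base64

# Assumption: 512-byte sectors, so sector N starts at byte N * 512 of a raw image.
SECTOR_SIZE = 512

# Locations quoted in the article (sector, offset, length in bytes).
VERIFICATION_SECTOR, VERIFICATION_OFFSET, VERIFICATION_LENGTH = 0x37, 0x00, 512
NONCE_SECTOR, NONCE_OFFSET, NONCE_LENGTH = 0x36, 0x21, 8

# Only the first 56 sectors (0..55) are needed to reach both fields.
SECTORS_NEEDED = VERIFICATION_SECTOR + 1


def read_sector_bytes(image: bytes, sector: int, offset: int, length: int) -> bytes:
    """Return `length` bytes starting at `offset` inside `sector` of a raw disk image.

    Raises ValueError when the image is too short, so a truncated dump is
    reported instead of silently producing a wrong (short) Base64 field.
    """
    start = sector * SECTOR_SIZE + offset
    end = start + length
    if end > len(image):
        raise ValueError(f"image too short: need {end} bytes, have {len(image)}")
    return image[start:end]


def extract_petya_fields(image: bytes) -> dict:
    """Extract the two Base64-encoded fields the decryption site asks for."""
    verification = read_sector_bytes(
        image, VERIFICATION_SECTOR, VERIFICATION_OFFSET, VERIFICATION_LENGTH
    )
    nonce = read_sector_bytes(image, NONCE_SECTOR, NONCE_OFFSET, NONCE_LENGTH)
    return {
        "verification_b64": base64.b64encode(verification).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def extract_from_file(path: str) -> dict:
    """Read just the leading sectors of a raw drive image (or a block device) and extract."""
    with open(path, "rb") as f:
        image = f.read(SECTOR_SIZE * SECTORS_NEEDED)
    return extract_petya_fields(image)


def build_sample_image() -> bytes:
    """Constructed sample image: 56 zero-filled sectors with recognisable bytes planted
    where the article says the fields live. This is test data, not real Petya output."""
    image = bytearray(SECTOR_SIZE * SECTORS_NEEDED)
    # Sector 55: a 512-byte pattern 00 01 02 .. FF 00 01 .. FF.
    verification = bytes(range(256)) * 2
    image[VERIFICATION_SECTOR * SECTOR_SIZE : (VERIFICATION_SECTOR + 1) * SECTOR_SIZE] = verification
    # Sector 54, offset 33: an 8-byte constructed nonce.
    nonce = b"\x01\x23\x45\x67\x89\xab\xcd\xef"
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[start : start + NONCE_LENGTH] = nonce
    return bytes(image)


if __name__ == "__main__":
    fields = extract_petya_fields(build_sample_image())
    print("verification (Base64):", fields["verification_b64"])
    print("nonce (Base64):       ", fields["nonce_b64"])
```

In practice the drive is attached read-only to a clean machine and `extract_from_file` is pointed at the raw image or block device; the Base64 strings it returns are what gets pasted into the site's two fields. Reading only the first 56 sectors keeps the script from touching anything beyond the two regions it needs.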
How Petya Spreads
Petya spreads through a combination of the cloud and email, according to Trend Micro. It targets users by emailing phony job applications that encourage them to click through and download a Dropbox file. This installs Petya and causes a blue screen of death (BSoD).
In one of the samples Trend Micro examined, the Dropbox folder contained two files: the applicant’s photo and a self-extracting executable posing as the CV. Investigation revealed the photo is a stock image likely used without the photographer’s permission.
If the user tries rebooting the PC, the modified MBR prevents Windows from loading normally and presents an ASCII skull along with an order to pay a certain amount of bitcoins or lose access to the computer and its files. The edited MBR also prevents restarting in safe mode.
Users face a choice of either paying the ransom or losing access to their files unless there are backups.
Where no removal tool is available, users are advised to be careful when following links or opening attachments.