Keygen alert: free password generator released for PETYA ransomware
April 11, 2016
Shah Sheikh

The PETYA ransomware is just one of the recent examples of malware that encrypts victims’ hard drives until a fee is paid. The advice from the government is not to pay the ransom — or at least not expect to get a decryption key if you do — but a password generator has been created that means you can decrypt your hard drive for free.

While TeslaCrypt 4 boasts ‘unbreakable encryption’, the same cannot be said of PETYA, although the PETYA ransomware does have the irritating habit of overwriting MBRs. This does mean that there is no way to interact with the drive on the infected computer, but with access to a spare machine to read the drive and access to the online tool created by Leostone, you could have your data back in seconds. As the tool’s website proudly proclaims, you can “Get your petya encrypted disk back, WITHOUT paying ransom!!!” — here’s what you need to do.

The process is not something that everyone will be able to follow — it is a little technical — but it’s worth persevering (hat tip to Bleeping Computer for the heads up!) to avoid coughing up any Bitcoin. You’ll need to connect the infected drive to another computer and extract a couple of pieces of data from it, specifically:
  • 512 bytes of verification data from sector 55 (0x37), offset 0 (0x0) of the disk, converted to Base64
  • 8-byte nonce from sector 54 (0x36), offset 33 (0x21), also converted to Base64

To help with this, you can use the specially written Petya Sector Extractor, which will pull out the data you need.
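As an added example (this is not the Leostone tool or the Petya Sector Extractor), the following Python reads the two fields listed above from a raw disk or a dd image and Base64-encodes them. It assumes 512-byte sectors, as the article's byte counts imply, and builds a constructed sample image so it can be run offline.

```python
import base64
import io

SECTOR_SIZE = 512        # assumption: 512-byte sectors, matching the article's byte counts
VERIFY_SECTOR = 0x37     # sector 55, offset 0: 512 bytes of verification data
NONCE_SECTOR = 0x36      # sector 54, offset 0x21 (33): 8-byte nonce
NONCE_OFFSET = 0x21
NONCE_LEN = 8

def _read_at(f, offset: int, length: int) -> bytes:
    """Seek to an absolute byte offset and read exactly `length` bytes."""
    f.seek(offset)
    chunk = f.read(length)
    if len(chunk) != length:
        raise ValueError(f"short read at offset {offset}: {len(chunk)} of {length} bytes")
    return chunk

def extract_petya_fields(f) -> dict:
    """Return the two Base64 strings the Leostone form asks for.

    `f` is a binary file object on the raw infected disk (e.g. open('/dev/sdb', 'rb')
    on Linux) or on a dd image of it; only the bytes needed are read."""
    verification = _read_at(f, VERIFY_SECTOR * SECTOR_SIZE, SECTOR_SIZE)
    nonce = _read_at(f, NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET, NONCE_LEN)
    return {
        "verification_b64": base64.b64encode(verification).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }

def extract_from_bytes(data: bytes) -> dict:
    """Convenience wrapper for an image already held in memory."""
    return extract_petya_fields(io.BytesIO(data))

def build_sample_image() -> bytes:
    """Constructed stand-in for an infected disk: 64 zeroed sectors with
    recognisable bytes planted where the article says the fields live."""
    img = bytearray(64 * SECTOR_SIZE)
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[start:start + NONCE_LEN] = b"NONCE-01"
    start = VERIFY_SECTOR * SECTOR_SIZE
    img[start:start + SECTOR_SIZE] = bytes(range(256)) * 2
    return bytes(img)

if __name__ == "__main__":
    import sys
    # With a device or image path as argument the real drive is read; without one
    # the constructed sample is used so the script runs offline.
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else io.BytesIO(build_sample_image())
    fields = extract_petya_fields(src)
    print("verification data (Base64):", fields["verification_b64"])
    print("nonce (Base64):", fields["nonce_b64"])
```

A short read raises ValueError rather than returning a padded or truncated field, so a bad image or wrong device is caught before anything is pasted into the web form.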

Fire up your web browser and pay a visit to Leostone’s decryption website, where you’ll find two fields into which you can paste the requested data from the infected drive.

With this done, hit Submit and wait for a few seconds while your key is generated. Return the infected drive to its original computer, fire it up, enter the key when prompted, and the drive should be decrypted. For free!

Source | BetaNews