❗❗❗ATTENTION❗❗❗
Please use the LATEST version of the decoder, available here:
CODE
Source code of my applications related to recovery from Petya attacks
NEWS
[05 July 2017]
The author of the original Petya malware released his master key. Read more details here: https://blog.malwarebytes.com/cybercrime/2017/07/the-key-to-the-old-petya-has-been-published-by-the-malware-author/. WARNING: the key works only for the original Petya, not for the Petya-based malware known from the recent attacks on Ukraine (since, in this particular case, the individual key is destroyed after use and cannot be recovered).
My tool for decrypting individual keys using the published master key is available here: https://github.com/hasherezade/petya_key
[17 July 2016]
A new (third) version of Petya has been released; the current solutions no longer work. It looks exactly like the previous (green) Petya, but contains fixes in the cryptography implementation and different Stage 1 keys. More info here.
[02 June 2016]
Procrash prepared a brute-forcer for the Green Petya key (multi-threaded, with GPU support for high performance). Source code available here: https://github.com/procrash/petya-green-multicore. Cracking the key takes about 3 days.
[20 May 2016]
I found a weakness in Green Petya's Salsa20 implementation (only 8 out of 16 characters of the key matter; read more here). I made a prototype decoder performing a randomized attack on the key.
[ 14 May 2016 ]
I added support for the new (green) version of Petya to the antipetya live CD; again the key can be recovered from Stage 1. Unfortunately, there is no solution for Stage 2 so far.
[ 12 May 2016 ]
A new (green) version of Petya has been released – the current solutions no longer work.
[ 21 April 2016 ]
m0rb packaged my tools into antipetya_multi.iso; now recovering the Stage 2 key is simpler and faster (no Kali Linux required). You can see it in action in the video:
[ 18 April 2016 ]
I made a much faster way to recover the key from Stage 1. Read more: https://hshrzd.wordpress.com/2016/04/20/anti-petya-live-cd-the-fastest-stage1-key-decoder/
[ 17 April 2016 ]
AlexWMF reimplemented leo-stone's idea in C++ and integrated it with my code. (Thanks!) You can find the new version here: petya_recovery (64-bit ELF). I updated the tutorial to describe the new feature.
[ 8 April 2016 ]
Petya at Stage 2 has been cracked by leo-stone. Read more: https://petya-pay-no-ransom.herokuapp.com/ and https://github.com/leo-stone/hack-petya. Congratulations to the author! I updated my decoder: now, if it cannot give you the Stage 1 key, it will give you the data necessary to supply to Leo's web application: [1] or [2]
[ 31 March 2016 ]
I made a decoder for the key of the Petya ransomware. It works for Stage 1 of the encryption, i.e. if the system was not rebooted after the infection. Research into the possibility of decrypting Stage 2 is in progress.
My research is possible thanks to Malwarebytes.
Disclaimer: This tool is an experiment in unlocking a particular kind of ransomware; neither Malwarebytes nor Hasherezade promises this tool will help in your particular case. This tool should not be considered an official solution to the Petya problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.
TUTORIAL
WARNING: The Stage 2 decoder works only for the Red Petya!
You can download the decoder's binary here (it is a 64-bit ELF). Source code is available here.
A few tips
If you opened some executable downloaded from the Internet and your system crashed, it could be an attack of the PETYA RANSOMWARE.
It is best if you do not let the system reboot after the blue screen: the Stage 1 key can be recovered only as long as the infected boot code has not run. Windows restarts automatically after a crash by default, so disabling automatic restart after a system failure in advance helps. However, even if you did not manage to catch Petya at the proper time, there is still a chance to recover your data.
What to do:
1) From another computer, download e.g. the Kali Linux 64-bit ISO (https://www.kali.org/downloads/) and burn it to a DVD.
2) Boot the computer that crashed from this DVD and choose forensic mode (it does not auto-mount or write to the internal disk).
3) Now your original hard disk should be detected. Find its identifier, e.g. using:
fdisk -l
Sample output:
Device     Boot Start End Sectors Size Id Type
/dev/sda1  *    [....]
This means your disk is sda.
4) Download the decoder and make it executable (chmod +x decoder). Run it against the whole disk, not a partition:
./decoder /dev/sda
It will tell you if known symptoms of Petya have been detected on your disk:
[+] Petya bootloader detected!
[+] Petya http address detected!
[+] Petya FOUND on the disk!
---
If you managed to catch Petya at Stage 1, the decoder will give you the key directly:
Key: 8fb9GLT7qkQJ5hBu
[OK] Stage 1 key recovered!!
Otherwise, we need to recover from Stage 2. It may take up to a few minutes. Each line shows a candidate key and a score that decreases as the search converges; wait until your key appears:
[+] Trying to decrypt... Please be patient...
ugxwErH4 89
hiSwhrau 77
ugdwErH4 74
hiSwhra4 69
ugdPErH4 67
hiSw1ra4 62
hgSPErH4 59
hiSw1raB 56
gAf31aib 51
hcfw1raB 48
hAf31aib 42
XqfJ115b 38
XPgK115b 37
Xac4115b 35
XaFF1A5e 32
AaFD1Q5B 28
xa8D1Q5B 26
xaM51Q5B 25
x4Gu1Q5B 24
xbGu1Q5F 22
xbG41Q1r 21
xbGt1QuB 18
8bGTqQ5B 0
[+] Key generation finished
[+] Validation passed
[+] YOUR KEY: 8xbxGxTxqxQx5xBx
Note that the reported 16-character key is the final 8-character candidate (score 0) with an x inserted after every character; enter it exactly as printed.
5) Copy or write down the resulting key. It is very important for recovery!
6) Even if the decoder gave you a key, new Petya versions may come with changes. That is why I cannot guarantee that this key will be valid for you!
I strongly recommend that you make a full dump of the disk before entering any key, so that a wrong key cannot cost you the data.
First mount an external disk of appropriate capacity, then dump the full disk there:
dd if=[input] of=[output]
Example (dump an image of the infected disk into a file stored on the external disk; in my case the external disk was mounted as kingston):
dd if=/dev/sda of=/media/root/kingston/disk_dump.bin
You can also clone one disk onto another: read more here.
After that, you can reboot your system from the disk. If the Petya screen appears, supply the key that you got from the decoder:
After entering the key, Petya will inform you about the progress of decrypting your system. Wait for the decryption to finish; it will tell you when you can reboot the computer. After that, your system should boot normally.
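The dd step above is the one that protects you if the recovered key turns out to be wrong. The script below is an added example (not the page's decoder or the author's code) that wraps that step in a small POSIX shell function and verifies the copy: it images the disk sector by sector, compares the CRC of the first sector (the MBR, where Petya's bootloader lives) between source and image, and checks that the sector still carries the 0x55AA boot signature. The device and output paths are assumptions taken from the page's example (/dev/sda and /media/root/kingston); the helper names are mine.

```shell
#!/bin/sh
# Added example, not the page's decoder: image the suspect disk with dd before
# trying any recovery, then check the copy. Device and output paths are
# assumptions; on the page the infected disk is /dev/sda and the external
# disk is mounted under /media/root/kingston.
set -u

# CRC of the first sector (the MBR, where Petya's bootloader lives).
# cksum and cut are POSIX, so this works in a minimal live-CD shell.
mbr_sum() {
    dd if="$1" bs=512 count=1 2>/dev/null | cksum | cut -d' ' -f1
}

# Print "yes" if the first sector ends with the 0x55AA boot signature,
# "no" otherwise. Without it the machine will not even reach Petya's screen.
has_boot_signature() {
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ] && echo yes || echo no
}

# Copy SRC to IMG sector by sector. conv=noerror keeps going past unreadable
# sectors and conv=sync pads them with zeros so later offsets stay aligned;
# a larger bs would be faster but pads a whole block per read error.
image_disk() {
    src="$1"
    img="$2"
    dd if="$src" of="$img" bs=512 conv=noerror,sync 2>/dev/null || return 1
    # the copy is only useful if its first sector is identical to the original
    [ "$(mbr_sum "$src")" = "$(mbr_sum "$img")" ] || return 1
    return 0
}

# Usage on the live CD, as root, with the paths from the page:
#   image_disk /dev/sda /media/root/kingston/disk_dump.bin && has_boot_signature /dev/sda
```

Run it from the live CD as root against the whole device (/dev/sda, not /dev/sda1): the Petya boot code sits in the first sectors of the disk, outside any partition, so a partition image would miss exactly the data the decoder and a later restore need.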
Well, its use is limited to 'on purpose testing': by default Windows will reboot after the BSOD (unless you disabled it) caused by Petya's NtRaiseHardError call, and the encryption process will start.
At Stage 1 you can restore the boot loader and bootmgr as well, instead of letting the malware execute and providing it with a key.
Also, you could use the search method used by the malware to find the structure where the key resides.
Anyway good work! Keep it up 😉
Sure, I am not claiming that this is the ultimate solution for the Petya problem. Just one of the possible ways to recover from Stage 1. Anyway, turning off automatic restart after a system failure is recommended.
Pingback: Decrypt Petya Ransomware Encrypted HDD for Free
Pingback: Petya key decoder #ransomware – Security Lock – Information Security Belo Horizonte MG / We serve all of Brazil
Pingback: Petya: Taking Ransomware to the Low Level | 邪恶十六进制
Have you seen https://github.com/leo-stone/hack-petya ?
yes, sure. it is great
Pingback: Cyber Watch No. 72 – 11 April 2016
Good work dude! Keep going 😉
I have built up on leo-stone's code with a proper cryptanalysis; you can see the results at http://klondike.es/klog/2016/04/12/cryptanalyzing-petya/
Maybe that can help you recovering the keys from your own tool 🙂
Pingback: Another helper tool for breaking the Petya ransomware – Cuidando Tu Negocio
Pingback: Petya key decoder – Leonardo Musumeci
Pingback: Decrypt Petya Encrypted PC via Bootable Disk | SME IT guy
Pingback: Overview of ransomware in 2016 – CONIX Cybersécurité
Pingback: Recovery from Petya ransomware - spyware virus removal
Just for your information:
It seems there is a new version of Petya. Encryption stops with the tool; if you try it online it starts again and again and again!
I can confirm, there is another version of Petya, the green version, and nothing seems to work for it.
Will there be a live CD for the green Petya for brute-force cracking the key? You posted it earlier here on your site, but now this text can't be found anymore.
If you provide me with a sample of the green one, I'll help you decrypt the key.
I am not sure if he needs it anymore. But for quite some time there has been a new decoder available for all versions of Petya (Live CD included): https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/
Pingback: Cybercriminals Piggyback on Petya Ransomware | Antivirus and Security news