Source code of my applications related to recovery from Petya attacks
[05 July 2017]
The author of the original Petya malware released his master key. Read more details here: https://blog.malwarebytes.com/cybercrime/2017/07/the-key-to-the-old-petya-has-been-published-by-the-malware-author/. WARNING: the key works only for the original Petya, not for the Petya-based malware known from the recent attacks on Ukraine (since, in this particular case, the individual key is destroyed after use and cannot be recovered).
My tool for decryption of individual keys, using the published master key is available here: https://github.com/hasherezade/petya_key
[17 July 2016]
A new (third) version of Petya has been released – the current solutions no longer work. It looks exactly like the previous (green) Petya, but contains fixes in the cryptography implementation and different Stage 1 keys. More info here.
[02 June 2016]
Procrash prepared a brute-forcer for the Green Petya key (using multi-threading and the GPU for high performance). Source code available here: https://github.com/procrash/petya-green-multicore. Cracking the key takes about 3 days.
[20 May 2016]
I found a weakness in Green Petya’s Salsa20 implementation (only 8 out of 16 characters of the key matter – read more here). I made a prototype decoder performing a random attack on the key.
[14 May 2016]
I added support for the new (green) version of Petya to the antipetya live CD – again the key can be recovered from Stage 1 – unfortunately, there is no solution for Stage 2 so far.
[12 May 2016]
A new (green) version of Petya has been released – the current solutions no longer work.
[18 April 2016]
I made a much faster way to recover the key from Stage 1. Read more: https://hshrzd.wordpress.com/2016/04/20/anti-petya-live-cd-the-fastest-stage1-key-decoder/
[17 April 2016]
AlexWMF reimplemented leo-stone‘s idea in C++ and integrated it with my code. (Thanks!) You can find the new version here: petya_recovery (64 bit ELF) – I updated the tutorial to describe the new feature.
[8 April 2016]
Petya at Stage 2 has been cracked by leo-stone. Read more: https://petya-pay-no-ransom.herokuapp.com/ and https://github.com/leo-stone/hack-petya. Congratulations to the author! I updated my decoder – now if it cannot give you the Stage 1 key, it will give you the data necessary to supply to Leo’s web application.
[31 March 2016]
I made a decoder for the key of the Petya ransomware. It works for Stage 1 of encryption – if the system was not rebooted after the infection. Research on the possibility of decrypting Stage 2 is in progress.
My research is possible thanks to Malwarebytes.
Disclaimer: This tool is an experiment in unlocking a particular kind of ransomware; neither Malwarebytes nor Hasherezade promise this tool will help in your particular case. This tool should not be considered an official solution to the Petya problem. Any files destroyed, further encrypted or otherwise tampered with against the desire of the user are not the responsibility of the developers. Please use at your own risk.
WARNING: The Stage 2 decoder works only for the Red Petya!
If you opened some executable downloaded from the Internet and your system crashed, it may be an attack of PETYA RANSOMWARE.
It is best not to let the system reboot after the blue screen. However, even if you didn’t manage to catch Petya at the proper time, there is still a chance to recover your data.
What to do:
1) From another computer download e.g. a Kali Linux ISO (64 bit) (https://www.kali.org/downloads/) and burn it to a DVD.
2) Boot the computer that crashed from this DVD and choose forensic mode.
3) Now your original hard disk should be mounted. Find its identifier, e.g. using:
Device Boot Start End Sectors Size Id Type
/dev/sda1 * [....]
This means your disk is sda.
4) Download the decoder and make it executable (chmod +x decoder). Run it:
It will tell you if known symptoms of Petya have been detected on your disk:
[+] Petya bootloader detected!
[+] Petya http address detected!
[+] Petya FOUND on the disk!
---
If you managed to catch Petya at Stage1, this decoder will give you a key directly:
Key: 8fb9GLT7qkQJ5hBu
[OK] Stage 1 key recovered!!
Otherwise, we need to recover from Stage 2. It may take up to a few minutes. Wait until your key appears:
[+] Trying to decrypt... Please be patient...
ugxwErH4 89
hiSwhrau 77
ugdwErH4 74
hiSwhra4 69
ugdPErH4 67
hiSw1ra4 62
hgSPErH4 59
hiSw1raB 56
gAf31aib 51
hcfw1raB 48
hAf31aib 42
XqfJ115b 38
XPgK115b 37
Xac4115b 35
XaFF1A5e 32
AaFD1Q5B 28
xa8D1Q5B 26
xaM51Q5B 25
x4Gu1Q5B 24
xbGu1Q5F 22
xbG41Q1r 21
xbGt1QuB 18
8bGTqQ5B 0
[+] Key generation finished
[+] Validation passed
[+] YOUR KEY: 8xbxGxTxqxQx5xBx
5) Copy or write down the resulting key. It is very important for recovery!
6) Even if the decoder gave you a key, new Petya versions may come with changes. That’s why I cannot guarantee that this key will be valid for you!
I strongly recommend making a dump of the full disk.
First mount an external disk of appropriate capacity and then dump the full disk there:
dd if=[input] of=[output]
Example (dump an image of the infected disk into a file stored on the external disk – in my case the external disk was mounted as kingston):
dd if=/dev/sda of=/media/root/kingston/disk_dump.bin
You can also clone one disk on another – read more here.
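Imaging the infected disk before trying the key, as an added shell example (mine, not part of hasherezade's petya_recovery tools): it wraps the dd step above, refuses to write the image onto a filesystem that lives on the source device itself, and checks the finished image against the source by SHA-256. The source device and destination path are passed as arguments; the tools used (df, awk, sha256sum, dd) are assumed to be on the live CD.

```shell
#!/bin/sh
# Added example for the "dump the full disk" step; not hasherezade's code.

# Device node of the filesystem holding path $1 (its parent directory is
# used when the file does not exist yet, e.g. a dump that is about to be
# created).
fs_device() {
    p="$1"
    [ -e "$p" ] || p=$(dirname "$p")
    df -P "$p" | awk 'NR == 2 { print $1 }'
}

# Return 0 when source $1 and image $2 have the same SHA-256.
verify_image() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$(sha256sum "$2" | cut -d' ' -f1)" ]
}

# Dump $1 to $2 with dd and verify the result. When the source is a block
# device (e.g. /dev/sda), refuse a destination whose filesystem sits on
# that same device (e.g. /dev/sda1), which would overwrite the evidence
# being imaged.
dump_disk() {
    src="$1"; dst="$2"
    if [ -b "$src" ]; then
        case "$(fs_device "$dst")" in
            "$src"*) echo "refusing: $dst lives on $src itself" >&2; return 2 ;;
        esac
    fi
    dd if="$src" of="$dst" bs=4M || return 1
    verify_image "$src" "$dst"
}
```

Usage on the live CD follows the page's own example: dump_disk /dev/sda /media/root/kingston/disk_dump.bin, and a non-zero exit means the image did not verify.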
After that, you can reboot your system from the disk. If the Petya screen appears, supply the key that you got from the decoder:
After entering the key, Petya will inform you about the progress of decrypting your system. Wait for the decryption to finish. It will inform you when you can reboot the computer. After that, your system should boot normally.