❗❗❗ATTENTION❗❗❗
Please use the LATEST version of the decoder, available here:
UPDATE: on 17th July a new version of Petya was released. At the moment there is no way to decrypt the disk. Don’t let the infection reach Stage 2!
Please first read Petya key decoder for more background information.
If you opened some executable downloaded from the Internet and your system crashed, it may be an attack of the PETYA RANSOMWARE.
Please do not let the system reboot from the hard disk! It will cause the infection to progress.
Run your computer from a live CD (e.g. Kali Linux) and make a backup of the full disk, writing the image to a separate, uninfected drive. Example:
dd if=/dev/sda of=dump.bin bs=512
If you caught Petya at Stage 1, your files are still untouched and there is a chance to save them.
Petya detector in form of a bootloader:
With the help of this small tool you can easily check whether Petya is present on your disk. In the case of Petya versions 1 and 2 it can also recover the Stage 1 key.
ISO: antipetya.iso
BIN: antipetya.bin
Source code : https://github.com/hasherezade/petya_recovery/tree/master/stage1_asm
In order to use it, just (from a different computer) download the antipetya.iso, burn it on a CD and boot your machine from the CD.
Alternatively, instead of a CD you can use a flash disk. In this case you need to write antipetya.bin onto the flash disk. Example (using Linux):
1. Log in as root.
2. Check how your flash disk is represented in the system (e.g. with lsblk). Make sure you pick the flash disk and not the infected disk or your system disk: dd overwrites the first sector of whatever device you give it.
If the flash disk is /dev/sdb:
dd if=antipetya.bin of=/dev/sdb bs=512 count=1
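The dd command above writes blindly, so a typo in the device name wipes the boot sector of the wrong disk. The script below is an added example (not part of the original post or the petya_recovery repository) that wraps the same write with the checks a practitioner would want: it refuses images that are not exactly one 512-byte sector, refuses images without the 0x55AA boot signature, refuses devices with mounted partitions, and reads the sector back after writing to verify it. The device path is a placeholder you substitute for your flash disk.

```shell
#!/bin/sh
# Added example: safely write a 512-byte boot sector image (such as
# antipetya.bin) to a target block device, then verify the write.
# Not part of the original post. Usage: write_boot_sector antipetya.bin /dev/sdX

write_boot_sector() {
    img="$1"
    dev="$2"

    # The image must be exactly one sector (512 bytes); anything else is not an MBR.
    size=$(wc -c < "$img" | tr -d ' ')
    if [ "$size" -ne 512 ]; then
        echo "refusing: $img is $size bytes, expected 512" >&2
        return 1
    fi

    # A bootable MBR ends with the 0x55 0xAA signature at offset 510.
    sig=$(od -An -tx1 -j510 -N2 "$img" | tr -d ' \n')
    if [ "$sig" != "55aa" ]; then
        echo "refusing: $img has no 55AA boot signature (got '$sig')" >&2
        return 1
    fi

    # Never overwrite a device that has mounted partitions (e.g. the system disk).
    if grep -q "^$dev" /proc/mounts 2>/dev/null; then
        echo "refusing: $dev has mounted partitions" >&2
        return 1
    fi

    # Write exactly one sector. conv=notrunc keeps a regular file's size intact
    # when testing against an image file instead of a real device.
    dd if="$img" of="$dev" bs=512 count=1 conv=notrunc 2>/dev/null || return 1
    sync

    # Read the sector back and compare it byte-for-byte with the image.
    if ! dd if="$dev" bs=512 count=1 2>/dev/null | cmp -s - "$img"; then
        echo "verification failed: sector on $dev does not match $img" >&2
        return 1
    fi
    echo "wrote and verified boot sector on $dev"
}
```

Run it as root with the flash disk's device node; if any check fails, nothing is written. You can rehearse it safely against a plain file (e.g. an image created with dd from /dev/zero) before touching a real device.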
The tool will give you quick info on whether your bootloader has been replaced by Petya's bootloader.
In the case of Petya versions 1 and 2 it will also give you the Stage 1 key automatically:
Output of Antipetya Live CD (Stage 1):
Write down this key. This is the same key that Petya uses to encrypt/decrypt your data:
If Petya has already erased the key, the bootloader will inform you of this. In the case of Red Petya, your disk can still be decrypted at Stage 2; you can read about it here: Stage2 decoder. Unfortunately, this recovery procedure does not work for the current Green version.
Do you maybe have a solution for the Green Petya if the encryption has already been done?
Hi. So far the only solution for Green Petya known to me is brute force, or possibly a random attack. Recently I wrote its analysis for Malwarebytes, you can read it here: https://blog.malwarebytes.org/threat-analysis/2016/05/petya-and-mischa-ransomware-duet-p1/ Also, I made a tool for a random attack – but it is way too slow (it can take weeks/months to crack it): https://github.com/hasherezade/petya_green. I hope some better idea can pop up in the future.
How do I make an ISO out of these files for the random attack (green one)?
In brief: first you need to compile the code to a Linux binary and then you can run it, e.g. using a Kali Linux Live CD. But I know it can be troublesome for some people. Soon I will prepare a Live CD and post about it.