Anti-Petya live CD (the fastest Stage1 key decoder)


UPDATE: on 17th July a new version of Petya was released. At the moment there is no way to decrypt a disk encrypted by it. Don't let the infection reach Stage 2!

Please read the Petya key decoder post first for more background information.


If you opened an executable downloaded from the Internet and your system crashed, it may be an attack by the PETYA RANSOMWARE.

Please do not let the system reboot from the hard disk! That will cause the infection to progress: the fake CHKDSK screen shown after the reboot is Stage 2, where Petya encrypts the MFT.

Boot your computer from a live CD (e.g. Kali Linux) and make a backup of the full disk. Example:

dd if=/dev/sda of=dump.bin bs=512

If you caught Petya at Stage 1, your files are still untouched and there is a chance to save them.

Petya detector in the form of a bootloader:

With the help of this small tool you can easily check whether Petya's bootloader is present on your disk. In the case of Petya versions 1 and 2 it can also recover the Stage 1 key.

ISO: antipetya.iso
BIN: antipetya.bin

Source code :  https://github.com/hasherezade/petya_recovery/tree/master/stage1_asm

In order to use it, just download antipetya.iso (from a different, clean computer), burn it to a CD and boot the infected machine from that CD.


Alternatively, instead of a CD you can use a flash disk. In this case you need to write antipetya.bin onto the flash disk. Example (using Linux):
1. Log in as root.
2. Check how your flash disk is represented in the system (e.g. with lsblk). Make sure you pick the flash disk and not the infected hard disk: the command below overwrites the first sector of whatever device you name.
If the flash disk is /dev/sdb:

dd if=antipetya.bin of=/dev/sdb bs=512 count=1
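The backup and flash-disk steps above, wrapped as an added example script (not code from this post or from hasherezade's petya_recovery repository): it images a disk sector by sector and records a SHA-256 of the dump, checks that a bootloader image is exactly one 512-byte sector ending in the 0x55AA boot signature before writing it, and reads the first sector back to confirm the write. The device paths are placeholders, and the functions accept plain files so they can be tried on a loop image first.

```shell
#!/bin/sh
# Added example, not code from hasherezade's petya_recovery repository.
# Wraps the two dd steps from the post: image the infected disk, and write
# the antipetya.bin boot sector to a flash disk with checks around it.
# Device names (/dev/sda, /dev/sdb) are placeholders; confirm them with lsblk.
set -eu

# backup_disk <source device or file> <output image>
# Copies every sector (conv=noerror,sync keeps going over unreadable sectors,
# padding them with zeros) and records a SHA-256 so the dump can be verified later.
backup_disk() {
    dd if="$1" of="$2" bs=512 conv=noerror,sync 2>/dev/null
    sha256sum "$2" > "$2.sha256"
    sha256sum -c "$2.sha256" >/dev/null
}

# check_boot_sector <file>
# Succeeds only if the file is exactly one 512-byte sector whose last two
# bytes are the 0x55 0xAA boot signature the BIOS requires.
check_boot_sector() {
    [ "$(wc -c < "$1")" -eq 512 ] || return 1
    sig=$(dd if="$1" bs=1 skip=510 count=2 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$sig" = "55aa" ]
}

# write_boot_sector <boot image> <target device or file>
# Refuses a malformed image, writes one sector (conv=notrunc so a target
# file is not truncated), then reads the sector back and compares it.
write_boot_sector() {
    check_boot_sector "$1" || { echo "not a valid boot sector: $1" >&2; return 1; }
    dd if="$1" of="$2" bs=512 count=1 conv=notrunc 2>/dev/null
    sync
    dd if="$2" bs=512 count=1 2>/dev/null | cmp -s - "$1"
}

# Typical use from the live CD (placeholders; run only after lsblk):
#   backup_disk /dev/sda dump.bin
#   write_boot_sector antipetya.bin /dev/sdb
```

The signature check stops you from writing a truncated or wrong download, but nothing in the script stops you from naming the wrong device, so check lsblk before calling write_boot_sector with a real /dev path.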

The tool will tell you immediately whether your bootloader has been replaced by Petya's bootloader.
In the case of Petya versions 1 and 2 it will also print the Stage 1 key automatically:

Output of the Anti-Petya Live CD (Stage 1):

[screenshot: the Anti-Petya bootloader reporting the Stage 1 key]

Write down this key. This is the same key that Petya asks for on its Stage 2 screen, and entering it there decrypts your data:

[screenshot: the Stage 1 key entered into Petya's decoding prompt]

If Petya has already erased the key, the bootloader will inform you of this fact. In the case of Red Petya your disk can still be decrypted at Stage 2; you can read about it here: Stage2 decoder. Unfortunately, this recovery procedure does not work for the current Green version.

About hasherezade

Programmer and researcher, interested in InfoSec.
This entry was posted in Malware, Malware Decryptor, Tools.

5 Responses to Anti-Petya live CD (the fastest Stage1 key decoder)

  1. Udo says:

    Do you maybe have a solution for the green Petya if the encryption has already been done?

  2. Noah says:

    How do I make an ISO out of these files for a random attack (green one)?

    • hasherezade says:

      In brief: first you need to compile the code to a Linux binary, and then you can run it, e.g. using a Kali Linux Live CD. But I know it can be troublesome for some people. Soon I will prepare a Live CD and post about it.

  3. Pingback: Is the SATANA RANSOMWARE virus coming to us soon
