Experts crack nasty ransomware that took crypto-extortion to new heights

April 11, 2016 – 5:29 PM

A nasty piece of ransomware that took crypto-extortion to new heights contains a fatal weakness that allows victims to decrypt their data without paying the hefty ransom.

When it came to light two weeks ago, Petya was notable because it targeted a victim’s entire startup drive by rendering its master boot record inoperable. It accomplished this by encrypting the master boot file and displaying a ransom note. As a result, without the decryption password, the infected computer wouldn’t boot up, and all files on the startup disk were inaccessible. A master boot record is a special type of boot sector at the very beginning of partitioned hard drive, while a master boot file is a file on NTFS volumes that contains the name, size and location of all other files.Petya performs fake CHKDSK, and instead encrypts the master file table on disk.

Now, someone who goes by the Twitter handle @leostone has devised a tool that generates the password Petya requires to decrypt the master boot file. To use the password generator, victims must remove the startup drive from the infected computer and connect it to a separate Windows computer that’s not infected. The victim then extracts data from the hard drive, specifically (1) the base-64-encoded 512 bytes starting at sector 55 (0x37h) with an offset of 0 and (2) the 64-bit-encoded 8-byte nonce from sector 54 (0x36) offset 33 (0x21). By inputting the data into this Web app created by @leostone, the victim can retrieve the password Petya used to decrypt the crucial file.

Obtaining the hard drive data the Web app needs to derive the password isn’t a straight-forward undertaking for many. Fortunately, a separate researcher has developed a free tool called the Petya Sector Extractor that obtains the data in seconds. The app must be run on the computer that’s connected to the infected hard drive.


You must be logged in to post a comment.