The master key to the original version of the Petya ransomware – not to be confused with the latest and massive Petya/ExPetr outbreak that swept through the Ukraine and parts of Europe last month – has been released, allowing all the victims of previous Petya attacks to unscramble their encrypted files.
According to researchers, the author of the original Petya ransomware, which goes by the pseudonym Janus, made the key available on Wednesday.
“Similarly to the authors of TeslaCrypt, (Janus) released his private key, allowing all the victims of the previous Petya attacks, to get their files back,” wrote Hasherezade, a researcher for MalwareBytes that posted her finding on Thursday.
Further analysis of the master key by Kaspersky Lab research analyst Anton Ivanov confirmed the key unlocks Petya ransomware and early versions the GoldenEye ransomware.
“The published #Petya master key works for all versions including #GoldenEye,” tweeted Ivanov.
According to Hasherezade, GoldenEye ransomware was first created by Petya author Janus in 2016. It was the fourth version based on the Petya code. This year, the “compiled application” was stolen and modified by another threat actor.
That latest version of the malware, based on pirated GoldenEye code, was believed used in last month’s wiper outbreak that originated in the Ukraine. Unlike previous versions, this version lacked the ability to decrypt effected systems and was considered wiper malware. It goes by various names such as Not Petya, ExPetr, Eternal Petya, and sometimes GoldenEye, Hasherezade said.
Petya is crypto-malware that is known for targeting a victim’s Master Boot Record instead of files stored on the computer, network shares or backups that the computer may have access to. The ransomware has demanded around $400 in Bitcoin for the decryption key.
In April 2016, researchers developed a unique decryption tool that allowed most victims to generate a key to decrypt early Petya ransomware versions. A Twitter user by the name @leostone came up with the genetic algorithm to generate passwords and a security researcher at Emsisoft, created an executable designed to extract data from infected Petya drives.
Petya’s author subsequently updated the ransomware preventing those earlier decryption tools from working.
“Thanks to the currently published master key, all the people who have preserved the images of the disks encrypted by the relevant versions of Petya, may get a chance of getting their data back,” Hasherezade wrote.