Researchers have been combing through code related to the Petya ransomware long enough they’ve been able to cobble together a decryption tool that should allow most victims to generate keys in less than 10 seconds.
A Twitter user who goes by the handle @leostone came up with a genetic algorithm on Friday to generate passwords and subsequently put together a site to help victims generate keys.
Hurray!!! Its official, the found key is working!!!
I'll update the github with the genetic version, keys will be found in less than a min:)— leostone (@leo_and_stone) April 8, 2016
Users can generate a decryption key, providing they can supply the tool with information from their infected drive.
While this can be a fickle task for the average user, Fabian Wosar, a security researcher at Emsisoft, created an executable over the weekend designed to extract data from infected Petya drives and expedite the process.
Lawrence Abrams, a computer forensics expert who blogs at BleepingComputer.com and has been following the ransomware’s saga, put together a guide on how to use the tool Sunday.
Abrams claims the tool scans the affected drive for the Petya bootcode, automatically selects it, and gives users the option to copy both the sector, and nonce associated with it.
With that information – a Base64-encoded 512 bytes verification data and a Base64-encoded 8 bytes nonce – victims can navigate to @leostone’s site, copy and paste, and generate a password.
Users still have to physically remove the drive from the infected machine and attach it to either a Windows machine or a USB drive docking station, but instead of having to hunt around for the correct code, Wosar’s tool does the job for users.
With the password users should be able to reconnect their drive, fire up their machine, and enter the password to decrypt their drive.
Researchers have been looking into Petya, a strain of ransomware that targets infected machine’s master boot records, since it emerged late last month. Until now, the only option for users who had their MBR encrypted was to fork over roughly $400 in Bitcoin for the decryption key.
While little is known about @leostone, he did explain the impetus of his algorithm on Github, acknowledging that he was prompted to look into the ransomware after his father in law was infected.
Abrams told Threatpost on Monday that while he hasn’t heard of any success stories outside the security community, he was able to decrypt a Petya-infected test machine of his own using the steps in just seven seconds. While both the algorithm and the tool are encouraging, Abrams admits that it may only be a matter of time before the criminals behind Petya catch on to the tool and bulk up the encryption behind the ransomware.
“I feel this ransomware is too “innovative” to fall by the way side,” Abrams said via email, “My guess is that they will fix the vulnerability and push out a newer version with stronger encryption.”
