I am a victim of the Petya ransomware. Is there a solution to decrypt my disk?

My computer got encrypted by the Petya ransomware. After a long search I could not find a solution other than using file recovery software.

This helps a bit, but I am wondering if there is a way to completely restore my disk. I am not going to pay.

leostone

Posted 2016-04-10T13:44:03.223

Reputation: 1 759

To improve this question you might want to add some telltale signs that a ransomware infection is from this particular malware. Most users have no way to tell the name of the particular malware which hit them, which means they won't find this question. – Philipp – 2016-04-10T16:32:50.230

I don't think there is a real infection, they are just collecting reps, which is ok here on SU if it is a good question that has not been asked before. – Moab – 2016-04-10T18:20:12.890

Looks like it's not a rep grab but publicity for the exploit, which is by the OP himself. I wouldn't begrudge it, it looks non-trivial and potentially useful :-) – alexis – 2016-04-10T20:25:38.517

It looks like this is a way to decrypt the disk. Check it out: Petya Ransomware Defeated. Looks promising. – NetworkKingPin – 2016-04-11T05:09:48.697

I know it's not terribly relevant, but would you mind sharing how it happened? Perhaps it might help other users avoid this problem. – Nobilis – 2016-04-11T07:21:25.370

Can I have a picture of the message? – Suici Doga – 2016-04-11T13:38:02.687

@SuiciDoga http://nabzsoftware.com/types-of-threats/petya-ransomware – MCMastery – 2016-04-12T01:14:24.000

This is yet another reason why you should be backing up your data often. If you had a reliable backup, you could simply wipe the computer and restore. If you don't care about your data enough to back it up, then why worry about recovering it from ransomware? – BryanH – 2016-04-14T21:14:49.600

@BryanH You can care about your data (and even back it up) and still also care about recovering a system from ransomware. – TylerH – 2016-04-15T13:25:32.080

@TylerH true, if we were perfect we wouldn't be vulnerable to malware in the first place. If you can't be perfect it's nice to have options. – candied_orange – 2016-04-16T19:02:53.063

So is this thread still of use considering the new Petya wave that has hit as of July 27, 2017? – JakeGould – 2017-06-27T17:29:07.447

Answers

Fortunately, yes, there is a solution - I've written an application that would help with this.

Petya encryption has been reversed, analyzed and there is a solution to get the decryption key, just from the data on the encrypted disk.

The program code for key recovery is hosted on github: https://github.com/leo-stone/hack-petya.

If you can't or don't want to compile the program yourself,
there is an online service available:
https://petya-pay-no-ransom.herokuapp.com/
https://petya-pay-no-ransom-mirror1.herokuapp.com/ (if the first link is erroring for you)

You will still need to have a little computer experience though, to get the necessary data off your disk.

Update: Service has been taken down, it wasn't used anymore.

leostone

Posted 2016-04-10T13:44:03.223

Reputation: 1 759

This is why you should never write your own encryption... though I suppose in this case it's fortunate that they did. If they had used AES, there'd be no way to brute-force the key like this. – BlueRaja - Danny Pflughoeft – 2016-04-10T19:43:56.237

@vsz The authors of this malware encrypt the hard-drive at a hardware level, and wrote their own bootloader (!?!). I'm sure they've heard of AES. It's like as oakad says, they probably did this intentionally for maximum speed. – BlueRaja - Danny Pflughoeft – 2016-04-11T05:12:34.023

That Heroku app is throwing errors. Has it been taken down? – Michael Hampton – 2016-04-11T07:40:17.487

@MichaelHampton It's possible it's being overloaded with traffic; this question has managed to hit the featured list, probably bringing in a lot of clickers. – Trotski94 – 2016-04-11T07:45:52.247

Oh, the disclosure rule. I do strongly recommend you do so, if only cause I'm getting a ton of spam flags for a useful tool ;) – Journeyman Geek – 2016-04-11T12:04:23.067

@leostone Otherwise this question and answer may be considered spam, i.e. unwanted advertisement. – Bakuriu – 2016-04-11T12:28:30.950

The weakness is not the encryption, it is that the key must be stored somewhere, and the criminals can't hope to keep a remote server that is under their control accessible for the lifetime of the virus, for the virus to store new keys on. – Ian Ringrose – 2016-04-11T13:03:25.703

Could you add a basic explanation of what your code does? The answer is complete; I'm just curious and my school WiFi doesn't let me load GitHub repos that don't belong to me. – Fund Monica's Lawsuit – 2016-04-11T13:14:25.807

@QPayTaxes The author goes about it in an intentionally roundabout way -- you can plug the decryption routine into just about any constraint solver and have an answer in seconds ( http://pastebin.com/Zc16DfL1 ) – ŹV - – 2016-04-12T08:07:19.833

@BlueRaja-DannyPflughoeft Avoiding standard crypto for performance reasons is rather silly. Unless you have very fast IO, the process will be IO bound. A single core should be able to handle between 1 and 3 GB/s on a modern desktop. More if you reduce the number of rounds. – CodesInChaos – 2016-04-12T10:31:52.987

Comments are not designed to have a conversation. If you don't have a comment with regards to the answer itself, take your statements to chat. – Ramhound – 2016-04-13T14:19:13.087

@SargeBorsch: You should ask that as a different question, but in short: Yes, that is very common for schools and businesses. They control all the machines so they can install their own root certs. – BlueRaja - Danny Pflughoeft – 2016-04-14T07:22:25.937

@IanRingrose Why not just encrypt that key using a public key and have the victim email the encrypted key along with payment? – Aron – 2016-04-15T05:29:23.793

@CodesInChaos Especially since standard algos are implemented in hardware these days... – Aron – 2016-04-15T05:30:44.533

Thank you! It might be an idea/suggestion to include the accompanying Fabian Wosar's Petya Sector Extractor (for Windows, linked on bleepingcomputer.com) in this answer. PS: Hopefully someone will combine and share these 2 sources into a .com executable that can be added to a syslinux USB boot-stick (alleviating the need to take out the HD). – GitaarLAB – 2016-04-15T15:20:25.313

So is this of any use to anyone in 2017 with a new Petya infection happening? – JakeGould – 2017-06-27T18:05:10.503