How to Decrypt and defeat Petya Ransomware

[Deleted member 178]

Good news, Petya has been decrypted:

Procedure here : Petya Ransomware's Encryption Defeated and Password Generator Released

here the tool from @Fabian Wosar to extract the bootcode of Petya : http://download.bleepingcomputer.com/fabian-wosar/PetyaExtractor.zip

then once done, here the tool to retrieve your key: PETYA-PAY-NO-RANSOM (better read the procedure above first)

Read more here: GitHub - leo-stone/hack-petya: search key to restore petya encrypted mft

 

[LabZero]

Yeah good news!

I was trying to figure out how, from the table obtained with the 512 key xor, we can decrypt only the first sector of the MFT encrypted by Petya, in fact, to decrypt the encrypted sectors from following sectors of the MFT it is necessary to know all the other keys.
Having available, however, only a value of 0 table, for me, it was not possible to go back to the Master Table, and consequently to the 32 bytes key.

 

[Deleted member 178]

Just use the extractor , make it easier.

 

[Daniel Hidalgo]

Great News, will be an indispensable article to save for my

 

[_CyberGhosT_]

Congrats to this guy, good work, but as with sharing any great news public, Petra fans will also get wind of this and I bet it wont be long before the "battle of patches" starts.
Great share Umbra.
PeAcE

 

[Der.Reisende]

Great news
As usual, very well done @Fabian Wosar
Thx for sharing @Umbra

 

[Morvotron]

Wow, actually good news! Congratulations to the creator. Hopefully all ransomware samples will get decrypted.

 

[done]

Good news
thanx

 

[Duotone]

Good news indeed... Thankfully no one in this forum has ever been hit by Petya!

 

[jamescv7]

@Morvotron: Well with fast pacing technological tools, ransomware is just one of the sophisticated threats that can provide solution on the other hand because of encryption. Its just a matter how high is thrashing the system could occur to mess it out and make it unusable.

 

[Dirk41]

hi guys,anyway i am curious about one thing i didn't think about before.
w10 secure boot didn't prevent petya to install its loader?
thank you

 

[LabZero]

hi guys,anyway i am curious about one thing i didn't think about before.
w10 secure boot didn't prevent petya to install its loader?
thank you

Good question!

Windows 10 uses GPT instead of MBR which contains the boot code and the partition table that Petya uses in its steps to store the malcode.
But even GPT has a master boot record and a partition table, and probably, for how it works, Petya overwrites this GPT data, but without creating a backup copy of it because of the sectors flagged as unused, and in this case it may be impossible to decrypt the HDD.

 

[snakeaj]

Hello!

i allready tried all guides i found (yours too) but when i feed hack-petya.exe with the .txt files it starts working from 117 down, down, down but never below 91 - then it starts somwhere at 110 again.
i never get a final key.
same problem on key website (its down atm)

please help me!
thank you