Big Win for Cybersecurity as Petya’s Code Gets Cracked
In a cybersecurity climate dominated by clever bits of ransomware locking up critical data across the globe, those who have held out on ransom demands can finally breathe a sigh of relief — assuming one of Petya’s three main variants was to blame.
According to Forbes, an independent malware analyst known only as Hasherezade has officially cracked the code — oddly enough, with a little help from the malware’s original author.
Hasherezade, who keeps her real identity private, built a decryption tool around the master key that Petya’s author, Janus, released earlier in July. The tool combines that master key with an extracted user ID unique to each victim to recover the actual keys used to encrypt the data.
Decryption Tools Unlock Petya
With decryption keys in hand, users can download the tool specific to their variant of Petya and reunite with their data. The original Petya comes in three flavors: Red Petya, Green Petya and Goldeneye. Each has its own distinct strategy for encrypting data and thus requires its own decryption tool.
That said, all three generally operate by writing a new master boot record (MBR), the sector that holds the table describing the disk’s partition layout. Malicious code within the new MBR then executes as the system reboots and encrypts the master file table (MFT). Without access to the MFT, the operating system doesn’t know where to find its own files.
Hasherezade’s tools effectively allow users to restore these tables. It’s worth noting that offshoots of the original Petya — such as NotPetya and PetrWrap — aren’t affected by Hasherezade’s work. Because data could be destroyed in the process, Hasherezade recommends backing up your locked drive before attempting to unlock.
As great as this news is for those affected by ransomware, it’s important to understand that countermeasures are never the ideal solution. If anything, the emergence of Petya decryption tools highlights the need for comprehensive cybersecurity and resiliency services that take the sting out of malware before lasting damage is done.