Researcher Cracks Petya Ransomware Encryption System
By Dan Heilman / CRM Daily
Published: April 12, 2016
A notorious ransomware program has been vanquished by a resourceful researcher who found a crucial weak spot in the Petya crypto-extortion virus. A person known only by his or her Twitter handle, @leostone, devised a tool that generates the password Petya demands before it will decrypt the master boot record it has infected.

Petya has stood out among ransomware since it was uncovered in March because of how it targeted victims' entire startup drives by making their master boot records (a special type of boot sector at the very beginning of a partitioned hard drive) inoperable. Victims who were directed by spam e-mail to a downloadable file containing Petya were hit with the blue screen of death within seconds.

After rebooting, their computers displayed a phony check-disk screen while the virus encrypted the master file table. The computers then showed a ransom note, and since the users didn't have the decryption password, their computers couldn't boot and none of the files on the startup disk were accessible.

Two Methods

The tool invented by @leostone works like this: The user removes the startup drive from the infected computer and connects it to a separate, uninfected Windows computer. Then the user extracts two specific pieces of data from the hard drive: the base-64-encoded 512 bytes starting at sector 55 (0x37), offset 0; and the base-64-encoded 8-byte nonce from sector 54 (0x36), offset 33 (0x21). Once that data is entered into the Web app created by @leostone (available at https://petya-pay-no-ransom.herokuapp.com), the user can retrieve the password that Petya demands to decrypt the master file table.
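The two fields described above are fixed byte ranges on the raw drive, so the extraction step can be reproduced with a short script. The following is an added example written for this article, not the code of @leostone's Web app or of the Petya Sector Extractor; it assumes a raw disk image with 512-byte sectors and uses a constructed sample image rather than data from a real infection.

```python
import base64
import sys

SECTOR_SIZE = 512
VERIFY_SECTOR = 55   # 0x37: 512-byte verification block at offset 0
NONCE_SECTOR = 54    # 0x36: 8-byte nonce at offset 33 (0x21)
NONCE_OFFSET = 33
NONCE_LEN = 8


def read_sector(image: bytes, sector: int) -> bytes:
    """Return one 512-byte sector from a raw disk image, or fail loudly."""
    start = sector * SECTOR_SIZE
    end = start + SECTOR_SIZE
    if end > len(image):
        raise ValueError(f"image too small: sector {sector} lies beyond its end")
    return image[start:end]


def extract_petya_fields(image: bytes) -> dict:
    """Pull the verification block and nonce and base-64 encode both,
    which is the form the decryption Web app expects as input."""
    verify = read_sector(image, VERIFY_SECTOR)
    nonce = read_sector(image, NONCE_SECTOR)[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]
    return {
        "verification_b64": base64.b64encode(verify).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def build_sample_image() -> bytes:
    """Constructed sample: 64 zeroed sectors with placeholder bytes where
    Petya writes its data. This is NOT real Petya data."""
    image = bytearray(SECTOR_SIZE * 64)
    v = VERIFY_SECTOR * SECTOR_SIZE
    image[v:v + SECTOR_SIZE] = bytes(range(256)) * 2
    n = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[n:n + NONCE_LEN] = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    return bytes(image)


if __name__ == "__main__":
    # Usage: python extract.py [raw_image]; without an argument the sample is used.
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            data = f.read((VERIFY_SECTOR + 1) * SECTOR_SIZE)
    else:
        data = build_sample_image()
    for name, value in extract_petya_fields(data).items():
        print(f"{name}: {value}")
```

Only the first 56 sectors are needed, so the script reads just that much of a real image; the nonce and the verification block are the only two values the Web app asks for.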

For users who are nervous about following what is, for many, a technical series of instructions, another researcher devised a free tool that gathers the necessary data in seconds; the difference is that it must be run on the computer containing the infected hard drive. That alternative tool, Petya Sector Extractor, is available at http://download.bleepingcomputer.com/fabian-wosar/PetyaExtractor.zip.

Stay Vigilant

While the ingenuity of the "white hat" hackers who foiled Petya is admirable, individual and enterprise users shouldn’t take that victory as a sign that the war on ransomware is close to being over.

Nicholas Merker, a partner at Chicago law firm Ice Miller and co-chair of its Data Security and Privacy practice, told us that the discovery of an anti-Petya password only serves to remind us that computer cryptography is difficult for both good guys and bad guys. He added that the developers of Petya will almost certainly refine the ransomware to defeat the new fixes.

"A company that relies on exploitation of a vulnerability in crypto-extortion to recover its data is missing the boat," said Merker. "Companies can decrease the likelihood of being victim to these attacks through strong security awareness. You can also minimize exposure by limiting what network file shares are available to employees and removing employee reliance on local storage."

Merker also suggested that rather than rely on recovering encrypted data from the malware itself, businesses should consider recovering it from a regularly scheduled backup.

© Copyright 2017 NewsFactor Network. All rights reserved. Member of Accuserve Ad Network.