A notorious ransomware program has been vanquished by a resourceful researcher who found a crucial weak spot in the Petya crypto-extortion virus. A person known only by his or her Twitter handle, @leostone, devised a tool that generates the password demanded by Petya to decrypt the master boot file it has infected.
Petya has stood out among ransomware since it was uncovered in March because of how it targeted victims' entire startup drives by making their master boot records (a special type of boot sector at the very beginning of a partitioned hard drive) inoperable. The victims who were directed to a downloadable file containing Petya via spam e-mail got hit with the blue screen of death in seconds.
After rebooting, their computers ran a phony check disk file while the virus was encrypting the computers' master file tables. The computers then showed a ransom note, and since the users didn’t have the decryption passwords, their computers weren't able to boot up and none of the files on their computers' startup disks were accessible.
The tool invented by @leostone works like this: The user removes the startup drive from the infected computer and connects it to a separate, uninfected Windows computer. Then the user extracts specific data from the hard drive: the base-64-encoded 512 bytes starting at sector 55 (0x37) with an offset of 0; and the base-64-encoded 8-byte nonce from sector 54 (0x36) at offset 33 (0x21). Once that data is entered into the Web app created by @leostone (available at https://petya-pay-no-ransom.herokuapp.com), the user can retrieve the password needed to make Petya decrypt the crucial file.
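The extraction step described above, as an added example that is not part of the original article and not @leostone's or Fabian Wosar's code: a small Python script that reads a raw copy of the infected drive, pulls out the 512-byte block at sector 55 offset 0 and the 8-byte nonce at sector 54 offset 33, and base-64 encodes both for pasting into the Web app. The sector numbers and offsets come from the article; the 512-byte sector size, the function and class names, and the constructed sample image are assumptions. The key recovery itself happens in the Web app and is not reproduced here.

```python
import base64
from dataclasses import dataclass

# Assumed sector size; the offsets in the article are given in 512-byte sectors.
SECTOR_SIZE = 512

# Locations from the article: 512 bytes at sector 55 (0x37) offset 0,
# and the 8-byte nonce at sector 54 (0x36) offset 33 (0x21).
VERIFY_SECTOR, VERIFY_OFFSET, VERIFY_LEN = 0x37, 0x00, 512
NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN = 0x36, 0x21, 8


@dataclass
class PetyaArtifacts:
    """Raw bytes plus the base-64 strings the Web app expects (hypothetical type)."""
    verification: bytes
    nonce: bytes
    verification_b64: str
    nonce_b64: str


def extract_petya_artifacts(image: bytes, sector_size: int = SECTOR_SIZE) -> PetyaArtifacts:
    """Cut the two artifacts out of the first sectors of a raw drive image."""
    needed = VERIFY_SECTOR * sector_size + VERIFY_OFFSET + VERIFY_LEN
    if len(image) < needed:
        raise ValueError(f"image too small: need {needed} bytes, got {len(image)}")

    v_start = VERIFY_SECTOR * sector_size + VERIFY_OFFSET
    verification = image[v_start:v_start + VERIFY_LEN]

    n_start = NONCE_SECTOR * sector_size + NONCE_OFFSET
    nonce = image[n_start:n_start + NONCE_LEN]

    return PetyaArtifacts(
        verification=verification,
        nonce=nonce,
        verification_b64=base64.b64encode(verification).decode("ascii"),
        nonce_b64=base64.b64encode(nonce).decode("ascii"),
    )


def extract_from_path(path: str) -> PetyaArtifacts:
    """Read only the leading sectors of a drive image or block device (e.g. a dd copy)."""
    needed = VERIFY_SECTOR * SECTOR_SIZE + VERIFY_OFFSET + VERIFY_LEN
    with open(path, "rb") as fh:
        return extract_petya_artifacts(fh.read(needed))


def build_sample_image() -> bytes:
    """Constructed stand-in for an infected drive: 64 zeroed sectors with
    recognisable bytes planted at the two locations the article names."""
    img = bytearray(64 * SECTOR_SIZE)
    n_start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[n_start:n_start + NONCE_LEN] = bytes(range(1, NONCE_LEN + 1))
    v_start = VERIFY_SECTOR * SECTOR_SIZE + VERIFY_OFFSET
    img[v_start:v_start + VERIFY_LEN] = bytes(range(256)) * 2
    return bytes(img)


if __name__ == "__main__":
    art = extract_petya_artifacts(build_sample_image())
    print("verification data (base64):", art.verification_b64)
    print("nonce (base64):", art.nonce_b64)
```

Run it against a sector-level copy of the drive taken with a disk-imaging tool rather than against the live device, so the original evidence is preserved if the recovery attempt fails; `extract_from_path` reads only the first 56 sectors, so it is quick even on a large disk.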
For users who are nervous about undertaking what for many is a technical series of instructions, another researcher devised a free tool that gets the necessary data in just seconds, but the difference is that it must be run on the computer containing the infected hard drive. That alternative tool, Petya Sector Extractor, is available at http://download.bleepingcomputer.com/fabian-wosar/PetyaExtractor.zip.
While the ingenuity of the "white hat" hackers who foiled Petya is admirable, individual and enterprise users shouldn’t take that victory as a sign that the war on ransomware is close to being over.
Nicholas Merker, a partner at Chicago law firm Ice Miller and co-chair of its Data Security and Privacy practice, told us that the discovery of an anti-Petya password only serves to remind us that computer cryptography is difficult for both good guys and bad guys. And he said the developers of Petya will almost certainly refine the ransomware program to override the new fixes.
"A company that relies on exploitation of a vulnerability in crypto-extortion to recover its data is missing the boat," said Merker. "Companies can decrease the likelihood of being victim to these attacks through strong security awareness. You can also minimize exposure by limiting what network file shares are available to employees and removing employee reliance on local storage."
Merker also suggested that rather than rely on recovering encrypted data from the malware itself, businesses should consider recovering it from a regularly scheduled backup.