Ransomware is on the rise. Cybercriminals have upped the stakes in the battle for your data, introducing swathes of advanced malware designed to encrypt your personal data. Their ultimate goal is to extort money from you. Unless their demands are met, your encrypted files will remain out of reach.
Attacks on individuals are not ground-breaking. Nor are they hogging the headlines. But 2015 saw the FBI receive just under 2,500 complaints relating directly to ransomware related attacks, amounting to some $24 million in losses for victims.
Just over two weeks ago, a new ransomware variant, Petya, emerged. However, just as soon as security researchers had begun to administer warnings concerning the ransomware’s capabilities and specific modes of attack, an irritated individual cracked the Petya encryption. This means thousands of potential victims can safely decrypt their files, saving time, money, and mountains of frustration.
Why Petya Is Different
Ransomware infections usually follow a linear path. Once a system is compromised, the ransomware scans the entire computer and begins the encryption process. Depending on the ransomware variant, network locations may also be encrypted. Once the encryption process is complete, the ransomware delivers a message to the user informing them as to their options: pay up, or lose out.
Recent variations in ransomware have seen personal user files ignored, choosing instead to encrypt the Master File Table (MFT) of the C: drive, effectively rendering a computer useless.
Master File Table
Petya has been largely distributed through a malicious email campaign.
“Victims would receive an email tailored to look and read like a business-related missive from an “applicant” seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant’s curriculum vitae (CV).”
Once installed, Petya begins replacing the Master Boot Record (MBR). The MBR is the information stored in the first sector of the hard disk, containing the code which locates the active primary partition. The overwrite process prevents Windows from loading normally, as well as preventing access to Safe Mode.
Once Petya has overwritten the MBR, it encrypts the MFT, a file found on NTFS partitions containing critical information about every other file on the drive. Petya then forces a system restart. On reboot, the user encounters a fake CHKDSK scan. While the scan appears to be ensuring volume integrity, the opposite is true. When the CHKDSK completes and Windows attempts to load, the modified MBR will display an ASCII skull with an ultimatum to pay a ransom, usually in Bitcoin.
Recovery price stands at roughly $385, though this can change based upon the Bitcoin exchange rate. If the user decides to ignore the warning, the Bitcoin ransom doubles. If the user continues to resist the extortion attempt, the Petya ransomware author will delete the encryption key.
Where ransomware designers are usually extremely careful in their choice of encryption, Petya’s author “slipped up.” An unidentified programmer figured out how to crack Petya’s encryption after an “Easter visit to my father-in-law got me [him] into this mess.”
The crack is capable of revealing the encryption key needed to unlock the encrypted master boot record, releasing the captive system files. To regain control of the files, users will first have to remove the infected hard drive from the computer and attach it to another working computer. They can then extract a number of data strings to enter into the tool.
Extracting the data is difficult, requiring specialist tools and knowledge. Luckily, Emsisoft employee Fabian Wosar created a special tool to alleviate this problem, making “the actual decryption more user friendly.” You can find the Petya Sector Extractor here. Download and save it to the desktop of the computer being used for the fix.
Could "journalists" please start doing their homework? I am not responsible for Petya being decryptable. Credit @leo_and_stone.
— Fabian Wosar (@fwosar) April 15, 2016
Wosar’s tool extracts the 512 bytes required for the Petya crack, “starting at sector 55 (0x37h) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) offset: 33 (0x21).” Once the data is extracted, the tool will convert it to the necessary Base64 encoding. It can then be entered into the petya-no-pay-ransom website.
I merely provided a small ~50 line tool that makes the actual decryption more user friendly.
— Fabian Wosar (@fwosar) April 15, 2016
Once you have generated the decryption password, write it down. You’ll now need to replace the hard drive, then boot the infected system. When the Petya lock screen appears you can enter your decryption key.
A detailed tutorial on data string extraction, entering the converted data into the website, and generating the decryption password can be found here.
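The sector extraction described above, written out as an added example (not Wosar’s tool or leo-stone’s crack): it reads a raw image of the removed drive, pulls the 512-byte data sector and the 8-byte nonce from the offsets the page quotes, and Base64-encodes both. The only assumptions are a standard 512-byte sector size and that the input is a raw byte-for-byte image of the infected disk; the sample image is constructed, not real Petya data.

```python
import base64
from typing import Tuple

SECTOR_SIZE = 512     # assumption: standard 512-byte sectors, as the page's sector numbers imply
DATA_SECTOR = 55      # 0x37: the 512-byte block the crack needs (offset 0 within the sector)
NONCE_SECTOR = 54     # 0x36: sector holding the 8-byte nonce
NONCE_OFFSET = 33     # 0x21: byte offset of the nonce inside sector 54
NONCE_LEN = 8


def read_sector(image: bytes, index: int) -> bytes:
    """Return one whole sector from a raw disk image, refusing images that are too short."""
    start = index * SECTOR_SIZE
    end = start + SECTOR_SIZE
    if end > len(image):
        raise ValueError(f"image too short: sector {index} needs {end} bytes, have {len(image)}")
    return image[start:end]


def extract_petya_strings(image: bytes) -> Tuple[str, str]:
    """Return (data_sector_b64, nonce_b64), the two strings the recovery site asks for."""
    data = read_sector(image, DATA_SECTOR)
    nonce = read_sector(image, NONCE_SECTOR)[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce slice is short; sector layout is not what the tool expects")
    return (base64.b64encode(data).decode("ascii"),
            base64.b64encode(nonce).decode("ascii"))


def build_sample_image() -> bytes:
    """Constructed 64-sector image with recognisable bytes where the tool looks (hypothetical data)."""
    img = bytearray(64 * SECTOR_SIZE)
    img[DATA_SECTOR * SECTOR_SIZE:(DATA_SECTOR + 1) * SECTOR_SIZE] = b"A" * SECTOR_SIZE
    base = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[base:base + NONCE_LEN] = bytes(range(1, 9))   # nonce bytes 01..08
    return bytes(img)


if __name__ == "__main__":
    # Real use: image the first few dozen sectors of the removed drive and pass those bytes in.
    data_b64, nonce_b64 = extract_petya_strings(build_sample_image())
    print("data sector (base64):", data_b64[:40], "...")
    print("nonce (base64):", nonce_b64)
```

A sanity check worth keeping: if the image is shorter than 56 sectors the extractor refuses to run rather than silently encoding zeros, which would produce a password that looks valid but never unlocks the drive.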
Decryption For Everyone?
The combination of leo-stone’s encryption crack and Fabian Wosar’s Petya Sector Extractor makes for happy reading. Anyone with the technical knowledge to be seeking a solution for their encrypted files might be in with a fighting chance of regaining control of their data.
Now the solution has been simplified, those users without reams of technical knowledge could feasibly take their infected system to a local repair shop and inform the technicians of what needs doing, or at least what they believe needs doing.
However, even as the pathway to fixing this particular ransomware variant has become that much easier, ransomware is still a massive, ever-developing problem facing each of us. And, despite that pathway being easier to find and easier to follow, the ransomware authors know there is a vast majority of users who will simply have no hope of decrypting the files, their only chance of recovery lying in cold, hard, untraceable Bitcoin.
Despite their initial coding faux pas, I’m sure the Petya ransomware authors are not sitting around, feeling sorry for themselves. Now that this crack and decryption method are gaining traction they are likely working on updating their code to disable the solution, closing the door on data recovery once again.
Have you been a ransomware victim? Did you manage to recover your files, or did you pay the ransom? Let us know below!