Will The Petya Ransomware Crack Bring Back Your Files?

Gavin Phillips 28-04-2016

Ransomware is on the rise. Cybercriminals have upped the stakes in the battle for your data, introducing swathes of advanced malware designed to encrypt your personal data. Their ultimate goal is to extort money from you. Unless their demands are met, your encrypted files will remain out of reach.


Unavailable. Lost.

Attacks on individuals are not ground-breaking, nor are they hogging the headlines. But in 2015 the FBI received just under 2,500 complaints relating directly to ransomware attacks, amounting to some $24 million in losses for victims.

Just over two weeks ago, a new ransomware variant, Petya, emerged. However, almost as soon as security researchers had begun issuing warnings about the ransomware’s capabilities and its specific mode of attack, an irritated individual cracked Petya’s encryption. This means thousands of potential victims can decrypt their files without paying, saving time, money, and mountains of frustration.

Why Petya Is Different

Ransomware infections usually follow a linear path. Once a system is compromised, the ransomware scans the entire computer and begins the encryption process. Depending on the ransomware variant, network locations may also be encrypted. Once the encryption process is complete, the ransomware delivers a message to the user informing them of their options: pay up, or lose out.

Recent ransomware variants have ignored personal user files and chosen instead to encrypt the Master File Table (MFT) of the C: drive. The files themselves are left on disk, but without the MFT the file system can no longer locate any of them, which effectively renders the computer useless.


Master File Table

Petya has been largely distributed through a malicious email campaign.

“Victims would receive an email tailored to look and read like a business-related missive from an “applicant” seeking a position in a company. It would present users with a hyperlink to a Dropbox storage location, which supposedly would let the user download said applicant’s curriculum vitae (CV).”

Once run, Petya overwrites the Master Boot Record (MBR). The MBR is the first sector of the hard disk; it holds the partition table and the boot code which locates the active primary partition and hands control to it. Because the malicious boot code now runs before Windows does, the overwrite prevents Windows from loading normally and also blocks access to Safe Mode.

Petya Ransomware Lock Screen

Once Petya has overwritten the MBR, it forces a system restart. On reboot, the user encounters a fake CHKDSK scan. While the scan appears to be checking volume integrity, the opposite is true: behind it, Petya is encrypting the MFT, the NTFS file that records where every other file on the volume lives. When the fake scan completes and Windows would normally load, the modified MBR instead displays an ASCII skull with an ultimatum to pay a ransom, usually in Bitcoin.


The recovery price stands at roughly $385, though this changes with the Bitcoin exchange rate. If the user ignores the warning, the Bitcoin ransom doubles. If the user continues to resist the extortion attempt, the Petya authors claim they will delete the encryption key.

Hack-Petya Mission

Where ransomware designers are usually extremely careful in their choice of encryption, Petya’s author “slipped up.” An unidentified programmer figured out how to crack Petya’s encryption after an “Easter visit to my father-in-law got me [him] into this mess.”

The crack recovers the key needed to decrypt the encrypted Master File Table, releasing the captive files. To regain control of the files, users first have to remove the infected hard drive from the computer and attach it to another working computer. Because that machine boots from its own disk, Petya’s malicious boot code never runs; the infected drive is just a data disk to be read. The user can then extract a number of data strings from it to enter into the tool.

Chrome Petya Decryption Site


Extracting the data is difficult, requiring specialist tools and knowledge. Luckily, Emsisoft employee Fabian Wosar created a tool to alleviate this problem, making “the actual decryption more user friendly.” You can find the Petya Sector Extractor here. Download and save it to the desktop of the clean computer being used for the fix.

Wosar’s tool extracts the 512 bytes required for the Petya crack, “starting at sector 55 (0x37h) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) offset: 33 (0x21).” Once the data is extracted, the tool converts it to the Base64 encoding the crack expects. The two strings can then be entered into the petya-no-pay-ransom website [Broken URL Removed].
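To make the two previous paragraphs concrete (what sits in the MBR that Petya overwrites, and exactly which bytes the crack needs), here is an added example that is not code from the article, from leo-stone’s crack, or from Fabian Wosar’s Petya Sector Extractor. It parses sector 0 as a classic MBR and pulls the 512-byte block from sector 55 and the 8-byte nonce from sector 54 offset 33, Base64-encoding both. It assumes 512-byte sectors and that the infected drive is attached to a clean machine and read as a raw device (for example /dev/sdb on Linux) or as a dd image; the sample image it builds is constructed, not real Petya data.

```python
"""
Added example: read a raw disk image of a Petya-infected drive, decode the
MBR in sector 0, and extract the two values the Petya crack needs:

  * 512 bytes starting at sector 55 (0x37), offset 0
  * the 8-byte nonce at sector 54 (0x36), offset 33 (0x21)

Assumptions: classic 512-byte sectors; the drive is read from a clean machine
as a raw device or a dd image.  Not the original Petya Sector Extractor.
"""
import base64
import hashlib
import struct

SECTOR_SIZE = 512                                          # assumption: 512-byte sectors
DATA_SECTOR, DATA_LENGTH = 0x37, 512                       # sector 55, whole sector
NONCE_SECTOR, NONCE_OFFSET, NONCE_LENGTH = 0x36, 0x21, 8   # sector 54, offset 33
MBR_SIGNATURE = b"\x55\xaa"                                # boot signature at bytes 510-511


def read_sector(image, sector, offset=0, length=SECTOR_SIZE):
    """Return `length` bytes from `sector` starting at `offset`, never crossing a sector."""
    if offset + length > SECTOR_SIZE:
        raise ValueError("read crosses a sector boundary")
    start = sector * SECTOR_SIZE + offset
    if start + length > len(image):
        raise ValueError(f"image too short: need {start + length} bytes, have {len(image)}")
    return image[start:start + length]


def parse_mbr(image):
    """Decode sector 0: boot signature plus the four primary partition entries at offset 446."""
    mbr = read_sector(image, 0)
    entries = []
    for i in range(4):
        raw = mbr[446 + 16 * i: 446 + 16 * (i + 1)]
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) sector-count(4), little-endian
        status, ptype, lba_start, count = struct.unpack("<B3xB3xII", raw)
        entries.append({"index": i, "active": status == 0x80, "type": ptype,
                        "lba_start": lba_start, "sectors": count})
    return {"signature_ok": mbr[510:512] == MBR_SIGNATURE,
            "active": [e["index"] for e in entries if e["active"]],
            "partitions": entries}


def extract_petya_data(image):
    """The two strings the crack site wants, Base64-encoded like the Sector Extractor output."""
    data = read_sector(image, DATA_SECTOR, 0, DATA_LENGTH)
    nonce = read_sector(image, NONCE_SECTOR, NONCE_OFFSET, NONCE_LENGTH)
    return {"data_b64": base64.b64encode(data).decode("ascii"),
            "nonce_b64": base64.b64encode(nonce).decode("ascii")}


def extract_from_device(path):
    """Read only the leading sectors that are needed from a raw device or image file."""
    with open(path, "rb") as fh:
        return extract_petya_data(fh.read((DATA_SECTOR + 1) * SECTOR_SIZE))


def build_sample_image(sectors=64):
    """Constructed test image: a minimal MBR with one active NTFS partition, then filler sectors."""
    mbr = bytearray(SECTOR_SIZE)
    mbr[446:462] = struct.pack("<B3xB3xII", 0x80, 0x07, 2048, 1_000_000)  # active, type 0x07
    mbr[510:512] = MBR_SIGNATURE
    out = bytearray(mbr)
    for n in range(1, sectors):
        out += hashlib.sha256(f"sector-{n}".encode()).digest() * 16        # 32 * 16 = 512 bytes
    return bytes(out)


if __name__ == "__main__":
    img = build_sample_image()
    print("MBR:", parse_mbr(img)["signature_ok"], "active partitions:", parse_mbr(img)["active"])
    result = extract_petya_data(img)
    print("512-byte block (Base64):", result["data_b64"][:60], "...")
    print("8-byte nonce   (Base64):", result["nonce_b64"])
```

Run it against a real drive with `extract_from_device("/dev/sdb")` (root or administrator rights are needed to read a raw device); the image is opened read-only, and only the first 56 sectors are ever read, so nothing on the infected disk is modified.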


Once you have generated the decryption password, write it down. Put the hard drive back into the infected computer and boot it. When the Petya lock screen appears, enter the password at its prompt.

Petya Ransomware You Became A Victim

A detailed tutorial on data string extraction, entering the converted data into the website, and generating the decryption password can be found here.

Decryption For Everyone?

The combination of leo-stone’s encryption crack and Fabian Wosar’s Petya Sector Extractor makes for happy reading. Anyone with the technical knowledge to be seeking a solution for their encrypted files has a fighting chance of regaining control of their data.

Now that the solution has been simplified, users without reams of technical knowledge could feasibly take their infected system to a local repair shop and tell the technicians what needs doing, or at least what they believe needs doing.

However, even though the pathway to fixing this particular ransomware variant has become that much easier, ransomware is still a massive, ever-developing problem facing each of us. And, despite that pathway being easier to find and easier to follow, the ransomware authors know that the vast majority of users will simply have no hope of decrypting their files, their only chance of recovery being cold, hard, untraceable Bitcoin.

Despite their initial coding faux pas, I’m sure the Petya authors are not sitting around feeling sorry for themselves. Now that this crack and decryption method are gaining traction, they are likely working on updating their code to defeat it, closing the door on data recovery once again.

Have you been a ransomware victim? Did you manage to recover your files, or did you pay the ransom? Let us know below!




  1. Steve Klemetti
    May 4, 2016 at 1:17 pm

    If you are paying someone, can that be traced to catch them?

  2. Anonymous
    April 29, 2016 at 1:08 am

    Maybe connect it to a Linux PC?

    • Anonymous
      April 29, 2016 at 1:22 pm

      Might work but if the ransomware is designed to re-write the MBR, it could re-write the MBR of Linux system.

      If I were to use Linux to dispose of the ransomware, I would boot from a LiveCD/DVD residing on read-only disk.

  3. Anonymous
    April 28, 2016 at 5:39 pm

    "users will first have to remove the infected hard drive from the computer and attach it to another working computer."
    Wouldn't that just infect the working computer and spread the ransomware???

    • Anonymous
      April 29, 2016 at 3:13 am

      I should imagine that because you aren't booting from the infected HDD, the processes required for the malware to run won't be active.

      I was recently hit by the Cerber ransomware and as soon as I ended the malicious process all encrypting stopped; lucky for me I didn’t lose any important files.

      • Anonymous
        April 29, 2016 at 1:17 pm

        @Shane Harris:
        As soon as infected Floppies, USB sticks or CD/DVDs are inserted, the infecting malware is activated to do its damage. One does not have to boot from them for the malware to be activated. Why would plugging in an infected hard drive be any different?