Petya, the ransomware that has caused the most headaches in recent weeks, can now be undone: the data it encrypts is recoverable.
Ransomware is the most damaging kind of malware around right now, because its goal is not just to annoy us but to make money from us.
When ransomware gets into a system, the first thing it does is encrypt our data; it then displays a message warning that, if we want the data back, we must pay its creator for the decryption key, usually in Bitcoin so that the transfer is hard to trace.
Ransomware, the fashionable malware
There are many varieties of ransomware out there, and at Omicrono we’ve talked about them more than once.
In every case the advice is the same: be careful what you run, and if your computer is infected, do not pay, because the key often never arrives and the ransomware's author walks away with the money. With luck, someone has found a flaw that lets you decrypt your files without paying.
Petya, the nightmare that encrypts our hard drive
Then Petya arrived, the most fearsome ransomware of recent months. It is not content with encrypting individual files: it installs itself in the boot sector, runs before Windows loads, and blocks access to the entire disk, so it cannot be removed from inside the operating system.
Specifically, Petya encrypts the master file table, or MFT, used by NTFS partitions (the default file system on Windows). The MFT stores the list of every file on the partition, and the operating system consults it whenever we open or search for a file.
By encrypting the MFT, Petya leaves the file contents in place but makes them unreachable, which in practice locks the whole drive; naturally, it demands a ransom (roughly 300-400, payable in Bitcoin) to get the files back. A nightmare for many users, and one that has finally ended thanks to two tools that have just been released.
Recover encrypted data with Petya
As Bleeping Computer explains, data encrypted by Petya can now be recovered, thanks to a flaw in the ransomware's own cipher implementation. The key itself is not written to disk; what Petya leaves on the disk is a 512-byte verification block encrypted with that key, together with the 8-byte nonce it used, and the flaw makes it possible to compute the key from those two pieces. Doing this by hand is complicated, since it involves pulling the right sectors off the disk and running the key-recovery code against them.
Fortunately, with these two tools the process does not have to be done manually, although before using them a few steps are required:
1- Prepare the infected hard drive
First, you need a second, clean computer to which the infected hard drive (or SSD) can be connected. That means opening the case, disconnecting the drive (if there are several, only the one holding C:) and attaching it to a computer that is not infected. Before doing anything else, it is wise to take a full sector-level image of the drive, so that a mistake in the following steps can be undone.
You can do this by opening the second computer and connecting the drive internally, or by using a SATA-to-USB dock. Do not boot from the infected drive on the clean machine.
2- Get the encrypted sector of your hard drive
Download the Petya Sector Extractor program, which pulls from the disk the sectors holding the data needed for key recovery. Your antivirus may well block the download because the name contains Petya, but that does not mean the tool carries malware. Run it with administrator privileges, since it needs raw access to the physical disk.
Once downloaded, run it and let it scan all attached drives for the ransomware. When it finds the infected disk it displays the extracted data, with two buttons, Copy Sector and Copy Nonce.
3-Decipher the password
Now open the key-recovery web page, which will compute the key for us. It has two text boxes.
To use it, first switch to Petya Sector Extractor and click Copy Sector; then go to the web page and paste the clipboard contents (Ctrl+V, or right-click and Paste) into the first box, labelled Base64 encoded 512 bytes verification data.
Then switch back to Petya Sector Extractor and click Copy Nonce; return to the web page and paste the clipboard contents the same way into the second box, Base64 encoded 8 bytes nonce.
Finally, click Submit.
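For anyone who cannot run the extractor, or who wants to see what it does, here is an added example (not part of the original article and not the Petya Sector Extractor's own code) that prepares the same two inputs from a raw disk image or block device. It assumes the sector layout reported in published Petya analyses, namely that the 512-byte verification block lives in sector 55 and the 8-byte nonce sits at offset 33 of Petya's configuration sector 54; the sample image it builds when run without arguments is constructed, not real Petya data. It does not recover the key; it only produces the two Base64 strings the web form asks for and refuses to proceed when the verification sector is a single repeated byte, which usually means the wrong disk was selected or the MFT-encryption stage never ran.

```python
"""Prepare the two inputs the Petya key-recovery form asks for from a raw
disk image or block device (e.g. a dd image, \\\\.\\PhysicalDrive1 on Windows,
/dev/sdb on Linux): the Base64-encoded 512-byte verification sector and the
Base64-encoded 8-byte nonce.

Assumed layout (from published Petya analyses, not from the article):
  - sector 55 holds the 512-byte block Petya encrypted with the victim's key;
  - sector 54 is Petya's configuration sector; the 8-byte nonce is at offset 33.
Reading a physical drive requires administrator/root privileges.
"""
import base64
import io
import sys

SECTOR_SIZE = 512
VERIFICATION_SECTOR = 55   # assumed
CONFIG_SECTOR = 54         # assumed
NONCE_OFFSET = 33          # assumed
NONCE_LEN = 8


def read_sector(disk, index):
    """Read one 512-byte sector by index from a seekable binary stream."""
    disk.seek(index * SECTOR_SIZE)
    data = disk.read(SECTOR_SIZE)
    if len(data) != SECTOR_SIZE:
        raise ValueError("short read at sector %d (%d bytes)" % (index, len(data)))
    return data


def extract_inputs(disk):
    """Return the raw bytes and the Base64 strings for the two form fields.

    Raises ValueError if the verification sector is a single repeated byte:
    encrypted data never looks like that, so either the wrong disk was
    selected or this drive was never actually encrypted.
    """
    verification = read_sector(disk, VERIFICATION_SECTOR)
    if len(set(verification)) == 1:
        raise ValueError("verification sector is one repeated byte; "
                         "wrong disk, or the drive was never encrypted")
    config = read_sector(disk, CONFIG_SECTOR)
    nonce = config[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]
    return {
        "verification": verification,
        "nonce": nonce,
        "verification_b64": base64.b64encode(verification).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def extract_from_bytes(data):
    """Convenience wrapper for an in-memory image."""
    return extract_inputs(io.BytesIO(data))


def build_sample_image():
    """Constructed 64-sector image standing in for an infected disk.

    Not real Petya data: sector 55 carries a varying byte pattern (so it
    passes the repeated-byte check) and the nonce is the placeholder
    0x01..0x08. Sector 0 gets the usual 0x55AA boot signature.
    """
    image = bytearray(64 * SECTOR_SIZE)
    image[SECTOR_SIZE - 2:SECTOR_SIZE] = b"\x55\xaa"
    cfg = CONFIG_SECTOR * SECTOR_SIZE
    image[cfg + NONCE_OFFSET:cfg + NONCE_OFFSET + NONCE_LEN] = bytes(range(1, 9))
    ver = VERIFICATION_SECTOR * SECTOR_SIZE
    image[ver:ver + SECTOR_SIZE] = bytes((i * 37) & 0xFF for i in range(SECTOR_SIZE))
    return bytes(image)


def main(argv):
    if len(argv) > 1:
        with open(argv[1], "rb") as disk:
            result = extract_inputs(disk)
    else:
        result = extract_from_bytes(build_sample_image())
    print("Base64 encoded 512 bytes verification data:")
    print(result["verification_b64"])
    print("Base64 encoded 8 bytes nonce:")
    print(result["nonce_b64"])


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python petya_inputs.py /path/to/disk.img` (or a block device path, with the appropriate privileges) and paste the two printed strings into the form's first and second boxes respectively; run it without arguments to see the output format on the constructed sample.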
4- Get and use the password
The page may take a while to compute the key, but when it finishes it shows the password. Write it down somewhere you can read it while the infected machine is booting, such as on paper or on a phone or tablet (not, of course, on the computer you are about to shut down).
Shut down the clean computer, remove the drive and put it back into the original machine. Power it on and the Petya screen will appear again, demanding payment; below it there is a field where the key can be entered.
Type in the key you wrote down and press Enter; Petya will start decrypting the MFT, which can take a while. When it finishes, restart the computer and everything should be back to normal.
5- Make sure it doesn’t happen again
None of this helps if the computer gets infected again. First, install a good antivirus and scan the machine; from now on, be more careful and never run suspicious or unknown files. Keep offline backups as well, so that the next time the decision whether to pay does not depend on someone having found a flaw in the ransomware.