{"id":8428,"date":"2017-07-24T10:10:41","date_gmt":"2017-07-24T18:10:41","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2017\/07\/24\/news-2202\/"},"modified":"2017-07-24T10:10:41","modified_gmt":"2017-07-24T18:10:41","slug":"news-2202","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2017\/07\/24\/news-2202\/","title":{"rendered":"Bye, bye Petya! Decryptor for old versions released."},"content":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Mon, 24 Jul 2017 17:17:38 +0000<\/strong><\/p>\n<p>Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project. You can read the full story <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/07\/the-key-to-the-old-petya-has-been-published-by-the-malware-author\/\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<p>Based on the released key, we prepared a decryptor that is capable of unlocking all the legitimate versions of Petya (<a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/07\/keeping-up-with-the-petyas-demystifying-the-malware-family\/\" target=\"_blank\" rel=\"noopener noreferrer\">read more about identifying Petyas<\/a>):<\/p>\n<ul>\n<li>Red Petya<\/li>\n<li>Green Petya (both versions) + Mischa<\/li>\n<li>Goldeneye (bootlocker + files)<\/li>\n<\/ul>\n<p>If you have a backup of a Petya-encrypted disk, now is the time to take it off the shelf and kiss your Petya goodbye <img decoding=\"async\" src=\"https:\/\/s.w.org\/images\/core\/emoji\/2.2.1\/72x72\/1f609.png\" alt=\"\ud83d\ude09\" class=\"wp-smiley\" style=\"height: 1em; max-height: 1em;\" \/><\/p>\n<p>WARNING: During our tests we found that in some cases Petya may hang during decryption, or cause some other problems potentially damaging to your data. 
That&#8217;s why, before any decryption attempts, we recommend making an additional backup.<\/p>\n<p><em>\/\/ Special thanks to <a href=\"https:\/\/twitter.com\/Th3PeKo\" target=\"_blank\" rel=\"noopener noreferrer\">@Th3PeKo<\/a>, <a href=\"https:\/\/twitter.com\/vallejocc\">@vallejocc<\/a> and Michael Meyer for all the help in testing!<\/em><\/p>\n<h3>Variants of the attack<\/h3>\n<p>As we know, depending on the version, Petya may attack your data in one of two ways:<\/p>\n<p>1 &#8211; at a low level, encrypting your Master File Table. For example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-12654\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/05\/mischa2.png\" alt=\"\" width=\"722\" height=\"408\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/05\/mischa2.png 722w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/05\/mischa2-300x170.png 300w\" sizes=\"auto, (max-width: 722px) 100vw, 722px\" \/><\/p>\n<p>2 &#8211; at a high level, encrypting your files one by one (like a typical ransomware). For example:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-12662\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/05\/mischa_encrypted.png\" alt=\"\" width=\"590\" height=\"142\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/05\/mischa_encrypted.png 590w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2016\/05\/mischa_encrypted-300x72.png 300w\" sizes=\"auto, (max-width: 590px) 100vw, 590px\" \/><\/p>\n<p>Fortunately, the released key allows for recovery in both cases. 
However, the process of decryption will look a bit different in each case.<\/p>\n<h3>Decryptors<\/h3>\n<p>We prepared two different builds of the recovery tool, to suit different needs:<\/p>\n<ol>\n<li>a <a href=\"https:\/\/github.com\/hasherezade\/petya_key\/releases\/download\/0.1\/antipetya_ultimate.iso\" target=\"_blank\" rel=\"noopener noreferrer\">Live CD<\/a><\/li>\n<li>a <a href=\"https:\/\/github.com\/hasherezade\/petya_key\/releases\/download\/0.1\/petya_key_v0.1_win32.zip\" target=\"_blank\" rel=\"noopener noreferrer\">Windows executable<\/a><\/li>\n<\/ol>\n<p>In both cases, the tool decrypts the individual key from the victim ID.<\/p>\n<p>After obtaining the key, you can use the original decryptors in order to recover your files. You can find the links here:<\/p>\n<p>For <b>Mischa<\/b>: <a href=\"https:\/\/drive.google.com\/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE\">https:\/\/drive.google.com\/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE<\/a><br \/> For <b>Goldeneye<\/b>: <a href=\"https:\/\/drive.google.com\/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg\">https:\/\/drive.google.com\/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg<\/a><\/p>\n<p><strong>DISCLAIMER: Those tools are provided as is and you are using them at your own risk. We are not responsible for any damage or lost data.<\/strong><\/p>\n<h3>Defeating the bootlocker<\/h3>\n<p>In both cases, you can obtain the key to your Petya by using the Windows executable and supplying it with your victim ID. Detailed instructions have been given <a href=\"https:\/\/github.com\/hasherezade\/petya_key\" target=\"_blank\" rel=\"noopener noreferrer\">here<\/a>.<\/p>\n<p>However, victim IDs are very long, and retyping them may be painful and prone to mistakes. That&#8217;s why we prepared a LiveCD that reads it automatically from the encrypted disk. To use it, download the ISO and boot your infected machine from it. 
Then, follow the displayed instructions:<\/p>\n<p><iframe  src='https:\/\/www.youtube.com\/embed\/wwsQropG2JA?version=3&#038;rel=1&#038;fs=1&#038;autohide=2&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<p>After obtaining the key, you can use it to decrypt your Master File Table:<\/p>\n<p><iframe  src='https:\/\/www.youtube.com\/embed\/7VWNQasU1VQ?version=3&#038;rel=1&#038;fs=1&#038;autohide=2&#038;showsearch=0&#038;showinfo=1&#038;iv_load_policy=1&#038;wmode=transparent' width=\"100%\" height=\"420\" frameborder=\"0\" ><\/iframe> <\/p>\n<h3>Decrypting files<\/h3>\n<p>If your files have been encrypted, i.e. by Goldeneye or Mischa, you can use the key decryptor released in the form of a <a href=\"https:\/\/github.com\/hasherezade\/petya_key\/releases\/download\/0.1\/petya_key_v0.1_win32.zip\" target=\"_blank\" rel=\"noopener noreferrer\">Windows executable<\/a>.<\/p>\n<ol>\n<li>Find your victim ID (&#8220;personal decryption code&#8221;). 
It will be in your ransom note:<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18953\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/ransom_note.png\" alt=\"\" width=\"916\" height=\"302\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/ransom_note.png 916w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/ransom_note-300x99.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/ransom_note-600x198.png 600w\" sizes=\"auto, (max-width: 916px) 100vw, 916px\" \/><\/p>\n<p>If you don&#8217;t have the note, you can find the ID appended at the end of any of your encrypted files:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18954\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/my_file1.png\" alt=\"\" width=\"632\" height=\"251\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/my_file1.png 632w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/my_file1-300x119.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/my_file1-600x238.png 600w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/my_file1-630x251.png 630w\" sizes=\"auto, (max-width: 632px) 100vw, 632px\" \/><\/p>\n<p>2. Save the ID in a file:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18952\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/victim_id.png\" alt=\"\" width=\"784\" height=\"87\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/victim_id.png 784w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/victim_id-300x33.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/victim_id-600x67.png 600w\" sizes=\"auto, (max-width: 784px) 100vw, 784px\" \/><\/p>\n<p>3. 
Use our tool to decrypt your key:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18951\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/decoded_key.png\" alt=\"\" width=\"534\" height=\"187\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/decoded_key.png 534w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/decoded_key-300x105.png 300w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/decoded_key-470x165.png 470w\" sizes=\"auto, (max-width: 534px) 100vw, 534px\" \/><\/p>\n<p>4. Copy the obtained key. Download the original decryptor, appropriate for your version:<\/p>\n<p>For <b>Mischa<\/b>: <a href=\"https:\/\/drive.google.com\/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE\">https:\/\/drive.google.com\/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE<\/a><br \/> For <b>Goldeneye<\/b>: <a href=\"https:\/\/drive.google.com\/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg\">https:\/\/drive.google.com\/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg<\/a><\/p>\n<p>Choose one of your encrypted files:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18957\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/step1.png\" alt=\"\" width=\"543\" height=\"396\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/step1.png 543w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/step1-300x219.png 300w\" sizes=\"auto, (max-width: 543px) 100vw, 543px\" \/><\/p>\n<p>Supply the key obtained from the key decoder:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18958\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/step2.png\" alt=\"\" width=\"547\" height=\"400\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/step2.png 547w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/step2-300x219.png 300w\" sizes=\"auto, 
(max-width: 547px) 100vw, 547px\" \/><\/p>\n<p>Decrypt the file and check if the output is valid. If everything is fine, you can use the same key to decrypt the rest of your files. Supply the extension to the decryptor, and it will find them automatically:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18959\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/search.png\" alt=\"\" width=\"546\" height=\"397\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/search.png 546w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/search-300x218.png 300w\" sizes=\"auto, (max-width: 546px) 100vw, 546px\" \/><\/p>\n<h3>Conclusion<\/h3>\n<p>The presented tools allow you to unlock all the legitimate versions of Petya released so far by Janus Cybercrime Solutions. They cannot help the victims of pirated Petyas, <a href=\"https:\/\/blog.malwarebytes.com\/cybercrime\/2017\/07\/keeping-up-with-the-petyas-demystifying-the-malware-family\/\" target=\"_blank\" rel=\"noopener noreferrer\">like PetrWrap or EternalPetya<\/a> (aka NotPetya). This matches the announcement made by Janus on Twitter:<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-18961\" src=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/versions.png\" alt=\"\" width=\"541\" height=\"143\" srcset=\"https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/versions.png 541w, https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2017\/07\/versions-300x79.png 300w\" sizes=\"auto, (max-width: 541px) 100vw, 541px\" \/><\/p>\n<p>Is it the end of Petya&#8217;s story? 
Probably yes, but only time will tell.<\/p>\n<hr \/>\n<p><em><span class=\"s1\">This was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest in InfoSec.\u00a0<\/span><span class=\"s1\">She loves going into detail about malware and sharing threat information with the community.\u00a0<\/span><span class=\"s2\">Check her out on Twitter @<a href=\"https:\/\/twitter.com\/hasherezade\" target=\"_blank\" rel=\"noopener noreferrer\">hasherezade<\/a>\u00a0and her personal blog:\u00a0<span class=\"s3\"><a href=\"https:\/\/hshrzd.wordpress.com\/\" target=\"_blank\" rel=\"noopener noreferrer\">https:\/\/hshrzd.wordpress.com<\/a>.<\/span><\/span><\/em><\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2017\/07\/bye-bye-petya-decryptor-old-versions-released\/\">Bye, bye Petya! Decryptor for old versions released.<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Malwarebytes Labs| Date: Mon, 24 Jul 2017 17:17:38 +0000<\/strong><\/p>\n<table cellpadding='10'>\n<tr>\n<td valign='top' align='center'><a href='https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2017\/07\/bye-bye-petya-decryptor-old-versions-released\/' title='Bye, bye Petya! Decryptor for old versions released.'><img src='https:\/\/blog.malwarebytes.com\/wp-content\/uploads\/2014\/10\/password-key.jpg' border='0'  width='300px'  \/><\/a><\/td>\n<\/tr>\n<tr>\n<td valign='top' align='left'>This post shows you how to use the special decryptor for the Petya family: Petya, Mischa, and Goldeneye. 
Not suitable for copycats of these.<\/p>\n<p>Categories: <\/p>\n<ul class=\"post-categories\">\n<li><a href=\"https:\/\/blog.malwarebytes.com\/category\/malwarebytes-news\/\" rel=\"category tag\">Malwarebytes news<\/a><\/li>\n<\/ul>\n<p>Tags: <a href=\"https:\/\/blog.malwarebytes.com\/tag\/decryptor\/\" rel=\"tag\">decryptor<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/goldeneye\/\" rel=\"tag\">goldeneye<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mft\/\" rel=\"tag\">mft<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/mischa\/\" rel=\"tag\">Mischa<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/petya\/\" rel=\"tag\">petya<\/a><a href=\"https:\/\/blog.malwarebytes.com\/tag\/toos\/\" rel=\"tag\">toos<\/a><\/p>\n<table width='100%'>\n<tr>\n<td align=right>\n<p><b>(<a href='https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2017\/07\/bye-bye-petya-decryptor-old-versions-released\/' title='Bye, bye Petya! Decryptor for old versions released.'>Read more&#8230;<\/a>)<\/b><\/p>\n<\/td>\n<\/tr>\n<\/table>\n<\/td>\n<\/tr>\n<\/table>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\/malwarebytes-news\/2017\/07\/bye-bye-petya-decryptor-old-versions-released\/\">Bye, bye Petya! 
Decryptor for old versions released.<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.malwarebytes.com\">Malwarebytes Labs<\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10488,10378],"tags":[10491,10576,10546,13142,13143,12823,13144],"class_list":["post-8428","post","type-post","status-publish","format-standard","hentry","category-malwarebytes","category-security","tag-decryptor","tag-goldeneye","tag-malwarebytes-news","tag-mft","tag-mischa","tag-petya","tag-toos"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8428","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=8428"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/8428\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=8428"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=8428"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=8428"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}