Password Generator Comes as Welcome Cure for PETYA Ransomware Victims

The PETYA ransomware, one of several strains that have gained prominence in recent times, could soon be rendered ineffective with the release of a new password generator tool that provides free decryption keys.

While ransomware typically encrypts files and media on a target's computer and then demands a ransom in exchange for the decryption key, this new tool comes as welcome respite for victims affected by the PETYA ransomware.

Unlike other strains of ransomware, PETYA goes further and overwrites the Master Boot Record (MBR) of a Windows computer. This leaves the user unable to boot into the operating system at all.

When the user attempts to boot the machine, a bright red screen, similar to Windows' infamous blue screen, appears stating that the operating system is infected with a "military-grade encryption algorithm." The message is accompanied by a ransom demand of 1 bitcoin, approximately $420.

The modified MBR also blocks any attempt by the user to restart into Windows' Safe Mode.

A Cure From Ransomware?

A newly developed algorithm is said to generate the password required to decrypt a computer infected by the PETYA strain.

The website, which can be found here, boldly proclaims “Get your petya encrypted disk back, WITHOUT paying ransom!!!”

The process can be a tad technical for the average user: the decryption password generator requires the user to extract a few small strands of data from the infected machine.

They are:

  • 512 bytes of verification data from sector 55 (0x37), offset 0 (0x0), of the disk, to be converted to Base64 before input
  • an 8-byte nonce from sector 54 (0x36), offset 33 (0x21), also converted to Base64 before input
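As an added illustration (not code from the article, the generator's author or the Sector Extractor tool), the following Python reads those two spans from a raw disk image and Base64-encodes them in the form the generator asks for. It assumes 512-byte sectors, and the sample image it builds is constructed, not a real infected disk.

```python
import base64

SECTOR_SIZE = 512  # assumed sector size; the article's offsets are given in such sectors

# Locations quoted in the article: 512 bytes at sector 55 (0x37) offset 0,
# and an 8-byte nonce at sector 54 (0x36) offset 33 (0x21).
VERIFICATION_SECTOR, VERIFICATION_OFFSET, VERIFICATION_LEN = 0x37, 0x0, 512
NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN = 0x36, 0x21, 8


def read_span(disk: bytes, sector: int, offset: int, length: int) -> bytes:
    """Return `length` bytes starting at byte `offset` inside `sector` of a raw image."""
    start = sector * SECTOR_SIZE + offset
    end = start + length
    if end > len(disk):
        raise ValueError(f"image too short: need {end} bytes, have {len(disk)}")
    return disk[start:end]


def extract_petya_inputs(disk: bytes) -> dict:
    """Pull both spans the generator asks for and Base64-encode them for pasting."""
    verification = read_span(disk, VERIFICATION_SECTOR, VERIFICATION_OFFSET, VERIFICATION_LEN)
    nonce = read_span(disk, NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN)
    return {
        "verification_b64": base64.b64encode(verification).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def build_sample_image() -> bytes:
    """Constructed stand-in for a disk image (NOT a real infected disk): 64 zeroed
    sectors with recognisable bytes placed where the article says the data lives."""
    image = bytearray(64 * SECTOR_SIZE)
    v_start = VERIFICATION_SECTOR * SECTOR_SIZE + VERIFICATION_OFFSET
    image[v_start : v_start + VERIFICATION_LEN] = bytes(range(256)) * 2
    n_start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[n_start : n_start + NONCE_LEN] = b"NONCE-8B"
    return bytes(image)


if __name__ == "__main__":
    # For a real case, replace build_sample_image() with the bytes of a disk image,
    # e.g. open("disk.img", "rb").read() (hypothetical path); on Windows the raw
    # drive can be opened as r"\\.\PhysicalDrive0" with administrator rights.
    inputs = extract_petya_inputs(build_sample_image())
    print("verification (Base64):", inputs["verification_b64"][:32] + "...")
    print("nonce (Base64):", inputs["nonce_b64"])
```

Work from a copy of the disk image rather than the live drive wherever possible, so that a mistake in the offsets cannot touch the original.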

Bleeping Computer has a well-informed write-up that walks victims through the process of extracting the data. The tool, released as the PETYA Sector Extractor, can be downloaded here.

Once the data is obtained, users can visit the decryption website, which asks for the data extracted from the infected drive. Once the data is fed in, a key is generated which can then be used to decrypt the PETYA-infected computer.

Once the disk is decrypted, the ransomware prompts the user to reboot the computer, at which point the machine boots normally.

Image credit: Trend Micro.