{"id":11819,"date":"2016-04-11T13:30:24","date_gmt":"2016-04-11T17:30:24","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=11819"},"modified":"2017-09-24T08:07:12","modified_gmt":"2017-09-24T12:07:12","slug":"petya-decryptor","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/petya-decryptor\/11819\/","title":{"rendered":"Ransomware bug leads to Petya decryptor"},"content":{"rendered":"<p><b>[Updated on June 28, 2017]<\/b><\/p>\n<p>Typically we don\u2019t cheer bugs. However, today we\u2019ll make an exception.<\/p>\n<p>You see, a bug or flaw in the code <a href=\"https:\/\/www.kaspersky.com\/blog\/petya-ransomware\/11715\/\" target=\"_blank\" rel=\"noopener nofollow\">of Petya ransomware<\/a> has allowed a developer to create a tool to unlock a user\u2019s device without paying the ransom.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-11717\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/03\/06022553\/petya-ransomware-fb-3.png\" alt=\"Petya ransomware eats your hard drives\" width=\"1280\" height=\"1280\"><\/p>\n<p>Last month, we alerted you about Petya and its penchant to destroy devices. 
So I\u2019d say that a cheer or Internet high-five is well deserved for the user identified as @Leostone on Twitter.<\/p>\n<blockquote class=\"twitter-tweet\" data-width=\"500\" data-dnt=\"true\">\n<p lang=\"en\" dir=\"ltr\"><a href=\"https:\/\/twitter.com\/hashtag\/petya?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#petya<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/ransomware?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#ransomware<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/defeated?src=hash&amp;ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">#defeated<\/a><br>Get your disks back here: <a href=\"https:\/\/t.co\/vXH2ny6jdk\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/t.co\/vXH2ny6jdk<\/a><\/p>\n<p>\u2014 leostone (@leo_and_stone) <a href=\"https:\/\/twitter.com\/leo_and_stone\/status\/718752407660994560?ref_src=twsrc%5Etfw\" target=\"_blank\" rel=\"noopener nofollow\">April 9, 2016<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n<p>With the avatar being an egg, one would have to wonder \u2013 does this decryptor actually work? To find out, we reached out to our research team.<\/p>\n<p>The team confirmed that the tool really works. But there are a few issues. First, @Leostone made the decryptor as a webpage that can generate keys for you to decrypt the data. And that page has certain issues with availability at the moment \u2014 it seems that its hosting provider probably couldn\u2019t handle all the \u2018happy Petya customers\u2019 that immediately wanted to get the cure.<\/p>\n<p>Second, it requires that you remove your hard drive and insert it into another PC. Then you have to extract some special data from certain of its sectors and, using a <a href=\"https:\/\/en.wikipedia.org\/wiki\/Base64\" target=\"_blank\" rel=\"noopener nofollow\">Base64 decoder<\/a>, decode it. 
Upload it to the site and \u2014 voila \u2014 you have the key you can now feed to Petya. And it will decrypt your hard drive.<\/p>\n<p>As you can see, the procedure is quite complicated and requires certain skills. Another Twitter user, <a href=\"https:\/\/twitter.com\/intent\/user?screen_name=fwosar\" target=\"_blank\" rel=\"noopener nofollow\">Fabian Wosar<\/a>, made it easier for you, as he has created a special utility called Petya Sector Extractor that does the dirty part of the job. You still have to remove your hard drive and find another PC to stick it in, but then the utility will extract the required data and process it. The only thing you have to do after that to get the key is input the data that the utility gave you into the forms on @Leostone\u2019s webpage.<\/p>\n<p><img decoding=\"async\" class=\"aligncenter size-full wp-image-11821\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2016\/04\/06022457\/Petya-sot.png\" alt=\"Petya sot\" width=\"991\" height=\"599\"><\/p>\n<p>Our research team also notes that this tool exploits a flaw in the Petya programming. Much like companies with patches, in a week or so we will probably see a newer version of Petya that fixes the flaw that allows the data to be decrypted.<\/p>\n<p>If you\u2019ve fallen victim to Petya and don\u2019t want to pay the ransom of approximately $480, you may want to give the tool a try. You can access the site at: <a href=\"https:\/\/petya-pay-no-ransom.herokuapp.com\/\" target=\"_blank\" rel=\"noopener nofollow\">https:\/\/petya-pay-no-ransom.herokuapp.com\/<\/a>. The Petya Sector Extractor can be <a href=\"http:\/\/download.bleepingcomputer.com\/fabian-wosar\/PetyaExtractor.zip\" target=\"_blank\" rel=\"noopener nofollow\">downloaded here<\/a>. Even with these links, you will need some technical know-how. 
The team at Bleeping Computer <a href=\"http:\/\/www.bleepingcomputer.com\/news\/security\/petya-ransomwares-encryption-defeated-and-password-generator-released\/\" target=\"_blank\" rel=\"noopener nofollow\">walk you through all of the steps<\/a> and tech that you will need.<\/p>\n<input type=\"hidden\" class=\"category_for_banner\" value=\"kis-trial-ransomware\">\n<h3>Update from June 28, 2017<\/h3>\n<p>If you\u2019re looking for information regarding the new Petya \/ NotPetya \/ ExPetr ransomware outbreak, we have a <a href=\"https:\/\/www.kaspersky.com\/blog\/new-ransomware-epidemics\/17314\/\" target=\"_blank\" rel=\"noopener nofollow\">dedicated post with advice on how to protect your files<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A bug in Petya ransomware has led to a decryptor that can help those impacted.<\/p>\n","protected":false},"author":636,"featured_media":11716,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,9],"tags":[1545,1511,420,1546],"class_list":{"0":"post-11819","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-tips","9":"tag-patya-ransomware","10":"tag-petya","11":"tag-ransomware","12":"tag-ransomware-decryptor"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/petya-decryptor\/11819\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/petya-decryptor\/5415\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/petya-decryptor\/7012\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/petya-decryptor\/7036\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/petya-decryptor\/6950\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/petya-decryptor\/8091\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/petya-decryptor\/7945\/"},{"hreflan
g":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/petya-decryptor\/11585\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/petya-decryptor\/5521\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/petya-decryptor\/6161\/"},{"hreflang":"de","url":"https:\/\/www.kaspersky.de\/blog\/petya-decryptor\/7383\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/petya-decryptor\/10990\/"},{"hreflang":"ru-kz","url":"https:\/\/blog.kaspersky.kz\/petya-decryptor\/11585\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/petya-decryptor\/11819\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/petya-decryptor\/11819\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/patya-ransomware\/","name":"Patya Ransomware"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11819","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/636"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=11819"}],"version-history":[{"count":3,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11819\/revisions"}],"predecessor-version":[{"id":19260,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/11819\/revisions\/19260"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/11716"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=11819"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=11819"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/b
log\/wp-json\/wp\/v2\/tags?post=11819"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}