{"id":880,"date":"2016-04-12T02:08:27","date_gmt":"2016-04-12T02:08:27","guid":{"rendered":"http:\/\/www.dogoodsoft.com\/blog\/?p=880"},"modified":"2024-12-23T07:46:22","modified_gmt":"2024-12-23T07:46:22","slug":"petya-ransomware-encryption-cracked","status":"publish","type":"post","link":"https:\/\/www.dogoodsoft.com\/blog\/petya-ransomware-encryption-cracked-880\/","title":{"rendered":"&#8220;Petya&#8221; ransomware encryption cracked"},"content":{"rendered":"<h3><a href=\"https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/04\/14.jpg\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-881 size-full\" src=\"https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/04\/14.jpg\" alt=\"&quot;Petya&quot; ransomware encryption cracked\" width=\"348\" height=\"193\" srcset=\"https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/04\/14.jpg 348w, https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/04\/14-300x166.jpg 300w, https:\/\/www.dogoodsoft.com\/blog\/wp-content\/uploads\/2016\/04\/14-2x1.jpg 2w\" sizes=\"auto, (max-width: 348px) 100vw, 348px\" \/><\/a><\/h3>\n<h3 id=\"article-intro\">Utility generates unscrambling key.<\/h3>\n<p>Users whose data has been held to ransom by the Petya malware now have an option to decrypt the information, thanks to a new tool that generates an unscrambling key.<\/p>\n<p>Petya appeared around March this year. 
Once executed with Windows administrator privileges, Petya rewrites the master boot record on the computer&#8217;s hard drive, crashes the operating system and, on restart, scrambles the data on the disk while masquerading as the CHKDSK file consistency utility.<\/p>\n<p>The Petya attackers then demand approximately A$555 in ransom, payable in Bitcoin, to provide a decryption key for the locked system.<\/p>\n<p>An anonymous security researcher using the Twitter handle leo_and_stone has now cracked the encryption Petya uses, the Salsa10 function created by DJ Bernstein in 2004.<\/p>\n<p>Decrypting hard disks scrambled with Petya using the tool is a relatively complex operation. The tool requires data from an eight-byte nonce (random, use-once number) file and a 512-byte sector from the hard disk to be input into a website to generate the decryption key.<\/p>\n<p>This means the Petya-infected hard drive has to be removed from the victim computer, and the small amount of data needed for the decryptor read and copied with low-level system utilities.<\/p>\n<p>Once that is done, the scrambled hard drive has to be reinserted into a computer to bring up the Petya ransom demand screen, at which stage the decryption key can be entered.<\/p>\n<p>Tech support site Bleeping Computer, run by computer forensics specialist Lawrence Abrams, reported success with Leo Stone&#8217;s Petya decryptor, with keys being generated in just seconds.<\/p>\n<p>A Windows tool to make it easier to extract the verification data and nonce was also created by researcher Fabian Wosar from security vendor Emsisoft.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Utility generates unscrambling key. Users whose data has been held to ransom by the Petya malware now have an option to decrypt the information, thanks to a new tool that generates an unscrambling key. Petya appeared around March this year. 
Once executed with Windows administrator privileges, Petya rewrites the master boot record on the computer&#8217;s &hellip; <a href=\"https:\/\/www.dogoodsoft.com\/blog\/petya-ransomware-encryption-cracked-880\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">&#8220;Petya&#8221; ransomware encryption cracked<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[52,343,344],"class_list":["post-880","post","type-post","status-publish","format-standard","hentry","category-news","tag-encryption","tag-petya","tag-ransomware"],"_links":{"self":[{"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/posts\/880","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/comments?post=880"}],"version-history":[{"count":1,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/posts\/880\/revisions"}],"predecessor-version":[{"id":882,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/posts\/880\/revisions\/882"}],"wp:attachment":[{"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/media?parent=880"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/categories?post=880"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.dogoodsoft.com\/blog\/wp-json\/wp\/v2\/tags?post=880"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}