Virus fighters and ransomware authors have been playing catch-up ever since file-encrypting trojans emerged, and unfortunately the latter tend to win. The crypto standards that computer extortionists leverage are impossible to crack most of the time; the only known success stories involve flaws in their implementation. In the Petya ransomware incident, things are different. The cybercriminals appear to have done everything professionally, but they chose to rely on a not-so-strong algorithm for data encoding, decoding and key verification. They use Salsa10, a stream cipher that, in their implementation, doesn't introduce enough entropy when scrambling the data matrix.
Thankfully, a security enthusiast nicknamed leostone has succeeded in devising an instrument to obtain the password required to unlock a Windows PC hit by Petya. This technique is somewhat different from other crack cases because the ransomware under consideration is non-standard. Rather than simply encrypting files on the hard drive, this infection encodes what's called the Master File Table (MFT), rendering the computer unable to even identify the location of files. To get hold of the key that decrypts the MFT, victims are told to pay about 1 BTC, or approximately 400 USD.
leostone came up with a solution that calculates the password automatically in a matter of minutes. The researcher set up a website to aid the infected users. His code is based on the so-called genetic algorithm, or genetic solver, which is intelligent enough to brute-force Salsa10 and generate the key. A victim needs to enter some system-specific data in two online forms on the aforementioned page, click the Submit button and give the algorithm some time to do the math.
For non-tech-savvy users, though, it may be difficult to extract the necessary details. First off, they need to provide the Base64-encoded 512-byte verification data, which is located on the infected drive at sector 55 (0x37), offset 0 (0x0). In the other field, the victim must paste the Base64-encoded 8-byte nonce located at sector 54 (0x36), offset 33 (0x21). While it may indeed sound like rocket science to most users, other experts lent them a helping hand.
To get hold of this information, the person should temporarily remove the corrupted hard drive from the infected machine and connect it to a healthy computer. Then, they can download a tool dubbed the Petya Sector Extractor, courtesy of Emsisoft's Fabian Wosar, a well-known ransomware researcher. When this app runs, it automatically grabs the sector and nonce details, which can then simply be copied and pasted into leostone's Petya-Pay-No-Ransom page. Once the key has been recovered, the hard drive can be safely connected to the original PC again.
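As an added illustration of the extraction step (not leostone's or Fabian Wosar's code), this Python snippet reads the two regions named above from a raw disk image and Base64-encodes them for pasting into the form fields. The 512-byte sector size and the image file path are assumptions, and the sample image is constructed.

```python
import base64
import sys

SECTOR_SIZE = 512                                   # assumed: 512-byte sectors
VERIFY_SECTOR, VERIFY_OFFSET, VERIFY_LEN = 55, 0x00, 512   # sector 55 (0x37), offset 0
NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN = 54, 0x21, 8        # sector 54 (0x36), offset 33


def read_region(disk, sector, offset, length):
    """Slice `length` bytes starting at byte offset sector * SECTOR_SIZE + offset."""
    start = sector * SECTOR_SIZE + offset
    chunk = disk[start:start + length]
    if len(chunk) != length:
        raise ValueError(f"image too short for sector {sector} offset {offset:#x}")
    return bytes(chunk)


def extract_petya_fields(disk):
    """Return (verification_b64, nonce_b64), the two strings the form asks for."""
    verification = read_region(disk, VERIFY_SECTOR, VERIFY_OFFSET, VERIFY_LEN)
    nonce = read_region(disk, NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN)
    return (base64.b64encode(verification).decode("ascii"),
            base64.b64encode(nonce).decode("ascii"))


def build_sample_image():
    """Constructed 56-sector image: zeros, with marker bytes where Petya keeps its data."""
    image = bytearray(56 * SECTOR_SIZE)
    v_start = VERIFY_SECTOR * SECTOR_SIZE + VERIFY_OFFSET
    image[v_start:v_start + VERIFY_LEN] = b"A" * VERIFY_LEN
    n_start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[n_start:n_start + NONCE_LEN] = bytes(range(1, 9))
    return bytes(image)


if __name__ == "__main__":
    # Usage: python extract.py /path/to/disk.img  (assumed path; raw image of the infected disk)
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            disk = f.read(56 * SECTOR_SIZE)      # only the first 56 sectors are needed
    else:
        disk = build_sample_image()
    verification_b64, nonce_b64 = extract_petya_fields(disk)
    print("verification data:", verification_b64)
    print("nonce:", nonce_b64)
```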
A combined effort like this is a remarkable thing. Infected Windows users can now decrypt their Master File Table and regain access to their computers without having to pay a penny. In the past, ransomware creators would upgrade their code in response to successful security initiatives in order to make new editions uncrackable. Hopefully this won't be the case with Petya. Meanwhile, the tool works wonders for everyone infected.