Petya is a relatively new member of the ransomware epidemic. Security companies started to report it less than a month ago and it created some serious concerns. This is because unlike other types of ransomware it doesn’t encrypt files individually but instead targets the Master Boot Record (MBR) at the start of the hard disk.
In most cases this would prevent a disk from loading and there have been virus attacks against the MBR in the past. The loss of the MBR does not mean data cannot be recovered and there are many companies who offer tools and even services to recover lost data on drives. However it is expensive and time consuming with no guarantee of success. Having been there I know this from personal experience.
In this case the goal was not to wipe out the disk but demand money. For that to happen the disk needed to boot so the cybercriminals behind Petya wrote their own boot loader and kernel. Now, it appears, all of that effort was in vain as a free utility to help users unlock their computers without paying money to the Petya authors has appeared.
The appearance of this tool is credited to a Twitter user using the handle @leostone and the name Keith Beech. Little is known about this user, who appears to be following 4 people and has just 3 followers. However, the Twitter handle has been trending since the news of this answer to Petya broke.
How easy is it?
That’s a good question and the answer is not quite as simple as you may think. In essence all anyone with an infected machine has to do is extract some data from the locked drive and then input it into a field on a website. That will then provide a key that can be used to restore the data. As Alexander Orlov of Compare the Meerkat would say: “simples!”
The problem is it’s not quite that simple. To extract the required data from the computer you can either:
- Remove the hard disk from the computer and then attach it to a second machine
- Boot the computer using a USB stick or some other bootable media
There is no proof at the moment that using option 1 could lead to an infection of the second machine. It’s a fair bet, however, that the Petya authors will be looking at how to make this happen in their next update.
Once access to the disk is obtained a tool is needed to locate two pieces of data on the disk:
- 512 bytes of data starting at sector 55 (0x37) with an offset of 0
- An 8-byte nonce (this is the cryptographic key used by the Petya ransomware) from sector 54 (0x36), offset 33 (0x21)
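To show what the extraction step amounts to, here is an added example (not the @leostone website, Fabian Wosar's tool, or anything else from the article) that pulls the two pieces of data from a raw disk image opened read-only. It assumes 512-byte sectors with zero-based LBA numbering, and it encodes the results as Base64 and hex only so they can be copied; which encoding the website expects is not stated in the article. The sample image is constructed, not real Petya data.

```python
import base64
import io

SECTOR_SIZE = 512        # assumed: standard 512-byte sectors, zero-based LBA

# Locations given in the article
VERIFY_SECTOR = 55       # 0x37: 512 bytes from offset 0
NONCE_SECTOR = 54        # 0x36
NONCE_OFFSET = 33        # 0x21
NONCE_LEN = 8


def read_bytes(disk, sector, offset, length):
    """Read `length` bytes at sector*512+offset from a seekable read-only stream."""
    disk.seek(sector * SECTOR_SIZE + offset)
    data = disk.read(length)
    if len(data) != length:
        raise ValueError(f"short read at sector {sector} offset {offset}: "
                         f"wanted {length}, got {len(data)}")
    return data


def extract_petya_data(disk):
    """Return (512-byte verification block, 8-byte nonce) from the stream."""
    verify = read_bytes(disk, VERIFY_SECTOR, 0, SECTOR_SIZE)
    nonce = read_bytes(disk, NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN)
    return verify, nonce


def extract_from_path(path):
    """Open a raw device or image read-only ('rb' never writes) and extract."""
    with open(path, "rb") as disk:
        return extract_petya_data(disk)


def build_constructed_image():
    """Constructed sample: 64 zeroed sectors with markers at the two locations."""
    img = bytearray(64 * SECTOR_SIZE)
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[start:start + NONCE_LEN] = b"NONCE_01"          # placeholder nonce
    start = VERIFY_SECTOR * SECTOR_SIZE
    img[start:start + SECTOR_SIZE] = bytes(range(256)) * 2  # placeholder block
    return bytes(img)


def demo():
    """Run the extraction against the constructed image (no real disk needed)."""
    return extract_petya_data(io.BytesIO(build_constructed_image()))


if __name__ == "__main__":
    verify, nonce = demo()
    print("verification block (base64):", base64.b64encode(verify).decode())
    print("nonce (hex):", nonce.hex())
```

To run it against a real drive, pass the block device or a forensic image to `extract_from_path`; the stream is only ever read, never written.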
While there are many tools on the market that will enable a user to see data at this level on the disk, they are not always the easiest to use. It is important that the tools are used in read-only mode to prevent any risk of changes being written back to the drive. According to this article on Bleeping Computer, Fabian Wosar (@fwosar) has created a tool to make data extraction simple. More importantly, Bleeping Computer claims to have tested all parts of the solution and proved that they work.
Once the data has been obtained it is then input into the website set up by @leostone and an unlock key will be generated. That key can then be used to free the hard disk once it is inserted back into the original computer and rebooted into the Petya warning screen.
Is this the end of Ransomware?
No! This has only been possible because in the first version of Petya the author(s) made a mistake in how they encrypted the data and the cryptographic nonce. It is likely that we will see a second version circulating soon not only with this loophole closed but potentially with some additional code to detect when the drive has been connected to another computer.
While this is a temporary reprieve it is important that companies continue to educate their staff not to open emails and attachments that they are unsure of.