Tools to Unlock Ransomware
Wednesday, April 13, 2016 @ 07:04 AM gHale
There is an online service and a desktop tool that can help victims generate the password needed to unlock their computer from one type of ransomware.
The Petya ransomware first appeared March 25 and worked differently from any other ransomware.
Instead of encrypting each file in turn and leaving the PC in a functional state, the ransomware crashed the computer, and when it rebooted, it altered the hard drive’s boot record and encrypted the entire hard drive.
The computer would be stuck at this pre-boot screen, and to recover their files, the user would have to pay the ransom and type the password they received into the pre-boot command line.
Because researchers found the ransomware does not communicate with a server in any way, they concluded the entire encryption process is contained locally. They then reverse-engineered the malware in search of a way around its encryption scheme.
A researcher who did not want to reveal his name, going only by the Twitter handle Leo Stone, discovered a way to crack the ransomware algorithmically. He also created two websites where victims can obtain the decryption password; if one site is unavailable, the victim can use the other.
To crack Petya, users need to extract some information from their hard drive, which is extremely difficult. But there’s good news for this problem as well thanks to a tool created by Emsisoft’s Fabian Wosar.
The first thing the victim needs to do is attach the infected hard drive to another computer; it must be a working Windows computer, because Wosar’s tool runs on Windows. This application scans hard drives for Petya infections and automates the process of extracting the information needed to crack the ransomware.
Once Wosar’s Petya Sector Extractor finds a Petya-infected hard drive, press the first button, which says “Copy Sector.” This copies a special section of your hard drive to the clipboard. Now open either of Leo Stone’s websites and press CTRL+V to paste the hard drive sector into the big textarea that says “Base64 encoded 512 bytes verification data.”
Now go back to Wosar’s Petya Sector Extractor and press the second button that says “Copy Nonce.” Go back to the website and paste this information in the smaller field that reads “Base64 encoded 8 bytes nonce,” below the first.
Once you have both fields filled with the proper data, press “Submit” and wait for the algorithm to do its work.
After you get the decryption password, put the Petya infected hard drive back in its original computer and boot up the PC. Once it reaches the ransom screen, just enter the password in the appropriate section and press Enter.
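The procedure above depends on two raw values from the infected drive: a 512-byte verification sector and an 8-byte nonce, each base64-encoded so it can be pasted into the web form. The following Python script is an added example, not Wosar’s Petya Sector Extractor or Leo Stone’s code. It shows what that extraction step amounts to for someone who has a raw image of the first sectors of the drive (for example a dump taken with dd from a non-Windows rescue system): it reads the two values, base64-encodes them, and checks that they decode to exactly 512 and 8 bytes, the sizes the form’s field labels ask for. The sector numbers and nonce offset are assumptions taken from public analyses of the original Petya bootloader, not from this article, and a later variant may place them elsewhere. The sample image is constructed in the script so it runs offline.

```python
import base64
import sys

SECTOR_SIZE = 512

# Sector layout of the original Petya bootloader. These offsets are an
# assumption based on public analyses of the sample, not on the article;
# confirm them against your own dump before trusting the output.
NONCE_SECTOR = 54           # Petya's configuration sector
NONCE_OFFSET = 33           # position of the 8-byte nonce inside that sector
NONCE_LEN = 8
VERIFICATION_SECTOR = 55    # the 512-byte verification block


def read_sector(image: bytes, index: int) -> bytes:
    """Return one 512-byte sector from a raw image of the start of the drive."""
    start = index * SECTOR_SIZE
    end = start + SECTOR_SIZE
    if end > len(image):
        raise ValueError(
            f"image holds only {len(image) // SECTOR_SIZE} sectors, need sector {index}")
    return image[start:end]


def verification_field(image: bytes) -> str:
    """Base64 of the 512-byte verification sector: the form's first field."""
    return base64.b64encode(read_sector(image, VERIFICATION_SECTOR)).decode("ascii")


def nonce_field(image: bytes) -> str:
    """Base64 of the 8-byte nonce: the form's second field."""
    sector = read_sector(image, NONCE_SECTOR)
    return base64.b64encode(sector[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]).decode("ascii")


def fields_are_well_formed(verification_b64: str, nonce_b64: str) -> bool:
    """True if both values are valid base64 decoding to 512 and 8 bytes respectively."""
    try:
        verification = base64.b64decode(verification_b64, validate=True)
        nonce = base64.b64decode(nonce_b64, validate=True)
    except ValueError:          # binascii.Error is a subclass of ValueError
        return False
    return len(verification) == SECTOR_SIZE and len(nonce) == NONCE_LEN


def constructed_sample_image(sectors: int = 64) -> bytes:
    """Constructed test image: zeros except for a recognisable nonce and verification block."""
    image = bytearray(sectors * SECTOR_SIZE)
    nonce_start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[nonce_start:nonce_start + NONCE_LEN] = bytes(range(0xA0, 0xA8))
    ver_start = VERIFICATION_SECTOR * SECTOR_SIZE
    image[ver_start:ver_start + SECTOR_SIZE] = bytes([0x37]) * SECTOR_SIZE
    return bytes(image)


def main(argv):
    if len(argv) != 2:
        print("usage: petya_fields.py <raw-disk-image-or-block-device>", file=sys.stderr)
        return 2
    needed = (VERIFICATION_SECTOR + 1) * SECTOR_SIZE
    with open(argv[1], "rb") as fh:
        image = fh.read(needed)     # only the first 56 sectors are needed
    v, n = verification_field(image), nonce_field(image)
    if not fields_are_well_formed(v, n):
        print("extracted data has an unexpected size; check the sector layout", file=sys.stderr)
        return 1
    print("Base64 encoded 512 bytes verification data:\n" + v)
    print("Base64 encoded 8 bytes nonce:\n" + n)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against a raw dump (or, on a rescue system, directly against the attached device) and paste the two printed values into the matching form fields. The size check matters because the decryption service cannot do anything useful with a truncated or mis-aligned sector, and a dump taken with the wrong block size is the most common way to get one.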