Petya ransomware encryption has been cracked

Petya ransomware hit companies hard, but the good news is that there are now tools available to get the encrypted files and locked computers back.

The ransomware not only encrypts the victims’ files, but also their disk’s Master File Table (MFT), and it replaces the boot drive’s existing Master Boot Record (MBR) with a malicious loader.

Nearly two weeks ago a malware analyst that goes by the handle Hasherezade created a decoder that extracted the key Petya victims had to input in order to reverse the damage, but it only worked if the system was not rebooted after the infection (Stage 1).

But on Friday an unidentified programmer that goes by “Leo Stone” published another tool that manages to extract the key even if the computer was rebooted (Stage 2).

Apparently, his father in law fell victim to Petya, and didn’t want to pay the ransom, so Leo Stone went exploring to find a possible fix. The code for the tool (and technical details about his search) can be found on GitHub.

The tool can also be accessed here, and is ready for use. The only problem is that in order to use it, one has to extract two pieces of information from the infected disk, and that’s not that easy for tech-unsavvy users.

Luckily, Emsisoft researcher Fabian Wosar created another tool that will allow victims to the extract this info, but they will have to have another uninfected computer available and know how to remove a hard drive from one computer and attach it to another.

For more information about the whole process, check out these instructions by Bleeping Computer’s Lawrence Abrams.

When you finally input the info into Leo Stone’s tool and get the key, simply insert it into the ransomware lock screen, and wait for the damage to be reversed.