An individual going by the Twitter handle leostone was able to create an algorithm that can generate the password used to decrypt a Petya encrypted computer. In my test, this algorithm was able to generate my key in 7 seconds.
The solution used to generate this key is called a genetic algorithm and is one that mimics the evolutionary process in order to solve problems. According to MathWorks:
A genetic algorithm (GA) is a method for solving both constrained and unconstrained optimization problems based on a natural selection process that mimics biological evolution. The algorithm repeatedly modifies a population of individual solutions. At each step, the genetic algorithm randomly selects individuals from the current population and uses them as parents to produce the children for the next generation. Over successive generations, the population "evolves" toward an optimal solution.
Leostone has set up a web site (you can use this site if the other one is down) that a victim can use to generate the key once they provide some information from the infected drive. Below are instructions on how to retrieve the required information so you can use leostone's site to generate your decryption key.
How to generate your Petya Decryption key to decrypt your hard drive
To use Leostone's decryption tool you will need to attach the Petya affected drive to another computer and extract specific data from it. The data that needs to be extracted is the 512 bytes starting at sector 55 (0x37) with an offset of 0 and the 8 byte nonce from sector 54 (0x36) at offset 33 (0x21). This data then needs to be converted to Base64 encoding and entered on the https://petya-pay-no-ransom.herokuapp.com/ site to generate the key.
Unfortunately, for many victims extracting this data is not an easy task. The good news is that Fabian Wosar created a special tool that can be used to easily extract this data. In order to use this tool, you need to take the encrypted drive from the affected computer and attach it to a Windows computer that is working properly. If your infected computer has multiple drives, you should only remove the drive that is the boot drive, or C:\ drive, for your computer.
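The extraction described above, as an added Python example that is not Fabian Wosar's tool or leostone's code: it pulls the 512-byte verification block from sector 55 and the 8-byte nonce from sector 54 offset 0x21 out of a raw disk image and Base64-encodes both. The disk image used when run without arguments is constructed inline and is not a real Petya disk; the file-path argument is an assumption for reading a raw image you captured yourself.

```python
import base64
import sys

SECTOR_SIZE = 512
VERIFY_SECTOR = 55      # 0x37: 512 bytes of verification data, offset 0
NONCE_SECTOR = 54       # 0x36: 8-byte nonce lives at offset 0x21
NONCE_OFFSET = 0x21
NONCE_LEN = 8


def read_region(image, sector, offset, length):
    """Return `length` bytes starting at `offset` within `sector` of a raw image."""
    start = sector * SECTOR_SIZE + offset
    if start + length > len(image):
        raise ValueError("image too small: sector %d is not present" % sector)
    return image[start:start + length]


def extract_petya_fields(image):
    """Base64-encode the two values the decryption site asks for."""
    verification = read_region(image, VERIFY_SECTOR, 0, SECTOR_SIZE)
    nonce = read_region(image, NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN)
    return {
        "verification_b64": base64.b64encode(verification).decode("ascii"),
        "nonce_b64": base64.b64encode(nonce).decode("ascii"),
    }


def build_sample_image():
    """Constructed 64-sector image (not real Petya data) with marker bytes."""
    image = bytearray(64 * SECTOR_SIZE)
    start = VERIFY_SECTOR * SECTOR_SIZE
    image[start:start + SECTOR_SIZE] = bytes(range(256)) * 2
    nonce_start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[nonce_start:nonce_start + NONCE_LEN] = b"\x01\x02\x03\x04\x05\x06\x07\x08"
    return bytes(image)


if __name__ == "__main__":
    if len(sys.argv) == 2:
        # Only the first 56 sectors are needed, so read just that much.
        with open(sys.argv[1], "rb") as f:
            data = f.read((VERIFY_SECTOR + 1) * SECTOR_SIZE)
    else:
        data = build_sample_image()
    for name, value in extract_petya_fields(data).items():
        print(name, value)
```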
For those who may find it difficult to remove a hard drive from one computer and attach it to another, you can purchase a USB hard drive docking station. A docking station that I have used and recommend is the Inateck FD1003 docking station as it supports both 3.5" and 2.5" SATA drives and comes with everything you need to hook the drive up to a computer. Simply insert the encrypted drive into the docking station and then attach it via the USB cable to a working computer.
Once you have the encrypted drive attached to a working computer, simply download Fabian Wosar's Petya Sector Extractor and save it to your desktop. Once saved, extract it and execute the PetyaExtractor.exe program. Once the program starts it will scan all of the removable and fixed drives on your computer for ones that contain the Petya Ransomware bootcode. When it detects the drive, it will automatically select it and display a screen like the one below.
Now, open a web browser and navigate to either the https://petya-pay-no-ransom.herokuapp.com or https://petya-pay-no-ransom-mirror1.herokuapp.com/ site. On this site are two textboxes labeled Base64 encoded 512 bytes verification data and Base64 encoded 8 bytes nonce. In order for leostone's site to generate your decryption key, you need to enter the data extracted from Fabian's Petya Sector Extractor into these textboxes.
In Petya Extractor, click on the Copy Sector button, which will copy the 512 byte verification data to your clipboard. Now go back to the decryption site and paste the verification data into the textbox labeled Base64 encoded 512 bytes verification data.
Then go back to the Petya Sector Extractor and click on the Copy Nonce button to copy the nonce to your clipboard. Once again, go back to the decryption site and paste the nonce into the textbox labeled Base64 encoded 8 bytes nonce.
When you are done, the decryption site should have data in both textboxes as shown below.
To generate your decryption password, click on the Submit button. Leostone's site will now execute the genetic algorithm that is used to create your password for the Petya Ransomware lock screen. This process shouldn't take more than a minute, and when done, will display your password as shown below.
Now write down this password and attach your encrypted hard drive back into the original computer. With the drive attached, boot up the infected computer and when it gets the Petya Ransomware lock screen, enter the generated password. The password should be accepted and the ransomware will begin to decrypt your hard drive.
Once the hard drive is decrypted, the ransomware will prompt you to reboot your computer and it should now boot normally.
For those who would like to show their appreciation, there is a donation button on Leostone's decryption site.
Update (4/11/16): Added information about the mirror decryption site in the event that the primary is down. The mirror site: https://petya-pay-no-ransom-mirror1.herokuapp.com/
Comments
T3P0X - 7 years ago
when i open the site , i get an application error..
leostone - 7 years ago
@T3P0X
https://petya-pay-no-ransom-mirror1.herokuapp.com/
because: https://twitter.com/leo_and_stone/status/719431163266392065
Lawrence Abrams - 7 years ago
Thanks..updated the guide.
ebrobonea - 7 years ago
Very, very useful, I don't know if I can do it, but I have to do it! I am studying.
amaringo - 7 years ago
This is good news..now is it possible to defeat .surprise ransomware too..please
ebrobonea - 7 years ago
Thank you! The good world is opened for me! This is wonderful! I have to prepare something, I will have another hacked computer network!
I'll be back soon (a few days)
All the best
SteveSi - 7 years ago
Why can't you just boot from a USB drive on the infected computer to get the sector info?
I booted to WinPE 32-bit and ran the PetyaExtractor.exe and it ran (but I did not have an infected disk).
Lawrence Abrams - 7 years ago
Whatever method works for you :) For some even that is too difficult, which is why I went with the USB docking station method.
LBA-Relax - 7 years ago
Hi, I have my disk encrypted but in the rush I reinstalled Windows on my disk "C" but "D" is still encrypted. I have tried to download Petya Extractor but it can't find any infected drive.
Am I screwed? Or can I still get my files back?
PS: sorry for my English, I'm French and I'm not really strong in English so...^^
Thanks to anyone who wants to help and thanks for this thread btw
Lawrence Abrams - 7 years ago
Unfortunately, the code we need was probably on the MBR of the c: drive. This was overwritten when you reinstalled.
luitelshreeram - 7 years ago
Great finding folks! KUDOS!!!!!
ertuzio - 7 years ago
It seems to me that there is a new Petya ransomware and the method above doesn't work anymore..... I get an infinite loop on that website for making the key... I also get the green message screen after Petya has installed.... not red
Demonslay335 - 7 years ago
Correct, there is currently no way to fully decrypt the "green" Petya variant once it has rebooted (stage 2). hasherezade is still looking into it. Her decrypter does work on stage 1 for the new variant I believe, if it hasn't been rebooted yet.
More information: https://www.bleepingcomputer.com/news/security/petya-is-back-and-with-a-friend-named-mischa-ransomware/
procrash - 7 years ago
For the green version there's a solution available too: (see petyaransomwarehilfe.wordpress.com)