A virulent strain of ransomware that took crypto-extortion to new heights has been flawed by a lone security researcher.
The ransomware called Petya had only been in the wild for a couple of weeks, and had already earned a reputation as being far more sophisticated than usual strains of malware, and extremely destructive. It terrorised victims by rendering their entire computer unusable, locking all files in their startup drive. It specifically targeted enterprise IT departments and hid itself in Dropbox links in email messages.
> See also: How Chimera changes the ransomware game
Previously, the only way to recover from the infection was to pay up. But mystery Twitter user @Leostone announced over the weekend that they had successfully cracked the ransomware's code in order to device a method to allow victims to restore files without paying the hefty ransom:
'I just finished reversing the hashing algorithm that petya uses to encrypt and… hacked together a program to search for key via bruteforce,' said @Leostone.
The researcher then posted the full code on GitHub, and a free web app has been put up on hosting platform Heroku which allows victims to generate a key in seconds that is then used to retrieve the password that Petya used to encrypt your files.
To use @Leostone’s decryption tool you will need to attach the Petya affected drive to another computer and extract specific data from it. Blogger Lawrence Adams at Bleeping Computer explained in full how to do this to defeat Petya and completely unencrypt your computer.
Its inevitable that the criminals behind the Petya will soon improve their malware in response to this solution, releasing a newer version with stronger encryption that. But this instance shows that malware is not invincible, like any piece of software it has bugs and paying up is not inevitable.
'The ease of retrieving the password is yet another reminder of the oft-repeated maxim that crypto is hard – both for good and bad guys alike,' wrote Dan Goodin, security editor at Ars Technica. 'The task can be particularly difficult when deriving and storing a password on a computer that's accessible to the adversary.'
Even when a solution like the one shown here isn't immediately available, Paul Evans, CEO of backup firm Redstor argues it's not necessary for most companies to live in fear of debilitating ransomware like Petya. Keeping regular backups of data and the having proper restoration strategy in place is a start.
'Whether your backups are kept on the premises or off-site, it should become regular practice to test your data protection solution for integrity and completeness,' he says. 'This will ensure that when the time comes, you'll have the right data at your disposal and you'll know that your data recovery will be more effective.'
'The bottom line is, by recovering systems in this fashion you'll essentially be overriding any malware infection and getting your IT systems to a working state once again.'