Experts devise method to defeat Petya ransomware with complicated but effective technique
13 Apr 2016
Thanks to a method devised by security experts, users infected with the Petya ransomware will not have to pay cyber criminals to be able to boot their computers.
The malware drew the attention of researchers last month when criminals distributed it to companies through spam emails dressed up as job applications.
It stood apart from the file-encrypting ransomware programs as it overwrote a hard disk drive's master boot record (MBR), rendering computers unable to boot into the operating system.
The program substituted the drive's legitimate MBR code, which starts the operating system, with code that encrypted the master file table (MFT) and displayed a ransom note. The MFT is a special file on NTFS volumes containing information about all other files: their name, size and mapping to hard disk sectors.
Though the actual contents of the user's files were not encrypted, without the MFT, the OS was unable to locate the files on the disk.
However, a user going by the Twitter handle @leostone has devised an algorithm to crack the key needed to restore the MFT and recover from a Petya infection.
The user has built a tool that generates the password Petya requires to decrypt the master boot file.
According to Bleeping Computer, a reputable self-help computer forum, the technique worked. Ars Technica had reported two weeks ago that a technical analysis written in German had already noted that the "encryption" used by Petya in its first phase was a simple fixed-value XOR of the Master Boot Record. That observation likely formed the basis for the tools that were recently made available.
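As an added illustration of why a fixed-value XOR of the MBR is so weak (this is example code written for this page, not @leostone's tool or any code from the analyses cited): a sector XORed with a single unknown byte can be restored by trying all 256 keys and keeping the one that yields a plausible MBR, using the 0x55 0xAA boot signature and the partition-table status bytes as the check. The sample MBR and the key byte below are constructed for the demonstration and are not values taken from the article.

```python
from typing import Optional

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of every valid MBR


def xor_sector(sector: bytes, key: int) -> bytes:
    """XOR every byte of a sector with one fixed key byte; the operation is its own inverse."""
    return bytes(b ^ key for b in sector)


def looks_like_mbr(sector: bytes) -> bool:
    """Sanity checks a plaintext MBR should pass: size, boot signature, partition status bytes."""
    if len(sector) != SECTOR_SIZE or sector[510:512] != BOOT_SIGNATURE:
        return False
    # Each of the four 16-byte partition entries (offset 446) starts with a status
    # byte that is either 0x00 (inactive) or 0x80 (bootable).
    return all(sector[446 + 16 * i] in (0x00, 0x80) for i in range(4))


def recover_xor_key(obscured: bytes) -> Optional[int]:
    """Try all 256 single-byte keys; return the unique key that yields a plausible MBR, else None."""
    candidates = [k for k in range(256) if looks_like_mbr(xor_sector(obscured, k))]
    return candidates[0] if len(candidates) == 1 else None


def build_sample_mbr() -> bytes:
    """Constructed sample MBR: dummy boot code, one bootable NTFS-style entry, boot signature."""
    boot_code = b"\xfa\x33\xc0\x8e\xd0" + b"\x90" * (446 - 5)  # placeholder boot code
    partition = bytes([0x80, 0x01, 0x01, 0x00, 0x07, 0xfe, 0xff, 0xff,
                       0x3f, 0x00, 0x00, 0x00, 0x00, 0x20, 0x03, 0x00])
    empty_entry = b"\x00" * 16
    return boot_code + partition + empty_entry * 3 + BOOT_SIGNATURE


if __name__ == "__main__":
    original = build_sample_mbr()
    demo_key = 0x37  # constructed demo key, not a value from the article
    obscured = xor_sector(original, demo_key)
    found = recover_xor_key(obscured)
    print("recovered key:", hex(found) if found is not None else "none")
    assert found is not None and xor_sector(obscured, found) == original
```

Because the boot signature alone pins the key to a single value, the "brute force" is really a two-byte lookup; the partition-status check only guards against a damaged or non-MBR sector being accepted.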