Security researchers have developed a free decryptor tool that recovers files affected by all versions of Petya ransomware.
The tool uses the master key released by the author of the original Petya version, who goes by the online nickname Janus, to recover keys for the Red Petya, Green Petya, Mischa and Goldeneye ransomware.
Petya ransomware was first discovered in March 2016. Unlike other malware of this kind, Petya completely encrypts the hard drive of the infected computer rather than only a few types of files, such as images or documents. Later, Janus created and released three separate versions of the Petya ransomware: Red Petya, Green Petya and Goldeneye.
Two other variants of Petya have also been discovered, but security researchers believe that these variants were created by unknown hackers who modified Petya’s compiled executable code with the goal of inserting their own encryption keys.
One of these versions is the destructive NotPetya ransomware that hit many companies and organizations all around the world in June. The other version is known as PetrWrap, and it was used in targeted attacks against companies in March.
Petya ransomware writes its own malicious code to the master boot record (MBR) of an infected PC, and that code is executed when the system is rebooted. The purpose of this malicious code is to encrypt the system’s master file table (MFT), a special file that contains information about all files stored on an HDD partition, including their names, sizes and locations. With a damaged MFT, Windows no longer knows how to read files from the hard drive. In other words, the OS becomes blind.
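A defender-side illustration of the MBR overwrite described above, added here and not part of the original article or the decryptor project: it compares the 446-byte bootstrap area of sector 0 with a baseline hash recorded while the machine was clean, and lists the partition entries. The sample sectors, function names and baseline workflow are assumptions constructed for the example.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bootstrap code area of a classic MBR
PART_TABLE_OFF = 446         # four 16-byte partition entries follow
BOOT_SIG = b"\x55\xaa"       # signature at bytes 510-511

def boot_code_hash(sector: bytes) -> str:
    """SHA-256 of the bootstrap code area only (partition table excluded)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("expected exactly one 512-byte sector")
    return hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest()

def partitions(sector: bytes) -> list:
    """Return (type, first LBA, sector count) for each non-empty entry."""
    out = []
    for i in range(4):
        entry = sector[PART_TABLE_OFF + 16 * i: PART_TABLE_OFF + 16 * (i + 1)]
        ptype = entry[4]                              # 0x00 means unused slot
        lba, count = struct.unpack_from("<II", entry, 8)
        if ptype:
            out.append((ptype, lba, count))
    return out

def check_mbr(sector: bytes, baseline_hash: str) -> list:
    """Compare sector 0 with a baseline taken while the machine was clean."""
    findings = []
    if sector[510:512] != BOOT_SIG:
        findings.append("missing 0x55AA boot signature")
    if boot_code_hash(sector) != baseline_hash:
        findings.append("bootstrap code differs from baseline")
    return findings

def make_sample(boot_code: bytes) -> bytes:
    """Constructed 512-byte MBR with one NTFS (type 0x07) partition."""
    entry = struct.pack("<B3sB3sII", 0x80, b"\0" * 3, 0x07, b"\0" * 3, 2048, 204800)
    code = boot_code.ljust(BOOT_CODE_LEN, b"\0")
    return code + entry + b"\0" * 48 + BOOT_SIG

clean = make_sample(b"\xfa\x33\xc0")   # constructed bytes standing in for the original loader
changed = make_sample(b"\xeb\xfe")     # constructed bytes standing in for replaced boot code
baseline = boot_code_hash(clean)

if __name__ == "__main__":
    print(check_mbr(clean, baseline), check_mbr(changed, baseline), partitions(changed))
```

On a live system, sector 0 would be read from the raw disk device with administrator rights, and the baseline hash kept somewhere other than the monitored machine.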
The decryption tool can be used to extract the so-called victim ID, a unique string that identifies each victim and is tied to the master key. This string is needed to recover the individual keys that were used to encrypt each victim’s personal data. Once users have their individual keys, they can download and use the decryption program for the particular Petya version that locked their files.
Unfortunately, these tools don’t allow users to recover files affected by pirated versions of Petya, such as the above-mentioned PetrWrap and NotPetya.
You can download the decryptor tool for Petya ransomware from GitHub at the following link: https://github.com/hasherezade/petya_key/releases