A new type of PC ransomware hit users a couple of weeks ago, and it is some of the most dangerous malware of its kind. While previous ransomware apps encrypted only specific personal data on a computer, Petya can encrypt a victim's entire startup drive. That means you cannot even boot the computer without the encryption password, and to obtain that password you have to pay the ransom.
However, it looks like there is a critical error in Petya that lets anyone decrypt his or her hard drive for free, thanks to the work of a person who found the security hole in this malware tool. It goes to show that even the hackers who write malware don't always get their own security right.
As Ars Technica explains, the process requires a bit of work.
First of all, you need a second computer, one that is not infected with Petya. Next, remove the startup drive from the infected machine and connect it to the clean computer using an external enclosure. The victim then needs to extract two pieces of data from the hard drive: "specifically (1) the base-64-encoded 512 bytes starting at sector 55 (0x37h) with an offset of 0 and (2) the 64-bit-encoded 8-byte nonce from sector 54 (0x36) offset 33 (0x21)." That sounds tedious, but a separate security expert created a Petya Sector Extractor tool that does the work for you automatically.
Once that is done, simply input the data into a web app created by the person who found the flaw, @leostone, and you should obtain the password you need to decrypt the drive. If this sounds too complicated, a step-by-step tutorial from Bleeping Computer will come in handy.
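As an added example (not the Petya Sector Extractor and not @leostone's tool), here is a small Python script that pulls those two regions from a raw image of the locked drive and base64-encodes them for the recovery form; it assumes 512-byte sectors and reads the offsets exactly as quoted above, and the sample image it builds for a dry run is constructed, not real Petya data.

```python
import base64
import sys

SECTOR_SIZE = 512  # assumption: 512-byte sectors, as the quoted offsets imply

# Locations quoted from the Ars Technica description on this page.
VERIFY_SECTOR, VERIFY_OFFSET, VERIFY_LEN = 55, 0, 512   # sector 0x37, offset 0
NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN = 54, 33, 8       # sector 0x36, offset 0x21


def read_region(image: bytes, sector: int, offset: int, length: int) -> bytes:
    """Return `length` raw bytes starting at byte `offset` inside `sector`."""
    start = sector * SECTOR_SIZE + offset
    end = start + length
    if end > len(image):
        raise ValueError(f"image too small: need {end} bytes, have {len(image)}")
    return image[start:end]


def raw_fields(image: bytes) -> tuple:
    """The two raw regions: (512-byte block from sector 55, 8-byte nonce from sector 54)."""
    return (read_region(image, VERIFY_SECTOR, VERIFY_OFFSET, VERIFY_LEN),
            read_region(image, NONCE_SECTOR, NONCE_OFFSET, NONCE_LEN))


def extract_petya_fields(image: bytes) -> dict:
    """Base64-encode both regions, ready to paste into the recovery web form."""
    block, nonce = raw_fields(image)
    return {"sector55_b64": base64.b64encode(block).decode("ascii"),
            "nonce_b64": base64.b64encode(nonce).decode("ascii")}


def build_sample_image() -> bytes:
    """Constructed stand-in for a raw disk image: 56 zeroed sectors plus marker bytes."""
    img = bytearray(56 * SECTOR_SIZE)
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[start:start + NONCE_LEN] = b"NONCE!!!"
    start = VERIFY_SECTOR * SECTOR_SIZE + VERIFY_OFFSET
    img[start:start + VERIFY_LEN] = bytes(range(256)) * 2
    return bytes(img)


if __name__ == "__main__":
    # Pass the path of a raw image of the locked drive, or run on the sample image.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for name, value in extract_petya_fields(data).items():
        print(f"{name}: {value}")
```

Run it against a full raw image of the drive (the whole device, not a partition), since the sector numbers are counted from the start of the disk.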
In addition to fixing your hard drive, you should also make sure you avoid falling for ransomware tricks in the future, as next time you might not be so lucky. Review your recent internet activity so you can figure out how your PC was infected with Petya, and you can read more about this ransomware app at this link.