home Cyber Security, Internet, Technology Decryptor for old Petya malware versions released

Decryptor for old Petya malware versions released


Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project. You can read the full story here.

Based on the released key, Malwarebytes has prepared a decryptor that is capable of unlocking all the legitimate versions of Petya (read more about identifying Petyas):

  • Red Petya
  • Green Petya (both versions) + Mischa
  • Goldeneye (bootlocker + files)

In case if you have a backup of Petya-encrypted disk, this is the time to take it out from the shelf and kiss your Petya goodbye 😉

WARNING: During our tests we found that in some cases Petya may hang during decryption, or cause some other problems potentially damaging to your data. That’s why, before any decryption attempts, we recommend you to make an additional backup.

// Special thanks to @Th3PeKo , @vallejocc and Michael Meyer for all the help in testing!

Variants of the attack

As we know, depending on version Petya may attack your data by two ways:

1 – at a low level, encrypting your Master File Table. For example:

2 – at a high level, encrypting your files one  by one (like a typical ransomware). For example:

Fortunately, the released key allows for recovery in both cases. However the process of decryption will look a bit different.


We prepared two different builds of the recovery tool, to support the specific needs:

  1. a Live CD
  2. a Windows executable

In both cases, the tool decrypts the individual key from the victim ID.

After obtaining the key, you can use the original decryptors in order to recover your files. You can find the links here:

For Mischa: https://drive.google.com/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE
For Goldeneye: https://drive.google.com/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg

DISCLAIMER: Those tools are provided as is and you are using them at your own risk. We are not responsible for any damage or lost data.

Read more


James Barnley

I’m the editor of the DomainingAfrica. I write about internet and social media, focusing mainly on Domains. As a subscriber to my newsletter, you’ll get a lot of information on Domain Issues, ICANN, new gtld’s, Mobile technology and social media.

Leave a Reply

Your email address will not be published. Required fields are marked *