Following the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided to release his master key, probably closing the project. You can read the full story here.
Based on the released key, Malwarebytes has prepared a decryptor that is capable of unlocking all the legitimate versions of Petya (read more about identifying Petyas):
- Red Petya
- Green Petya (both versions) + Mischa
- Goldeneye (bootlocker + files)
If you have a backup of a Petya-encrypted disk, this is the time to take it off the shelf and kiss your Petya goodbye 😉
WARNING: During our tests we found that in some cases Petya may hang during decryption, or cause other problems that could damage your data. That's why we recommend that you make an additional backup before any decryption attempt.
// Special thanks to @Th3PeKo , @vallejocc and Michael Meyer for all the help in testing!
Variants of the attack
As we know, depending on the version, Petya may attack your data in two ways:
1 – at a low level, encrypting your Master File Table. For example:
2 – at a high level, encrypting your files one by one (like a typical ransomware). For example:
Fortunately, the released key allows for recovery in both cases. However, the decryption process looks a bit different in each.
We prepared two different builds of the recovery tool, to support the specific needs:
In both cases, the tool decrypts the individual key from the victim ID.
After obtaining the key, you can use the original decryptors in order to recover your files. You can find the links here:
For Mischa: https://drive.google.com/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE
For Goldeneye: https://drive.google.com/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg
DISCLAIMER: Those tools are provided as is and you are using them at your own risk. We are not responsible for any damage or lost data.