
Email scam Petya locks down PCs until a ransom is paid

Brad Jones

If you unwittingly fell victim to the Petya ransomware, there’s a way to get your data back without paying hundreds of dollars. The solution may not be effective against future Petya variants if the code is changed, but it works with the current version, according to BleepingComputer.com.

When your computer is hijacked by Petya, the entire drive isn’t encrypted. The area that is actually encrypted, and that effectively renders your system useless until unlocked, is a specific segment of the drive. The boot sectors hold information needed to fully operate and access all the data on your computer, and that’s what the malware locks down. When you enter the decryption code the Petya developers want you to purchase, the boot sector information is decrypted and everything is put back to normal.


But you don’t have to pay the ransom. If you’re comfortable removing your hard drive, attaching it to another Windows computer, and downloading and running free utilities created by two Twitter users, you can do it all yourself.

First, remove your encrypted hard drive and attach it as a non-boot drive to a second computer.

The data you need to find the Petya boot information is a 512-byte string starting at sector 55 (0x37) with an offset of 0, and the 8-byte nonce from sector 54 (0x36) at offset 33 (0x21). Of course, finding that yourself won’t be easy. You’ll want a utility created by Fabian Wosar, whose Twitter handle is @fwosar. Download his Petya Sector Extractor utility, save the zip file to your desktop, extract the file, and then run PetyaExtractor.exe. This program searches the required sectors of your drive to find the proper string of data.

The next step is to go to either of two websites created by Twitter user @leostone. With your browser go here or here. When you open either of @leostone’s sites you’ll see a screen with two boxes for the information generated by Fabian Wosar’s extractor utility. Copy and paste the data into the boxes on either of the websites. Click the Submit button and your decryption key will be generated. Write it down.

The last step involves re-attaching your original hard drive to the infected computer and restarting it. When you see the Petya screen, enter the key you wrote down. It should be accepted, and your computer should immediately start decrypting. It will soon be as it was before you were infected.
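As an added illustration of the extraction step described above (this is not the PetyaExtractor tool or @leostone’s site), the script below reads the two fields the article names, the 512-byte block at sector 55 and the 8-byte nonce at sector 54 offset 33, from a raw image of the encrypted drive. The hex output format and the sample image are assumptions made here for illustration.

```python
# Added example, not code from the article or from the tools it mentions.
# Pulls the Petya verification block and nonce out of a raw disk image.
SECTOR_SIZE = 512
DATA_SECTOR = 55      # 0x37: 512-byte verification block starts at offset 0
NONCE_SECTOR = 54     # 0x36: sector that holds the nonce
NONCE_OFFSET = 33     # 0x21: nonce offset within sector 54
NONCE_LEN = 8


def extract_petya_fields(image: bytes) -> dict:
    """Return the verification block and nonce as hex strings.

    Hex is an assumed output encoding; the article does not state the
    exact format the decoder site expects.
    """
    needed = (DATA_SECTOR + 1) * SECTOR_SIZE
    if len(image) < needed:
        raise ValueError(f"image too short: need at least {needed} bytes")
    data_start = DATA_SECTOR * SECTOR_SIZE
    data = image[data_start:data_start + SECTOR_SIZE]
    nonce_start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    nonce = image[nonce_start:nonce_start + NONCE_LEN]
    if not any(data):
        # A blank sector 55 means the drive is probably not Petya-encrypted.
        raise ValueError("sector 55 is empty; no Petya boot data found")
    return {"data": data.hex(), "nonce": nonce.hex()}


def extract_from_file(path: str) -> dict:
    """Read only the first 56 sectors of a raw image (or attached drive) and
    extract the fields. Reading a physical device needs administrator rights."""
    with open(path, "rb") as f:
        image = f.read((DATA_SECTOR + 1) * SECTOR_SIZE)
    return extract_petya_fields(image)


def build_sample_image() -> bytes:
    """Constructed test image: 56 zero sectors with the two fields filled in."""
    image = bytearray(56 * SECTOR_SIZE)
    nonce_at = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    image[nonce_at:nonce_at + NONCE_LEN] = bytes.fromhex("0102030405060708")
    data_at = DATA_SECTOR * SECTOR_SIZE
    image[data_at:data_at + SECTOR_SIZE] = bytes(range(256)) * 2
    return bytes(image)


if __name__ == "__main__":
    print(extract_petya_fields(build_sample_image()))
```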

Detailed instructions for the above process are available at BleepingComputer.com. If you find these steps daunting, your best bet will be to call local computer support firms, and find one familiar with this process.

This method of defeating Petya works for now. If the code is changed to subvert this rescue procedure, hopefully people like @leostone and Fabian Wosar can help again.


A new piece of malware doing the rounds using popular cloud storage service Dropbox as its carrier is reportedly able to lock users out of their systems. The ransomware is known as Petya, and at present it seems to be forcing users to pay more than $400 to regain access to their computers.

Petya is being distributed via email, according to a report from Trend Micro. The package is included in correspondence intended to look like a message from a professional looking for work, which contains a Dropbox link that will supposedly allow the recipient to download their resume.

Unfortunately, that file is in fact a self-extracting executable that’s designed to install a Trojan which blocks any active security software and downloads the Petya ransomware. Once that groundwork has all been laid, the real attack can get underway.


Petya overwrites the master boot record of the infected system, causing a blue screen of death. Once the user tries to reboot, they’ll be greeted with a bright red screen emblazoned with an ASCII skull and crossbones — and there’s no way of escaping this, as safe mode will have already been disabled.

The ransomware then informs the user that their system has been locked with a “military-grade encryption algorithm.” The only way to reverse the process is to head to the dark Web and pay for a key with bitcoin — the going rate is $431, and that figure doubles if the victim doesn’t pay within a certain schedule.

This is undoubtedly a very nasty piece of malware, and another piece of evidence that online criminals are continually developing their methods of attack. At present, it’s unclear what individuals can do to avoid being targeted, aside from being continually vigilant about the sort of links they click on in emails from unknown senders.
