The Ransomware is a malware that has been circulating via emails; it is said to come from individuals looking to be employed, since March 2016. Once the mail is opened, the malware infects your machine by changing the MFT. The operating system fails to locate your data due to the master file table (MFT) encryption, and a ransom note shows asking for 0.9-bit coins that are equivalent to 264 Euros.
Experts Recover Data Encrypted by Petya Ransomware
An expert programmer only known by the Twitter Handle Leo_and_Stone was able to generate a tool to fault the malware. The programmer developed the tool when trying to help the father-in-law, whose computer had been Recover Data Encrypted by Petya Ransomware. They then released the tool as a code via Github, a site for sharing codes, for others to access.
How the code works
Other experts from Bleeping Computer.com stated that the code works through removing some data from the infected hard drive. They explained that the code scans the computer for the Petya boot code, upon detecting it, the boot code is selected, and users are allowed to copy the sectors and the nonce that it is associated with. These data are used to come up with a decryption password in seconds but through the website of Leo_and_Stone.
One has to extract the drive from the infected computer manually, attach it to another uninfected Windows device to obtain precise data, then convert the extracted data to Base64 programming and finally use the website to create the password. After discovering the password, reconnect the encrypted drive to its computer to retrieve the encrypted files.
Another expert, Tim Stiller, a system Engineer explained to IT Pro that “the ransomware only encrypts the disk with one key,” which has to be extracted to decrypt the MFT. This is good news because the code now makes it possible for victims of the malware to recover their data without paying the ransom.
The con of using the decryption tool
The unfortunate thing is that this extracting process might not be easy for most victims of the malware, but lucky for them, Wosar devised a tool that they can use to remove the data quickly.
However, to use this tool, one still needs to extract the drive from the infected machine, attach it to another working Windows device, then launch the tool to identify the password. In case, the affected machine has many drives, remove only the boot drive of the infected computer.
Although the experts were able to decrypt the malware, it is wise to protect your machine. Tim Stiller stated that it was likely that the authors of the malware will result in changing the functions of the encryption from the MFT encryption to a file-by-file encryption.
He advised institutions to” backup their data either through cloud backup, that can be easily accessed and backs up your data daily, or through an external hard drive. It is important to evade opening suspicious emails or downloading unexpected attachments. They should also make a habit of sending strange emails to their security experts for examination”.