Tuesday, 12 April 2016

Petya disk encryption fix

I see on BleepingComputer.com that there is a way to decrypt a hard disk that has been encrypted with the Petya malware (actually, I think only the $MFT is encrypted by this MBR virus). Although Bleeping Computer say to remove the hard disk from the system, I don't see why we cannot just boot the infected system to WinPE from a USB drive (just be careful it does not boot from the internal hard disk!).

I copied the PetyaExtractor.exe program to my E2B USB drive and booted to a Windows 10 32-bit Install ISO. I then ran the PetyaExtractor.exe program which appeared to run OK (but I cannot be sure as I did not have an infected system). It is a 32-bit program, so you need to boot to 32-bit WinPE (or a 64-bit WinPE that has WoW64 support - e.g. ChrisR's WinPESE10).

The idea is that we could then save sector 55 and the 'Nonce' data from sector 54 to the E2B drive using NotePad, and then copy and paste it into the Petya decryption site page to get the decryption key.

It would also be trivial to write a grub4dos (E2B) script to save the required data (or even just use dd) and then encode it to base64 by uploading it to a website such as this one. However, it is probably just as easy to boot to WinPE and use the PetyaExtractor tool.
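As an added illustration of the dd route (this is example code, not from the blog, Bleeping Computer or the PetyaExtractor tool), the POSIX shell functions below dump raw sector 54 and sector 55 of a disk or image and base64-encode them ready for pasting. The only facts taken from the post are the sector numbers and the 512-byte sector size; the exact byte offset of the nonce inside sector 54 is not stated, so the whole sector is dumped. The disk image built by `make_test_image` is constructed filler so the script can be tried offline; on a real system you would point `sector_base64` at the block device instead.

```shell
#!/bin/sh
# Dump and base64-encode the two Petya sectors named in the post (54 and 55).
# Assumptions: 512-byte sectors; GNU/BSD dd and base64 are available.
set -e

SECTOR=512

# make_test_image PATH: build a 64-sector image with recognisable marker text in
# sectors 54 and 55. Constructed test data only; not real Petya sector contents.
make_test_image() {
    img="$1"
    dd if=/dev/zero of="$img" bs=$SECTOR count=64 2>/dev/null
    printf 'SECTOR54-NONCE-PLACEHOLDER' \
        | dd of="$img" bs=$SECTOR seek=54 conv=notrunc 2>/dev/null
    printf 'SECTOR55-VERIFICATION-PLACEHOLDER' \
        | dd of="$img" bs=$SECTOR seek=55 conv=notrunc 2>/dev/null
}

# dump_sector DISK N: write the raw 512 bytes of sector N to stdout.
dump_sector() {
    dd if="$1" bs=$SECTOR skip="$2" count=1 2>/dev/null
}

# sector_base64 DISK N: base64 of sector N on a single line, the form a web
# decryption page expects to be pasted in (tr strips the 76-column wrapping).
sector_base64() {
    dump_sector "$1" "$2" | base64 | tr -d '\n'
}

# sector_prefix DISK N LEN: first LEN bytes of sector N, for a quick eyeball
# check that the right sector was read before anything is uploaded.
sector_prefix() {
    dump_sector "$1" "$2" | head -c "$3"
}

# Usage: sh petya_sectors.sh /dev/sdX   (or a raw image file)
if [ "$#" -ge 1 ]; then
    echo "sector 54 (nonce) base64:"; sector_base64 "$1" 54; echo
    echo "sector 55 base64:";         sector_base64 "$1" 55; echo
fi
```

Run the script against the disk while booted from the USB drive, not from the infected internal disk, and compare the base64 length (512 bytes encodes to 684 characters) before pasting it into the web form.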

Why not add the tool and a .txt file with the web links to your 'Swiss-army E2B drive' so that you will have the tool handy if you need to fix someone's system?