In light of the devastating NotPetya attack, the creator of the original Petya ransomware has released his private key for the malware. This means victims of the original Petya attacks (excluding NotPetya) will be able to decrypt their files for free.
The original Petya ransomware (aka GoldenEye) encrypts the Master File Table using Salsa20, locking the victim’s entire system down.
It was hijacked by the creators of NotPetya, who carefully manipulated its assembly code to create the destructive wiper that swept through Ukraine two weeks ago. Important changes include removing of the ability to actually restore encrypted files, as the victim’s keys are erased after encryption.
To obtain the key, security researchers had to jump through a couple hoops. About a week after the NotPetya outbreak, the creator tweeted a link to an encrypted file, with a password hint.
Researchers used this quote (from the GoldenEye movie) to figure out the password and decrypt the file, which contained the private key and some implementation details for the ransomware.
To add protection against Petya, we recommend enabling the following targets:
If you do not have a ThreatSTOP account,
If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our