Ransomware has grown rapidly over the past few years and is now one of the most common threats on the Internet.
These attacks have become increasingly aggressive, often leaving victims with little choice but to pay a ransom to recover critical and sensitive data.
However, victims of Petya ransomware have been given a rare break.
Due to a flaw in the malware’s code, infected systems can be unlocked without paying the ransom.
What Is Petya Ransomware?
Petya is a ransomware strain that first appeared roughly two weeks ago and operates very differently from most file-encrypting malware.
Instead of encrypting individual files, Petya forces a system reboot and encrypts critical parts of the hard drive. It targets the master boot record (MBR) and related boot data, preventing Windows from starting normally.
The master boot record is located in the first sector of a hard drive and tells the system how to load the operating system. Once Petya damages this area, the computer can no longer boot into Windows.
After rebooting, the ransomware displays its own screen and demands a payment of 0.9 Bitcoin (around $381 at the time) to restore access.
Without the correct decryption password, the system remains unusable and all data on the affected disk stays inaccessible.
A researcher using the Twitter handle @leostone later discovered a weakness in Petya’s encryption process and built a tool capable of generating the required decryption key.
How to Unlock a Petya-Infected System for Free
The flaw was identified after Petya infected the researcher’s father-in-law’s computer, prompting a closer look at how the malware generates its encryption key.
The key-generation method can unlock a Petya-infected system in as little as seven seconds.
To use the password generator, victims must remove the infected hard drive and connect it to a clean Windows computer.
The following data must be extracted from the drive:
- Base64-encoded 512 bytes starting at sector 55 (0x37) with an offset of 0
- A 64-bit encoded 8-byte nonce from sector 54 (0x36) with an offset of 33 (0x21)
This information can then be entered into the web app (or its mirror site) to generate the decryption key used by Petya.
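The two reads listed above, as an added example (not code from the original article or from either researcher's tool): it pulls both fields from a raw disk image opened read-only and prints them for pasting into the generator. The 512-byte sector size, the function names, the constructed test image, and Base64-encoding the nonce as well as the sector data are assumptions.

```python
import base64
import io

SECTOR_SIZE = 512    # assumption: 512-byte sectors
DATA_SECTOR = 55     # 0x37, from the article
NONCE_SECTOR = 54    # 0x36, from the article
NONCE_OFFSET = 33    # 0x21, from the article
NONCE_LEN = 8


def read_sector(disk, index):
    """Read one whole sector; raw devices generally require sector-aligned reads."""
    disk.seek(index * SECTOR_SIZE)
    buf = disk.read(SECTOR_SIZE)
    if len(buf) != SECTOR_SIZE:
        raise ValueError(f"short read at sector {index}: {len(buf)} bytes")
    return buf


def extract_petya_fields(disk):
    """Return (sector_b64, nonce_b64) from a binary file object on the drive or image."""
    data = read_sector(disk, DATA_SECTOR)
    nonce = read_sector(disk, NONCE_SECTOR)[NONCE_OFFSET:NONCE_OFFSET + NONCE_LEN]
    # Assumption: both values are submitted Base64-encoded.
    return (base64.b64encode(data).decode("ascii"),
            base64.b64encode(nonce).decode("ascii"))


def build_constructed_image():
    """Constructed 64-sector image with recognizable bytes in the two regions."""
    img = bytearray(64 * SECTOR_SIZE)
    img[DATA_SECTOR * SECTOR_SIZE:(DATA_SECTOR + 1) * SECTOR_SIZE] = bytes(range(256)) * 2
    start = NONCE_SECTOR * SECTOR_SIZE + NONCE_OFFSET
    img[start:start + NONCE_LEN] = b"NONCE123"
    return bytes(img)


if __name__ == "__main__":
    # For a real case, replace the BytesIO with open("<image path>", "rb").
    with io.BytesIO(build_constructed_image()) as disk:
        sector_b64, nonce_b64 = extract_petya_fields(disk)
    print("sector 55 :", sector_b64)
    print("nonce     :", nonce_b64)
```

Working from a read-only image of the infected drive rather than the drive itself keeps the original evidence untouched if the recovery attempt has to be repeated.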
A Simpler Tool for Extracting the Required Data
The manual extraction process can be difficult for many victims.
To simplify recovery, researcher Fabian Wosar created a free utility called Petya Sector Extractor, which automates the data extraction process.
The tool can be downloaded from the net and must be run on a clean Windows system with the infected drive attached.
A detailed step-by-step guide is available that walks victims through the full recovery process.
While this method currently works, there is no guarantee it will remain effective. The Petya authors are likely aware of the flaw and may update their code to block this recovery technique in future versions.



