The Petya ransomware program was causing trouble for many users, forcing them to pay a huge amount of money to cyber-criminals to get their data decrypted. Now security experts have devised a method allowing users to recover all their data from infected computers without paying any ransom.
How Petya infects computers
Last month, cyber-criminals distributed the Petya ransomware to companies through spam emails that masqueraded as job applications, which is when it appeared on researchers’ radar. It differs from other file-encrypting ransomware programs in its ability to overwrite the master boot record (MBR) of a hard disk drive, leaving the infected computer unable to boot into the operating system, says PC World.
To start the operating system, the drive’s legitimate MBR code is needed, but Petya replaces it with code that encrypts the master file table (MFT) and shows a ransom note. The MFT is a special file on NTFS volumes that holds, for every other file, information such as its name, size and mapping to hard disk sectors.
The actual contents of the user’s files are not encrypted, but without the MFT the OS cannot find where the files are located on the disk. It might be possible to reconstruct the files with data recovery tools, but there is no guarantee that this will work perfectly, and it could be time-consuming as well, the report says.
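Because Petya works by overwriting the MBR, a defender's first question about a suspect disk is whether its boot sector still matches what was there when the machine was healthy. The following added example (not code from the article, PC World, or any of the researchers named) parses a 512-byte MBR image, checks the 0x55AA boot signature and the partition table, and compares a hash of the 446 bytes of bootstrap code against a baseline hash recorded earlier. The MBR images and the baseline are constructed inline for the demo; the bootstrap bytes are placeholders, not real Windows or Petya boot code.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOTSTRAP_LEN = 446           # bytes of boot code before the partition table
PARTITION_TABLE_OFF = 446     # four 16-byte partition entries follow the boot code
BOOT_SIGNATURE = b"\x55\xaa"  # last two bytes of a valid MBR
ENTRY_FMT = "<B3sB3sII"       # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Build a constructed 512-byte MBR image for the demo: the given
    bootstrap bytes zero-padded to 446, one bootable NTFS partition entry
    (type 0x07), three empty entries and the 0x55AA signature."""
    if len(bootstrap) > BOOTSTRAP_LEN:
        raise ValueError("bootstrap code must fit in 446 bytes")
    code = bootstrap.ljust(BOOTSTRAP_LEN, b"\x00")
    ntfs_entry = struct.pack(ENTRY_FMT, 0x80, b"\x20\x21\x00", 0x07,
                             b"\xfe\xff\xff", 2048, 204800)
    table = ntfs_entry + b"\x00" * (16 * 3)
    return code + table + BOOT_SIGNATURE


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR sector into its parts and hash the bootstrap code."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs0, ptype, _chs1, lba, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        if ptype != 0:  # partition type 0 means the slot is unused
            partitions.append({"bootable": status == 0x80, "type": ptype,
                               "lba_start": lba, "sectors": count})
    return {
        "signature_ok": sector[510:512] == BOOT_SIGNATURE,
        "bootstrap_sha256": hashlib.sha256(sector[:BOOTSTRAP_LEN]).hexdigest(),
        "partitions": partitions,
    }


def check_mbr(sector: bytes, known_good_hashes: set) -> list:
    """Return a list of findings; an empty list means the MBR matches the baseline."""
    info = parse_mbr(sector)
    findings = []
    if not info["signature_ok"]:
        findings.append("missing 0x55AA boot signature")
    if info["bootstrap_sha256"] not in known_good_hashes:
        findings.append("bootstrap code does not match the recorded baseline")
    if not info["partitions"]:
        findings.append("partition table is empty")
    elif not any(p["type"] == 0x07 for p in info["partitions"]):
        findings.append("no NTFS partition entry found")
    return findings


# Constructed inputs: a "clean" MBR whose bootstrap hash we record as the
# baseline, and a second image whose boot code has been replaced, standing in
# for the overwrite the article describes. Neither contains real boot code.
CLEAN_MBR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
BASELINE = {parse_mbr(CLEAN_MBR)["bootstrap_sha256"]}
REPLACED_MBR = build_sample_mbr(b"constructed replacement boot code")


if __name__ == "__main__":
    for name, image in (("clean", CLEAN_MBR), ("replaced", REPLACED_MBR)):
        print(name, check_mbr(image, BASELINE) or ["OK"])
```

On a real system the baseline hash has to be taken while the disk is still healthy (the first 512 bytes of the raw block device, read from a trusted host), and the check is only as good as that baseline: a replaced bootstrap with a valid signature and an intact partition table, which is exactly the case the second image simulates, is caught by the hash comparison alone.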
How to get rid of it
Now there is no need to resort to any such methods, nor is there any need to pay money to Petya’s authors. A person using the online handle leostone devised an algorithm to crack the key needed to restore the MFT and recover from a Petya infection.
The technique works, as confirmed by experts from the popular tech support forum BleepingComputer.com, but it requires extracting some data from the affected hard drive. This may sound complicated to some users, and for them a simpler solution is also available, the report says.
Fabian Wosar of Emsisoft, a security firm, has created a simple and free tool to solve the problem. Since it is no longer possible for the infected computer to boot into Windows, the tool can be used only after taking out the affected hard drive and connecting it to a different computer where the tool can run.
Users can also use an external USB-based hard drive docking station. The data that the tool has extracted should then be entered into the Web application that leostone created to crack the key. Then the user needs to put the infected hard drive into the original computer and input the key on the ransom screen displayed by Petya.