A decoder for Petya victim keys, using Janus' master key.
Type Name Latest commit message Commit time
src [BUGFIX] Removed invalid debug string Jul 26, 2017
tests [NOBIN] Added a test for Mischa Jul 20, 2017
README.md Update README.md Jul 26, 2017

README.md

petya_key

A decoder for Petya victim keys, using Janus' master key.
It supports:

  • Red Petya
  • Green Petya (both versions) + Mischa
  • Goldeneye (bootlocker + files)

Read more about identifying Petyas: https://blog.malwarebytes.com/cybercrime/2017/07/keeping-up-with-the-petyas-demystifying-the-malware-family/
DISCLAIMER: These tools are provided as is and you are using them at your own risk. I am not responsible for any damage or lost data.
Usage:
./petya_key [victim_data]
where 'victim_data' is a file containing the 'personal decryption code' displayed by the bootlocker.

1) Save your 'personal decryption code' as a continuous string, without separators. Example of valid file content:
e2NKAXKGX7YFYUHPUuwrcfZ6FUkkYtRUdvzqRUwacPgjMvyYr8mH5Pw4X8Wdt6XgLrK7G7m1TVVeBdVzRDayyHFWp76353A1

2) Supply the saved file to the decoder:
./petya_key saved_id.txt
Choose your version of Petya from the menu. If the given data is valid, you will get your key, e.g.:
[+] Your key   : TxgTCXnpUPSeR2U7
3) Before any unlocking attempt, I strongly recommend making a dump of the full disk. Some versions of Petya are buggy. For example, they may hang during decryption and corrupt your data.
In order to decrypt MFT, supply the generated key to the bootlocker.
In order to decrypt files, you need to supply the key to an appropriate decryption tool.
For Mischa: https://drive.google.com/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE
For Goldeneye: https://drive.google.com/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg
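
Steps 1 and 2 require the code as one continuous string. The helper below is an added example, not part of petya_key: it cleans up a hand-transcribed code before it is passed to the decoder. The function name `normalize_code`, the input file name and the assumption that a valid code contains only ASCII letters and digits (as in the sample above) are this example's own.

```shell
#!/bin/sh
# Added example (not from the petya_key project): prepare the victim_data file.
LC_ALL=C
export LC_ALL

# normalize_code: read a transcribed 'personal decryption code' on stdin,
# drop spaces, tabs, line breaks and dash separators, and print the result
# as one continuous string with no trailing newline.
# Assumption: a valid code is ASCII letters and digits only, as in the
# README's sample; anything else is treated as a transcription error.
normalize_code() {
    code=$(tr -d ' \t\r\n-')
    if [ -z "$code" ]; then
        echo "error: no code found in input" >&2
        return 1
    fi
    case $code in
        *[!A-Za-z0-9]*)
            echo "error: unexpected character in code, re-check the transcription" >&2
            return 1
            ;;
    esac
    printf '%s' "$code"
}

# Usage: sh prepare_id.sh typed_code.txt
# Writes saved_id.txt only if the input passed the checks above.
if [ "$#" -ge 1 ]; then
    if cleaned=$(normalize_code < "$1"); then
        printf '%s' "$cleaned" > saved_id.txt
        echo "wrote saved_id.txt (${#cleaned} characters)"
    else
        exit 1
    fi
fi
```

The resulting `saved_id.txt` is then supplied to the decoder as in step 2. The reported character count can be compared against what the bootlocker displays.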