Anonymous Programmer ‘Patches’ Petya Ransomware

A patch that disarms the Petya ransomware has been posted online by an anonymous programmer and includes a tool that exploits shortfalls in the way the malware encrypts a file that allows Windows to start up.

It’s thought that the developer, who goes by the Twitter handle @leo_and_stone, produced the key generator to help his father-in-law unlock his computer, which had been hit by the malware

Scammed

Petya, which first emerged in March, infected victims by hiding in documents attached to emails purporting to come from people looking for work.

Unlike typical ransomware strains, which leave the PC operational but encrypt all files, Petya crashed the computer, and upon rebooting, would alter the hard drive’s boot record and encrypt the entire hard drive, catching the device in a pre-boot stage.

The malware would demand a ransom of 0.9 bitcoins (£265) to free the device, with victims needing to pay the ransom and enter the password they received inside the pre-boot command-line.

Ransomware

The anonymous researcher discovered that the ransomware did not broadcast to an external server, unlike most malware, meaning that the encryption process is all self-contained on the system. He or she then developed a way to employ genetic algorithms to crack the ransomware, and created two websites where victims can obtain the decryption password.

However, users looking to remove Petya will still need to carry out some complex steps in order to extract some information from their hard drive, which involves attaching the infected drive to another computer.

Then, by using an external tool which scans hard drives for Petya infections and automates the process of extracting the information needed to crack the ransomware, the drive can be cleaned and re-attached to the original device.

Ransomware has become an increasingly popular tactic for cybercriminals in recent years, as they can target large numbers of users for a quick financial return.

Researchers at security firm Trend Micro revealed last month that there were more ransomware-related infections found in February this year as the first six months of last year in total.

The company found that there were more than twice as many infections last month than in the entire first three months of 2015, and that the combination of January and February 2016’s tally is already more than triple the infection count for the first three months of last year.

Are you a security pro? Try our quiz!