Petya Ransomware

❗❗❗ATTENTION❗❗❗

Please use the LATEST version of the decoder, available here:


UPDATE: 17th July, a new version of Petya has been released. At the moment, there is no way to decrypt the disk. Don’t let the infection reach Stage 2!

Please read the first Petya key decoder for more background information.


If you open an executable downloaded from the Internet and your system crashes, it may be a PETYA RANSOMWARE attack.

Please do not let the system reboot from the hard disk! It will cause the infection to progress.

Boot your computer from a live CD (e.g., Kali Linux) and back up the entire disk. Example:

dd if=/dev/sda of=dump.bin bs=512

If you caught Petya at Stage 1, your files are still untouched and there is a chance to save them.
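
The backup step above, extended into an added example that is not part of the original post: it images the disk with the same dd command, checks the dump against the source by SHA-256, and lets you re-check the dump later. The function names and the .sha256 sidecar file are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): image a disk as in the backup
# step, then prove the dump matches the source before any recovery attempt.
# Function names are this example's own. Needs sha256sum (GNU coreutils).

sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# image_disk SOURCE IMAGE: copy SOURCE to IMAGE, print the SHA-256 on success.
image_disk() {
    src=$1
    img=$2
    if [ ! -r "$src" ]; then
        echo "cannot read $src (run as root from the live system)" >&2
        return 2
    fi
    # Never overwrite an earlier dump: it may be the only untouched copy.
    if [ -e "$img" ]; then
        echo "$img already exists, refusing to overwrite" >&2
        return 3
    fi
    # Same copy as the page's command; dd's transfer statistics are dropped.
    dd if="$src" of="$img" bs=512 2>/dev/null || return 4
    src_hash=$(sha256_of "$src")
    img_hash=$(sha256_of "$img")
    if [ "$src_hash" != "$img_hash" ]; then
        echo "hash mismatch: the dump is incomplete or the disk changed" >&2
        return 5
    fi
    # Record the hash beside the image and make both read-only.
    printf '%s  %s\n' "$img_hash" "$(basename "$img")" > "$img.sha256"
    chmod a-w "$img" "$img.sha256"
    echo "$img_hash"
}

# verify_image IMAGE: succeed only if IMAGE still matches its recorded hash.
verify_image() {
    img=$1
    [ -r "$img.sha256" ] || return 2
    recorded=$(cut -d' ' -f1 < "$img.sha256")
    [ "$(sha256_of "$img")" = "$recorded" ]
}

# Run directly as: sh image_disk.sh /dev/sda dump.bin
if [ "$#" -eq 2 ]; then
    image_disk "$1" "$2"
fi
```

Run any decoder against a copy of dump.bin, and call verify_image on the original dump before and after to confirm it was not modified.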

Petya detector in the form of a bootloader:

With the help of this small tool, you can quickly check if Petya has been detected on your disk. In the case of Petya versions 1 and 2 it can also recover the Stage 1 key.

ISO: antipetya.iso
BIN: antipetya.bin

Source code: https://github.com/hasherezade/petya_recovery/tree/master/stage1_asm

To use it, download antipetya.iso (from a different computer), burn it on a CD, and boot your machine from the CD.


Alternatively, you can use a flash disk instead of a CD. In this case, you need to write antipetya.bin onto the flash disk. Example (using Linux):

1. Log in as root.
2. Check how your flash disk is represented in the system, and make sure it is the flash disk and not the infected hard disk.

If the flash disk is /dev/sdb:

dd if=antipetya.bin of=/dev/sdb bs=512 count=1

The tool will quickly tell you whether Petya's bootloader has replaced your own.
In the case of versions 1 and 2 of Petya, it will give you the Stage 1 key automatically:

Output of Antipetya Live CD (Stage1):

Write down this key. This is the same key that Petya uses to encrypt/decrypt your data:

The bootloader will inform you if Petya has already erased the key. In the Red Petya case, your disk can still be decrypted at Stage 2 – you can read about it here: Stage2 decoder. Unfortunately, such a recovery procedure does not work for the current Green version.

