The author of the original Petya ransomware is back.
After six months of silence, the author of the now-infamous Petya ransomware appeared on Twitter today to help victims unlock files encrypted by a new version of Petya, also known as NotPetya.
“We’re back having a look in NotPetya,” tweeted Janus, a name the Petya creator previously chose for himself from a James Bond villain. “Maybe it’s crackable with our privkey. Please upload the first 1MB of an infected device, that would help.”
This statement by the Petya author suggests he may have held on to a master decryption key. If that key works against files encrypted by the new Petya variant, victims would be able to decrypt the files locked in the recent outbreak.
Janus sold Petya as Ransomware-as-a-Service (RaaS) to other hackers in March 2016. Like any regular ransomware, the original Petya was designed to lock a victim’s computer and release it once a ransom was paid.
This meant anyone could launch a Petya attack with the click of a button, encrypt a target’s system and demand a ransom to unlock it, with Janus taking a cut of every payment. But in December, he went silent.
However, on Tuesday, computer systems of critical infrastructure and corporations in Ukraine and 64 other countries were hit by a global cyber attack similar to the WannaCry outbreak that crippled tens of thousands of systems worldwide.
Initially, a new variant of Petya ransomware, NotPetya, was blamed for infecting systems worldwide, but the NotPetya story later took an interesting turn.
Yesterday, researchers found that NotPetya is not ransomware at all but wiper malware: it wipes systems outright, destroying all records on the targeted machines.
NotPetya also uses the NSA’s leaked Windows exploits EternalBlue and EternalRomance to spread rapidly within a network, and the WMIC and PsExec tools to execute the malware remotely on other machines.
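The WMIC and PsExec behaviour described above leaves a recognisable trace in process-creation telemetry: `wmic.exe` invoked with a `/node:` target and `process call create`, and the PsExec client or its `PSEXESVC.exe` service binary starting on a host. The following Python script is an added example (not from the article or from any NotPetya analysis) that runs such checks over constructed sample events. The tab-separated log format, the host names, the IP addresses and the `payload.dll` path are all invented stand-ins for real endpoint telemetry; a real deployment would feed it Sysmon Event ID 1 or Security 4688 records instead.

```python
"""Flag WMIC- and PsExec-style remote execution in process-creation telemetry.

Added example. The input format is a constructed tab-separated stand-in for
real endpoint telemetry: host, parent image, image, command line.
"""
import re
from typing import Iterable, List, NamedTuple


class Finding(NamedTuple):
    host: str
    rule: str
    detail: str


# Constructed sample events (hosts, addresses and paths are invented).
SAMPLE_EVENTS = [
    # Ordinary user activity: must not fire.
    "WS01\tC:\\Windows\\explorer.exe\tC:\\Windows\\System32\\notepad.exe\tnotepad.exe report.txt",
    # Local WMI query by an admin: benign, must not fire (no /node:, no process creation).
    "WS01\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\wbem\\WMIC.exe\twmic os get caption",
    # WMIC told to create a process on another host: the lateral-movement pattern.
    "WS02\tC:\\Windows\\System32\\cmd.exe\tC:\\Windows\\System32\\wbem\\WMIC.exe\t"
    "wmic /node:\"10.0.0.23\" /user:\"CORP\\svc\" /password:\"x\" process call create \"C:\\Windows\\payload.dll\"",
    # PsExec service binary starting on the receiving side of a PsExec session.
    "WS03\tC:\\Windows\\System32\\services.exe\tC:\\Windows\\PSEXESVC.exe\tC:\\Windows\\PSEXESVC.exe",
    # PsExec client launched against a remote host.
    "WS04\tC:\\Windows\\System32\\cmd.exe\tC:\\Temp\\psexec.exe\tpsexec.exe \\\\10.0.0.31 -accepteula -s -d C:\\Windows\\payload.dll",
]

# WMIC remote execution needs both a remote target and a process-creation verb.
WMIC_REMOTE = re.compile(r"/node:", re.IGNORECASE)
WMIC_CREATE = re.compile(r"process\s+call\s+create", re.IGNORECASE)
# Image names used by the PsExec client and by the service it drops on the target.
PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}


def parse_event(line: str):
    """Split one constructed telemetry line into its four fields."""
    host, parent, image, cmdline = line.rstrip("\n").split("\t", 3)
    return host, parent, image, cmdline


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path, tolerating forward slashes."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(lines: Iterable[str]) -> List[Finding]:
    """Return one Finding per event matching a WMIC or PsExec remote-execution rule."""
    findings: List[Finding] = []
    for line in lines:
        host, _parent, image, cmdline = parse_event(line)
        name = basename(image)
        if name == "wmic.exe" and WMIC_REMOTE.search(cmdline) and WMIC_CREATE.search(cmdline):
            findings.append(Finding(host, "wmic_remote_process_create", cmdline))
        elif name in PSEXEC_IMAGES:
            findings.append(Finding(host, "psexec_execution", image))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(f"{finding.host}: {finding.rule}: {finding.detail}")
```

The WMIC rule deliberately requires both the `/node:` switch and the `process call create` verb, so routine local `wmic` queries do not alert; the PsExec rule keys on image name because the service-side `PSEXESVC.exe` has an empty, uninformative command line.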
Some experts even believe the attack was disguised as a malware outbreak to divert the world’s attention from a state-sponsored operation.
The source code of Petya has never been leaked, but some researchers are still trying hard to reverse engineer the malware to find possible solutions.
Would This Really Help Victims?
Janus is examining the new code, but even if his master key succeeds in decrypting the master file table (MFT) on victims’ hard drives, it won’t be of much help until researchers find a way to repair the master boot record (MBR), which NotPetya overwrites without keeping any copy.
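The distinction made here matters for triage: recovering the MFT is pointless if the first sector of the disk no longer holds a usable MBR. The script below is an added example (not from the article or from any NotPetya analysis) of the check a responder would run on the first 512 bytes of a disk image: it verifies the 0x55AA boot signature and parses the four 16-byte partition-table entries at offset 446. Both sample sectors, the “intact” one and the “overwritten” one, are constructed inline; the partition geometry in `build_sample_mbr` is invented.

```python
"""Triage the first sector of a disk image: does it still look like a valid MBR?

Added example. The MBR layout (partition table at offset 446, four 16-byte
entries, 0x55AA signature at offset 510) is the standard one; the sample
sectors below are constructed and do not come from any real disk.
"""
import struct
import sys
from typing import List, NamedTuple

SECTOR = 512
PART_TABLE_OFFSET = 446
PART_ENTRY_SIZE = 16
SIG_OFFSET = 510
BOOT_SIGNATURE = b"\x55\xAA"


class Partition(NamedTuple):
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


class MbrReport(NamedTuple):
    has_signature: bool
    partitions: List[Partition]
    looks_intact: bool


def parse_mbr(sector: bytes) -> MbrReport:
    """Parse the partition table and signature of a 512-byte first sector."""
    if len(sector) < SECTOR:
        raise ValueError("need at least one 512-byte sector")
    has_sig = sector[SIG_OFFSET:SIG_OFFSET + 2] == BOOT_SIGNATURE
    partitions: List[Partition] = []
    statuses_ok = True
    for i in range(4):
        off = PART_TABLE_OFFSET + i * PART_ENTRY_SIZE
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, type_id, lba_start, count = struct.unpack_from("<B3xB3xII", sector, off)
        if status not in (0x00, 0x80):  # only "inactive" and "bootable" are legal
            statuses_ok = False
        if type_id == 0:
            continue  # empty slot
        partitions.append(Partition(status == 0x80, type_id, lba_start, count))
    # A plausible MBR has the signature, legal status bytes and at least one
    # partition with a non-zero start and size. Overwritten sectors fail this.
    geometry_ok = all(p.lba_start > 0 and p.sector_count > 0 for p in partitions)
    intact = has_sig and statuses_ok and bool(partitions) and geometry_ok
    return MbrReport(has_sig, partitions, intact)


def build_sample_mbr() -> bytes:
    """Constructed minimal MBR: zeroed bootstrap area, one NTFS partition, valid signature."""
    sector = bytearray(SECTOR)
    entry = struct.pack("<B3sB3sII", 0x80, b"\x20\x21\x00", 0x07, b"\xFE\xFF\xFF", 2048, 204800)
    sector[PART_TABLE_OFFSET:PART_TABLE_OFFSET + PART_ENTRY_SIZE] = entry
    sector[SIG_OFFSET:SIG_OFFSET + 2] = BOOT_SIGNATURE
    return bytes(sector)


def build_wiped_sector() -> bytes:
    """Constructed stand-in for an overwritten first sector: a byte pattern with no signature."""
    return bytes((i * 7 + 3) & 0xFF for i in range(SECTOR))


def describe(report: MbrReport) -> str:
    """One-line human-readable verdict for the console."""
    verdict = "MBR looks intact" if report.looks_intact else "MBR missing or damaged"
    return f"{verdict}: signature={report.has_signature}, partitions={len(report.partitions)}"


if __name__ == "__main__":
    if len(sys.argv) > 1:
        # Real use: read the first sector of a raw disk image given on the command line.
        with open(sys.argv[1], "rb") as fh:
            print(describe(parse_mbr(fh.read(SECTOR))))
    else:
        print("constructed good sector:", describe(parse_mbr(build_sample_mbr())))
        print("constructed wiped sector:", describe(parse_mbr(build_wiped_sector())))
```

A passing check only says the sector is structurally plausible; it does not prove the 446 bytes of bootstrap code are the original loader rather than a replacement, so a structurally valid MBR still warrants comparison against a known-good image before the disk is trusted to boot.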
Tuesday’s cyber outbreak is believed to be bigger than WannaCry, causing disruption to many critical infrastructures, including bricked computers at a Ukrainian power company, several banks in Ukraine, and the country’s Kyiv Boryspil International Airport.
NotPetya also forced the cancellation of surgeries at two Pittsburgh-area hospitals, hit computers at the pharmaceutical company Merck and the law firm DLA Piper, and infected computers at the Dutch shipping company A.P. Moller-Maersk, forcing it to shut down some container terminals in seaports from Los Angeles to Mumbai.