July 7, 2017

Recovering data from a disk encrypted by #NotPetya with Salsa20

Ransomware attacks are an alarming trend of 2017. There have been many such attacks, but the ones that made the headlines are WannaCry and NotPetya (also known as Petya, Petya.A, ExPetr, and other names). With the lessons of the previous epidemic heeded, specialists across the globe reacted promptly to the new challenge and, within hours of the first infections, began analyzing encrypted disks. As early as June 27, the first descriptions[1] of how NotPetya spreads and infects computers appeared. Better still, a vaccine[2] that prevents NotPetya infections was found.
After NotPetya starts, it encrypts user files with certain extensions using AES while the operating system keeps running. This file encryption must finish within a time limit (by default, 1 hour). If it does, the file README.TXT with the ransom demand appears in the root folder; it carries the AES key encrypted with the attackers' RSA public key, so recovering the files in that case requires the private RSA key (which is allegedly available for purchase on the Darknet for 100 bitcoins). But if the encryption does not complete, is interrupted, or NotPetya lacks permission to write to the root folder, README.TXT (and with it the encrypted key) is never created, and the AES-encrypted files cannot be recovered even with the private RSA key.

The recovery method described below works only if NotPetya was running with administrator privileges and therefore used the Salsa20 algorithm to encrypt the hard disk (the MFT encryption layer).

Salsa20 is the second layer of encryption, applied on top of the per-file AES layer. Even so, reversing the Salsa20 layer is worthwhile for several reasons:
  • Some file types (for example, images) are skipped during AES encryption.
  • AES encryption is limited in time (usually 1 hour), and what was not encrypted with AES may be recoverable.
  • AES encryption runs under a specific user account. If several user accounts are used on the computer, AES may not have access to other users' data.

Meanwhile, Salsa20 encrypts all data, regardless of file types, time, and access permissions.
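The following is an added example written for this page, not the Positive Technologies recovery tooling and not NotPetya's own code. It is a pure-Python Salsa20/20 per the Bernstein specification, used to show what "decrypting the Salsa20 layer" means at the disk-sector level, together with the check a practitioner runs on a candidate key: decrypt a sector of the MFT and look for the NTFS "FILE" record signature. The sector size, the nonce, the mapping from sector index to block counter, the candidate keys and the sample sector are all constructed assumptions for the illustration; how NotPetya derives its key, nonce and counter is not described on this page and is not claimed here.

```python
import struct

MASK32 = 0xFFFFFFFF
SIGMA = b"expand 32-byte k"   # Salsa20 constant words for a 256-bit key
SECTOR_SIZE = 512             # assumed sector size for this example


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def quarterround(y0, y1, y2, y3):
    """Salsa20 quarterround as defined in the specification."""
    z1 = y1 ^ _rotl32((y0 + y3) & MASK32, 7)
    z2 = y2 ^ _rotl32((z1 + y0) & MASK32, 9)
    z3 = y3 ^ _rotl32((z2 + z1) & MASK32, 13)
    z0 = y0 ^ _rotl32((z3 + z2) & MASK32, 18)
    return z0, z1, z2, z3


def _columnround(x):
    x[0], x[4], x[8], x[12] = quarterround(x[0], x[4], x[8], x[12])
    x[5], x[9], x[13], x[1] = quarterround(x[5], x[9], x[13], x[1])
    x[10], x[14], x[2], x[6] = quarterround(x[10], x[14], x[2], x[6])
    x[15], x[3], x[7], x[11] = quarterround(x[15], x[3], x[7], x[11])


def _rowround(x):
    x[0], x[1], x[2], x[3] = quarterround(x[0], x[1], x[2], x[3])
    x[5], x[6], x[7], x[4] = quarterround(x[5], x[6], x[7], x[4])
    x[10], x[11], x[8], x[9] = quarterround(x[10], x[11], x[8], x[9])
    x[15], x[12], x[13], x[14] = quarterround(x[15], x[12], x[13], x[14])


def salsa20_block(key, nonce, counter):
    """64-byte Salsa20/20 keystream block for a 32-byte key, 8-byte nonce and 64-bit block counter."""
    if len(key) != 32 or len(nonce) != 8:
        raise ValueError("Salsa20 needs a 32-byte key and an 8-byte nonce")
    s = struct.unpack("<4I", SIGMA)
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    c = (counter & MASK32, (counter >> 32) & MASK32)
    state = [s[0], k[0], k[1], k[2],
             k[3], s[1], n[0], n[1],
             c[0], c[1], s[2], k[4],
             k[5], k[6], k[7], s[3]]
    x = list(state)
    for _ in range(10):          # 10 double rounds = Salsa20/20
        _columnround(x)
        _rowround(x)
    return struct.pack("<16I", *[(a + b) & MASK32 for a, b in zip(x, state)])


def salsa20_xor(key, nonce, data, start_block=0):
    """Encrypt or decrypt (the same XOR) with keystream starting at 64-byte block start_block."""
    out = bytearray()
    for off in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, start_block + off // 64)
        out.extend(a ^ b for a, b in zip(data[off:off + 64], ks))
    return bytes(out)


def xor_sector(key, nonce, sector_index, data):
    """Encrypt or decrypt one disk sector. ASSUMPTION: keystream position = sector byte offset / 64,
    the generic stream-cipher convention; this says nothing about NotPetya's own counter scheme."""
    return salsa20_xor(key, nonce, data, start_block=sector_index * SECTOR_SIZE // 64)


def looks_like_mft_record(plaintext):
    """NTFS MFT file records begin with the ASCII signature 'FILE'; a wrong key yields random bytes."""
    return plaintext[:4] == b"FILE"


def pick_key(candidates, nonce, sector_index, ciphertext):
    """Return the first candidate key whose decryption of an MFT sector exposes the 'FILE' signature."""
    for key in candidates:
        if looks_like_mft_record(xor_sector(key, nonce, sector_index, ciphertext)):
            return key
    return None


def demo():
    """Constructed sample: a fake MFT sector is encrypted with a known key, then the key is re-identified."""
    key = bytes(range(32))                       # constructed test key, not from any real infection
    nonce = b"\x00" * 8                          # constructed nonce
    sector_index = 1
    sector = b"FILE0" + bytes(SECTOR_SIZE - 5)   # constructed plaintext with an MFT-like header
    encrypted = xor_sector(key, nonce, sector_index, sector)
    found = pick_key([bytes(32), key], nonce, sector_index, encrypted)
    recovered = found is not None and xor_sector(found, nonce, sector_index, encrypted) == sector
    return {"found_key": found, "recovered": recovered}


if __name__ == "__main__":
    print(demo())
```

Because Salsa20 is a stream cipher, decryption is the same XOR as encryption, so the whole problem reduces to obtaining the correct key, nonce and keystream position for each sector; the "FILE" check is what turns a candidate into a confirmed key, and the same structure check applies to any sector whose plaintext layout is known in advance.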

June 29, 2017

#NotPetya and #Petya compared: any hope for decrypting files? - UPDATED

Positive Technologies expert Dmitry Sklyarov provides here his comparison of NotPetya ransomware, which attacked companies this week, with a sample of Petya from 2016. Is decryption of ransomed files possible? And what does the code tell us about the malware's creation?
This post examines the portions of the two samples responsible for MFT encryption, which runs only when the ransomware has administrator rights.

June 27, 2017

The new malware that broke out today is slightly similar to Petya ransomware known since 2016

Positive Technologies experts are still analyzing the malware sample and gathering additional data, in particular on how it intrudes into a network. But even at this point it is clearly not just a new version of WannaCry. The ransomware combines hacking techniques such as standard system administration utilities and tools for obtaining operating system passwords. This ensures fast spread within the network and causes a large-scale epidemic once even a single computer is infected. As a result, the computer is rendered inoperable and its data is encrypted.