July 7, 2017

Recovering data from a disk encrypted by #NotPetya with Salsa20

Ransomware attacks are an alarming trend of 2017. There have been many such attacks, but the ones that made the headlines are WannaCry and NotPetya (also known as Petya, Petya.A, ExPetr, and other names). With lessons of the previous epidemic heeded, specialists across the globe promptly reacted to the new challenge and, in a matter of hours after the first computers became infected, began analyzing encrypted disks. As early as June 27, the first descriptions[1] of how NotPetya spreads and infects computers appeared. Even better, a vaccine[2] to prevent NotPetya infections was found.

After NotPetya starts, it performs AES encryption of user files with certain extensions while the operating system continues to work. The encryption must be completed within a certain time limit (by default, 1 hour). If it completes in time, the file README.TXT with a ransom demand appears in the root folder. Unfortunately, recovering user files in that case requires knowing the private RSA key (which is allegedly available for purchase on the Darknet for 100 bitcoins). But if the encryption is not completed, is interrupted, or NotPetya does not have the necessary permissions to write to the root folder, the file README.TXT (containing the encrypted key) is not created, and the files encrypted with AES cannot be recovered even with the private RSA key.

The method described below works only if NotPetya had administrator privileges and used the Salsa20 algorithm to encrypt the entire hard disk.

Salsa20 is the second layer of encryption, applied on top of the AES file encryption. However, decrypting the Salsa20 layer is still worthwhile for several reasons:
  • Some file types (for example, images) are skipped during AES encryption.
  • AES encryption is limited in time (usually 1 hour), and what was not encrypted with AES may be recoverable.
  • AES encryption runs under a specific user account. If several user accounts are used on the computer, AES may not have access to other users' data.

Meanwhile, Salsa20 encrypts all data, regardless of file types, time, and access permissions.