Ever since the new Petya (also known as EternalPetya) ransomware outbreak occurred, its payment e-mail was shut down, and it was determined that the virus cannot reverse the encryption even if you pay, many researchers have put their effort into attempting to restore files encrypted by the new virus. What is new, however, is that the creator of the original Petya has resurfaced after being silent for several months, since he released the older Petya, Mischa and GoldenEye variants on the deep web. And he resurfaced with the goal of helping victims crack the virus.
The Petya Creator Offering Help on Twitter
Called by the nickname Janus, the hacker tweeted:
“Maybe it’s crackable with our privkey. Please upload the first 1MB of an infected device, that would help.”
The hacker Janus put the Petya ransomware up for sale back in spring 2016, as many ransomware creators have done, via a RaaS scheme (Ransomware-as-a-Service). However, now that the victims cannot decrypt their files from the modified variant, also known as NotPetya, the hacker appears to be sincere in offering assistance by using his own master decryption key. This may jeopardize his malicious activity, but for a good cause: to help crippled organizations recover their data. It looks like Janus did not mean for the virus to have such a great impact as it did.
The Outbreak Continues
Ever since the outbreak became serious on the 27th of June, many corporate systems, as well as computers that are critical to Ukraine’s infrastructure, have been affected and crippled via the EternalBlue exploit, which is used by the variant later named EternalPetya and was also used by WannaCry. This activity is very similar to the WannaCry ransomware outbreak, which was stopped via a killswitch.
Cybersecurity researchers, like @hasherezade and friends, have revealed on Twitter more information about the virus and how it was coded. The bad news is that it later became clear that the damage done by the ransomware cannot be reversed, because it cripples data in a way that cannot be decrypted. Many are calling the ransomware a cyber-weapon, due to its modification to target organizations massively via their system updates. This is interesting because while WannaCry’s lesson was “always update Windows”, the lesson that the new Petya (the EternalPetya variant) gives is “I am infecting you via the updates”.
The virus hit primarily Windows 7 and Windows XP based operating systems, but around 8% of the computers hit had newer versions of Windows as well, sparking criticism and debates in the cyber-security sphere over whether Windows is still a good choice for organizations.
[Embedded tweet: Mehmet Akcin (@mhmtkcn), June 30, 2017]
The WannaCry outbreak was surely a big one, but it was stopped quite fast. It is curious to see the proportions which the EternalPetya variant will reach, as many already call it bigger than Wcry. What is not good in this particular situation is that the EternalPetya outbreak has also hit hospitals, which means that many people’s lives could be at stake because of ransomware, which really points to the importance of the matter. Researchers are still attempting to fight their way through reverse engineering Petya’s code to try and decrypt data. But even if the master key provided by the hacker Janus succeeds in decrypting the MFT (Master File Table), the Master Boot Record (MBR), which is replaced with an empty block of data, remains a riddle many have yet to solve before they can restore their drives. This is the main reason why many remain skeptical about directly decrypting their drives.
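Two practical points in this article are worth turning into a check a responder can run: Janus asked victims for the first 1 MB of an infected device, and the article notes that the MBR is left as an empty block of data even if the MFT can be decrypted. The following is an added example, not code from the article, from Janus or from any named researcher. It carves the first 1 MiB from a raw disk image and reports whether sector 0 still carries the 0x55AA boot signature, whether it is entirely zero, and which partition entries it lists. The sample MBR is constructed in memory for illustration; the 1 MiB size and the sector layout are assumptions about a plain sector-addressable image, not something the article specifies.

```python
"""Triage the first 1 MiB of a raw disk image (added example, not the article's code).

Assumptions: the input is a raw, sector-addressable image (512-byte sectors)
whose sector 0 would normally be a classic MBR. The sample image is constructed.
"""
import struct

SECTOR_SIZE = 512
FIRST_MIB = 1024 * 1024          # the "first 1MB" requested in the tweet (assumed to be 1 MiB)
BOOT_SIGNATURE = b"\x55\xAA"     # classic MBR boot signature at offset 510
PARTITION_TABLE_OFFSET = 446
PARTITION_ENTRY_SIZE = 16


def carve_first_mib(image: bytes) -> bytes:
    """Return the first 1 MiB of the image (the whole image if it is shorter)."""
    return image[:FIRST_MIB]


def inspect_mbr(sector0: bytes) -> dict:
    """Report whether sector 0 looks like a live MBR or like an empty block.

    Returns a dict with:
      boot_signature - True if bytes 510..511 are 0x55 0xAA
      all_zero       - True if the whole sector is zero bytes
      partitions     - parsed non-empty partition entries (type, LBA start, length)
    """
    if len(sector0) < SECTOR_SIZE:
        raise ValueError("need at least one 512-byte sector")
    sector0 = sector0[:SECTOR_SIZE]

    partitions = []
    for i in range(4):
        start = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        entry = sector0[start:start + PARTITION_ENTRY_SIZE]
        ptype = entry[4]
        if ptype == 0:
            continue  # empty slot
        lba_start, num_sectors = struct.unpack_from("<II", entry, 8)
        partitions.append({
            "bootable": entry[0] == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "num_sectors": num_sectors,
        })

    return {
        "boot_signature": sector0[510:512] == BOOT_SIGNATURE,
        "all_zero": not any(sector0),
        "partitions": partitions,
    }


def build_sample_mbr() -> bytes:
    """Constructed sample: one bootable NTFS-type (0x07) partition starting at LBA 2048."""
    sector = bytearray(SECTOR_SIZE)
    entry = bytearray(PARTITION_ENTRY_SIZE)
    entry[0] = 0x80                               # bootable flag
    entry[4] = 0x07                               # partition type id for NTFS/exFAT
    struct.pack_into("<II", entry, 8, 2048, 204800)  # LBA start, sector count
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


def triage_image_file(path: str) -> dict:
    """Read only the first 1 MiB of an image on disk and inspect its sector 0."""
    with open(path, "rb") as f:
        head = f.read(FIRST_MIB)
    return inspect_mbr(head)


if __name__ == "__main__":
    # Constructed inputs: a healthy MBR beside a sector that was replaced by zeros.
    healthy = inspect_mbr(build_sample_mbr())
    wiped = inspect_mbr(bytes(SECTOR_SIZE))
    print("healthy:", healthy)
    print("wiped:  ", wiped)
```

Running it prints a dictionary for each constructed sector; a sector reported as `all_zero` with no boot signature is consistent with the "empty block" the article describes, and the partition entries of a healthy MBR give the LBA offsets a responder would need when looking for the original partition structure elsewhere on the disk. The `triage_image_file` helper is the same check pointed at a real image and deliberately reads only the first 1 MiB.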