The creator of the original Petya ransomware, a person calling himself Janus, says he has released the private key for decryption of systems infected with the original Petya ransomware. It doesn’t work for the recent NotPetya variant.
He shared key with a Malwarebytes researcher known as Hasherezade. On her GitHub page, she writes, “Looks like this is Janus’ private key for all previous Petya versions.” It would not work with the NotPetya variant, which was distributed last week through the Ukrainian company Intellect Service. She promises to write a decryption tool as soon as she finds the time.
It is unclear whether the tool will still be of value to many people. The Petya ransomware first appeared in March of last year and distinguished itself by rendering the entire system inaccessible after infection. Distribution mainly took place via e-mails with fake job applications. For the first variant, also called Petya Red, a decryption tool appeared afterwards.
According to Hasherezade, it won’t work on later variants, such as Petya Green, Mischa, and Goldeneye. The private key should be for this to work. It wouldn’t be the first time Janus has released ransomware’s decryption keys. In the past, the person behind the name already did that for the competing Chimera ransomware. Janus also offered to help decrypt NotPetya.
Shortly after last week’s internet attacks, it appeared that the malware used was Petya. Afterwards, this turned out not to be the case, which resulted in the name NotPetya, among other things. On Wednesday, the people behind the attack emptied the bitcoin wallet linked to the malware and published a message that they would give away the private key for one hundred bitcoins, converted 225,000 euros.
Motherboard asked the person behind the message to decrypt a file encrypted by NotPetya, which they did successfully. That proves that the person in question has access to the malware’s code, according to two security researchers. Whether that also means that decryption is possible for a large number of victims remains unclear because bugs can get in the way. Security firm F-Secure previously reported that decryption is possible, but only under many conditions.
Several companies, including Microsoft and ESET, concluded that NotPetya was distributed via updates to the MeDoc accounting software from Ukrainian company Intellect Service. Although the company initially denied it, it admitted on Wednesday that attackers had access to the updates. In an analysis published Thursday, Cisco security component Talos writes that the attacker accessed Intellect Service’s servers through stolen administrative data.