The maker of the original Petya ransomware (not to be confused with the latest NotPetya malware) published the encryption master key on Twitter, which should now allow everyone who has been affected by Petya to decrypt their files for free.
Good Guy Malware Maker?
The person or group going by the almost professional-looking name of “Janus Cybercrime Solutions” made the Petya master key available on Twitter without further comments on why they are releasing it.
Over the past few days, NotPetya, a piece of malware that may have been based on a version of Petya, has started infecting thousands of companies in Ukraine. It's plausible that the Janus group wanted to make it clear that the latest attack, which has brought much unwanted media attention, isn't organized by them.
One way to do that is to "fix" the damage they've previously done with their own Petya ransomware by releasing the key that can decrypt the files locked by it. The key works for files encrypted by all three versions of Petya (the ones showing the red, yellow, and green skull flash screens). However, to actually use the key, a Petya decryptor tool will have to incorporate it. Such tools should show up online shortly.
Apparently, Janus didn't want to make it too easy for security researchers, so they put a password on the file they linked on Twitter for download. However, the password seems to have been easily brute-forced using a dictionary attack.
Janus previously leaked the master key for Chimera, a rival ransomware.
Key Unusable Against NotPetya
As NotPetya seems to have been created and deployed by a different group, it makes sense that the key Janus released wouldn’t work on NotPetya, which also used a different encryption scheme than the one used in the original Petya.
Janus previously claimed that Petya was "pirated," but only after they had tried to give other cybercrime groups the ability to make their own Petya variants through a subscription service. If Petya was indeed pirated, then other malware makers should be able to create Petya spin-offs even if Janus has completely shut down all operations to avoid becoming a target of various law enforcement agencies.