NotPetya: flaws in virus could help victims salvage their files, researcher claims

A researcher claims to have discovered a way for victims of the NotPetya attack to decrypt their files.

Dmitry Sklyarov of Positive Technologies says the creators of the virus failed to properly implement an encryption algorithm known as Salsa20.

Their errors could help recovery experts to unlock files stored on a hard drive that has been encrypted.

“Recovering data from a hard drive with this method requires applying heuristics, and may take several hours,” said Sklyarov, head of reverse engineering at Positive Technologies.

“The completeness of data recovery depends on many factors (disk size, free space, and fragmentation) and may be able to reach 100% for large disks that contain many standard files, such as OS and application components that are identical on many machines and have known values.”

Sklyarov outlined the method in a blog, acknowledging that it would not work if NotPetya had been unable to obtain administrator privileges while running. If it cannot acquire those permissions, the virus performs Advanced Encryption Standard (AES) encryption instead.

“Unfortunately, recovering user files in that case requires knowing the private RSA key (which is allegedly available for purchase on the Darknet for 100 bitcoins),” said Sklyarov.

Steven Murdoch, principal research fellow at UCL’s Cyber Security Institute, told New Statesman Tech that the blog would be useful to data recovery firms.

“An expert can use that to manually remove the information from one disk, with expertise, knowledge of how the computer is set up and a bit of luck,” said Murdoch. “If there’s a company that really needs data back, data recovery firms will be able to make use of this blogpost and help retrieve some of this information.”

But Murdoch added that it would not help individual users who lack access to technical expertise: “We still need an automated tool for general users.”

When it was first detected, the virus was mistaken for a well-known type of ransomware called Petya, but security researchers have since said it is significantly more destructive.

Confusion appears to have stemmed from the fact that the code was masquerading as the ransomware. Cybersecurity expert the Grugq has said, however, that the similarities were only skin deep.

“Although there is significant code sharing, the real Petya was a criminal enterprise for making money. This [malware] is definitely not designed to make money,” the Grugq said. “This is designed to spread fast and cause damage, with a plausibly deniable cover of ransomware.”