The author of the original Petya ransomware that made news more than a year ago, known only by the name Janus, is now reaching out on Twitter to see if he can help victims of the modified NotPetya ransomware, which is now thought to be a destructive data wiping malware in disguise.
— JANUS (@JanusSecretary) June 28, 2017
The wording of the message indicates that Janus might have a master decryption key that would help unlock victims’ files, but it might not be that simple.
For any decryption key to work, the MBR, or master boot record, needs to be available. This is a special boot sector of the storage device in a computer where the boot loader resides: the code that helps load the installed operating system.
The problem with NotPetya is that the master boot record is wiped, with no copy kept. In such a scenario, no decryption key would work, because the MBR contains the partition table that records where each disk partition starts. In fact, even a damaged MBR can wreak havoc until it is repaired. Repair is often a simple process, but the MBR needs to be present in some form for a decryption key to work. A damaged or obliterated MBR can be recreated, but doing so requires specialized partitioning tools.
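As an added illustration (not part of the original article or of any tool it mentions), the following Python parses a classic 512-byte MBR the way a recovery tool would: it checks the 0x55AA boot signature and reads the four partition table entries that give each partition's starting sector. The sample MBR is constructed here, and a zero-filled sector stands in for a wiped one.

```python
import struct

SECTOR_SIZE = 512
MBR_SIGNATURE = b"\x55\xAA"          # boot signature at bytes 510-511
PARTITION_TABLE_OFFSET = 446         # four 16-byte entries follow the boot code
PARTITION_ENTRY_SIZE = 16


def parse_mbr(sector: bytes) -> dict:
    """Validate a 512-byte MBR and return its non-empty partition entries.

    Each entry: status (0x80 = bootable), 3 bytes CHS start, type byte,
    3 bytes CHS end, 32-bit LBA of the first sector, 32-bit sector count.
    """
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != MBR_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature: MBR is damaged or wiped")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * PARTITION_ENTRY_SIZE
        status, ptype, lba_start, sectors = struct.unpack_from("<B3xB3xII", sector, off)
        if ptype == 0:               # type 0 marks an unused entry
            continue
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    if not partitions:
        raise ValueError("partition table is empty: partition starts cannot be located")
    return {"bootcode": sector[:PARTITION_TABLE_OFFSET], "partitions": partitions}


def build_sample_mbr() -> bytes:
    """Constructed sample: placeholder boot code plus one bootable NTFS-type
    partition (0x07) starting at LBA 2048 and spanning 204800 sectors."""
    sector = bytearray(SECTOR_SIZE)
    sector[0:2] = b"\xEB\x63"        # stand-in jump instruction, not real boot code
    entry = struct.pack("<B3sB3sII", 0x80, b"\0\0\0", 0x07, b"\0\0\0", 2048, 204800)
    sector[PARTITION_TABLE_OFFSET:PARTITION_TABLE_OFFSET + PARTITION_ENTRY_SIZE] = entry
    sector[510:512] = MBR_SIGNATURE
    return bytes(sector)


def mbr_status(sector: bytes) -> str:
    """Report whether partitions can still be located from this MBR."""
    try:
        info = parse_mbr(sector)
    except ValueError as err:
        return f"unrecoverable without repair: {err}"
    starts = ", ".join(str(p["lba_start"]) for p in info["partitions"])
    return f"ok: partition start LBAs {starts}"


if __name__ == "__main__":
    print(mbr_status(build_sample_mbr()))   # intact table, partition found
    print(mbr_status(bytes(SECTOR_SIZE)))   # zero-filled sector: nothing to locate
```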
What Janus is offering seems like an altruistic move, but we need to remember that he created and sold the malware in the first place.
NotPetya is quickly getting bigger than even WannaCry, and has already shut down Ukraine’s Kyiv Boryspil International Airport, several banks and a power company. Elsewhere, the malware has hit at least two Pittsburgh area hospitals, where surgeries had to be cancelled because of system outages. Dutch shipping major A.P. Moller-Maersk has also been forced to shut down several container terminals across the globe.
This attack doesn’t seem to be restricted to any particular country or industry type. It’s spreading fast, and it’s much more dangerous than WannaCry, which had several flaws that forced it to fizzle out in a few weeks.
Janus still hasn’t provided the source code for Petya, but hackers everywhere are now trying to reverse-engineer compromised systems to find a solution.
If Janus can effectively provide a fix for affected systems, there’s still no guarantee that he’ll offer it for free. He might, but he’s clearly in it for the money, as his earlier sale of Petya as a Ransomware-as-a-Service (RaaS) application to other hackers back in March 2016 shows.
Source: The Hacker News