Your IT Consultant

Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.

Get the Petya Ransomware Decrypt Password for Free

April 13, 2016

Petya is a pretty scary infection that takes ransomware to a new level. It not only encrypts your data, but encrypts the entire hard disk, including the master boot record (MBR). Encrypting the MBR means that the drive won't even boot, since there is effectively no recognizable file system. Thanks to the efforts of a security researcher and a bug in the software, you won't have to pay the ransom in order to get access to your infected drive. The process may be a bit complicated for most users, but there are tools to help you along. A recent BGR post is a good starting point.

You have to connect the infected drive to another uninfected computer. You'll then need to extract data from the hard drive: "specifically (1) the base-64-encoded 512 bytes starting at sector 55 (0x37h) with an offset of 0 and (2) the 64-bit-encoded 8-byte nonce from sector 54 (0x36) offset 33 (0x21)." I'm sure that sounds a little scary for most users who are not comfortable with forensic tools or hex editors. Not to worry, you can use the free Petya Sector Extractor tool, which automates the process. After you grab the requisite data, you enter it into a web app to disclose the decryption password. Cool beans.
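As an added illustration (not code from this post or from the Sector Extractor tool), here is what the extraction step boils down to when you have a raw image of the infected drive: read sector 55 whole and the 8 bytes at sector 54 offset 0x21, then base64-encode both. It assumes standard 512-byte sectors and zero-based sector numbering, which is how the quoted offsets read; the sample image is constructed, not a real infected disk.

```python
import base64

SECTOR_SIZE = 512  # assumed: 512-byte sectors, as the quoted offsets imply


def extract_petya_key_material(image: bytes) -> dict:
    """Return the two base64 strings the decryption web app asks for.

    'verification_data' is all 512 bytes of sector 55 (offset 0);
    'nonce' is the 8 bytes at sector 54, offset 0x21.
    """
    needed = 56 * SECTOR_SIZE  # we must be able to read sector 55 in full
    if len(image) < needed:
        raise ValueError(f"image too short: need {needed} bytes, got {len(image)}")

    sector55 = image[55 * SECTOR_SIZE:56 * SECTOR_SIZE]
    nonce_start = 54 * SECTOR_SIZE + 0x21
    nonce = image[nonce_start:nonce_start + 8]

    return {
        "verification_data": base64.b64encode(sector55).decode("ascii"),
        "nonce": base64.b64encode(nonce).decode("ascii"),
    }


def extract_from_image_file(path: str) -> dict:
    """Read only the first 56 sectors of a raw disk image (e.g. from dd) and extract."""
    with open(path, "rb") as f:
        head = f.read(56 * SECTOR_SIZE)
    return extract_petya_key_material(head)


def build_sample_image() -> bytes:
    """Constructed 64-sector image with marker bytes where Petya keeps the data."""
    img = bytearray(64 * SECTOR_SIZE)
    img[55 * SECTOR_SIZE:56 * SECTOR_SIZE] = bytes([0x37]) * SECTOR_SIZE
    img[54 * SECTOR_SIZE + 0x21:54 * SECTOR_SIZE + 0x29] = b"NONCE123"
    return bytes(img)


if __name__ == "__main__":
    result = extract_petya_key_material(build_sample_image())
    print("nonce:", result["nonce"])
    print("verification data:", result["verification_data"][:32], "...")
```

Run it against a real image by calling `extract_from_image_file("/path/to/image.dd")`; the two strings it prints are what you paste into the web app.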

E-mail: Phone: 703.359.0700
Digital Forensics/Information Security/Information Technology
http://www.linkedin.com/in/johnsimek
http://www.senseient.com