Golden eye

In light of the devastating NotPetya attack, the creator of the original Petya ransomware has released his private key for the malware. This means victims of the original Petya attacks (excluding NotPetya) will be able to decrypt their files for free.

The original Petya ransomware (aka GoldenEye) encrypts the Master File Table using Salsa20, locking the victim’s entire system down.

It was hijacked by the creators of NotPetya, who carefully manipulated its assembly code to create the destructive wiper that swept through Ukraine two weeks ago. Important changes include removing the ability to actually restore encrypted files, as the victim’s keys are erased after encryption.

To obtain the key, security researchers had to jump through a couple of hoops. About a week after the NotPetya outbreak, the creator tweeted a link to an encrypted file, with a password hint.

Janus Petya Key clue

Researchers used this quote (from the GoldenEye movie) to figure out the password and decrypt the file, which contained the private key and some implementation details for the ransomware. 

To add protection against Petya, we recommend enabling the following targets:

  • Standard Mode
    • TS Curated - Ransomware - IPs
    • TS Curated - Ransomware - Domains
  • Expert Mode (included in the curated targets for standard mode) 
    • TS Originated - Ransomware - IPs
    • TS Originated - Ransomware - Domains

If you do not have a ThreatSTOP account, sign up to try a free demo.

If you do have a ThreatSTOP account, instructions to add targets to DNS or IP Defense policies are available on the ThreatSTOP Documentation Hub. Or, contact our Support team.