‘Systems affected by NotPetya can be manually decrypted under certain conditions’


Researchers from security firm Positive Technologies have taken a closer look at the encryption of the NotPetya malware. They state that in certain cases it is possible to decrypt infected systems, although there is as yet no simple solution.

One condition for decryption is that the NotPetya malware gained administrative privileges on the affected system. In that case the malware encrypts with the Salsa20 stream cipher, the researchers said. If it fails to obtain those privileges, encryption is done with AES instead, and for those files there is as yet no way to restore the data.

Recovery is possible because the people behind NotPetya made mistakes in their implementation of Salsa20. Salsa20 is a stream cipher: from the key and a nonce it generates a keystream, and the plaintext is combined with that keystream bit by bit (XOR) to produce the ciphertext. One of the errors meant that only 128 of the key's 256 bits actually influence the keystream.

In addition, the keystream can be reconstructed from standard files that are present on every Windows installation and whose contents are therefore known: XORing the known plaintext of such a file with its ciphertext yields the keystream bytes that were applied at that position. This can be done, for example, by matching the encrypted sectors against all standard DLL and EXE files. Once enough of the keystream has been recovered in this way, unique files can be decrypted as well, according to the researchers.
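The two mechanisms described above, a key of which only 128 of 256 bits matter and keystream recovery from known plaintext, are shown below in a worked example added here; it is not code from the article or from Positive Technologies' analysis. The Salsa20 core follows Bernstein's specification. The functions `flawed_block` and `encrypt_sectors_reusing_keystream` are hypothetical constructions that illustrate the two classes of error (a key expansion that drops half the key, and a disk encryptor that reuses the same keystream bytes for every sector); they are not NotPetya's actual code, and the key, nonce and sector contents are constructed sample data.

```python
import struct

MASK32 = 0xFFFFFFFF
SECTOR = 512  # disk sector size used for the constructed example


def _rotl32(v, n):
    return ((v << n) | (v >> (32 - n))) & MASK32


def _quarterround(x, a, b, c, d):
    # Salsa20 quarter-round on four words of the state, in place.
    x[b] ^= _rotl32((x[a] + x[d]) & MASK32, 7)
    x[c] ^= _rotl32((x[b] + x[a]) & MASK32, 9)
    x[d] ^= _rotl32((x[c] + x[b]) & MASK32, 13)
    x[a] ^= _rotl32((x[d] + x[c]) & MASK32, 18)


def salsa20_block(key, nonce, counter, rounds=20):
    """Return one 64-byte Salsa20 keystream block (Bernstein's specification).

    A 32-byte key uses the 'sigma' constants and both key halves; a 16-byte
    key uses the 'tau' constants with the same 16 bytes in both key slots.
    """
    if len(key) == 32:
        const, k0, k1 = b"expand 32-byte k", key[:16], key[16:]
    elif len(key) == 16:
        const, k0, k1 = b"expand 16-byte k", key, key
    else:
        raise ValueError("Salsa20 key must be 16 or 32 bytes")
    c = struct.unpack("<4I", const)
    n = struct.unpack("<2I", nonce)
    ctr = (counter & MASK32, (counter >> 32) & MASK32)  # 64-bit block counter, low word first
    state = [c[0], *struct.unpack("<4I", k0), c[1], *n, *ctr,
             c[2], *struct.unpack("<4I", k1), c[3]]
    x = state[:]
    for _ in range(rounds // 2):
        _quarterround(x, 0, 4, 8, 12)     # column round
        _quarterround(x, 5, 9, 13, 1)
        _quarterround(x, 10, 14, 2, 6)
        _quarterround(x, 15, 3, 7, 11)
        _quarterround(x, 0, 1, 2, 3)      # row round
        _quarterround(x, 5, 6, 7, 4)
        _quarterround(x, 10, 11, 8, 9)
        _quarterround(x, 15, 12, 13, 14)
    return struct.pack("<16I", *((a + b) & MASK32 for a, b in zip(x, state)))


def salsa20_xor(key, nonce, data, start_block=0):
    """Encrypt or decrypt data by XORing it with the keystream starting at start_block."""
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = salsa20_block(key, nonce, start_block + i // 64)
        out += bytes(a ^ b for a, b in zip(data[i:i + 64], ks))
    return bytes(out)


def flawed_block(key, nonce, counter):
    """Hypothetical key-expansion bug, for illustration only (not NotPetya's code):
    a 32-byte key is accepted, but only its first 16 bytes reach the cipher state,
    so just 128 of the 256 key bits influence the keystream."""
    return salsa20_block(key[:16] + key[:16], nonce, counter)


def encrypt_sectors_reusing_keystream(key, nonce, sectors):
    """Hypothetical flawed disk encryptor, for illustration only: every sector is XORed
    with the keystream from block 0, so all sectors share the same keystream bytes."""
    return [salsa20_xor(key, nonce, s, start_block=0) for s in sectors]


def recover_keystream(ciphertext, known_plaintext):
    """Known-plaintext step: ciphertext XOR plaintext gives the keystream bytes at those positions."""
    return bytes(c ^ p for c, p in zip(ciphertext, known_plaintext))


def decrypt_with_keystream(ciphertext, keystream):
    return bytes(c ^ k for c, k in zip(ciphertext, keystream))


def demo():
    """Recover a unique sector using only a known standard file and its ciphertext."""
    key = bytes(range(32))   # constructed key
    nonce = bytes(8)         # constructed nonce
    # Constructed stand-in for a sector of a standard Windows executable (known contents).
    known = (b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\r\n").ljust(SECTOR, b"\x00")
    # Constructed stand-in for a sector of a user's unique file (unknown to the analyst).
    unique = b"Quarterly figures, not backed up anywhere.".ljust(SECTOR, b"\x00")
    enc_known, enc_unique = encrypt_sectors_reusing_keystream(key, nonce, [known, unique])
    keystream = recover_keystream(enc_known, known)  # needs no knowledge of the key
    return decrypt_with_keystream(enc_unique, keystream) == unique


if __name__ == "__main__":
    print("unique sector recovered:", demo())
```

Two points worth noting. First, `demo()` never learns the key: with a stream cipher, a sector of known plaintext gives away exactly the keystream bytes at that position, and those bytes only help with other data if the encryptor applied the same keystream positions elsewhere, which is the reuse the hypothetical encryptor models. Second, halving the effective key to 128 bits (`flawed_block`) does not by itself make brute force feasible; it is the keystream recovery, not key search, that the described decryption relies on. Before using the Salsa20 core for anything beyond illustration, check it against the published Salsa20 test vectors.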

An automated decryption tool is not yet available, and manual decryption takes a long time, according to the researchers. Still, their findings could be used in the future by companies specializing in file recovery. How completely files can be recovered also depends on a number of additional factors, such as hard drive size, available space, fragmentation and the presence of standard files.

Last week, it emerged that the creator of the original 2016 Petya ransomware, someone who calls himself Janus, had released his private key. A Malwarebytes researcher indicated that she was working on a decryption tool, which, however, would not work for NotPetya. In addition, those behind NotPetya also said they would release the decryption key for 100 bitcoin. They opened a chat room for communication, but have made no statements about the key since.
