
Hack-petya mission accomplished – Petya ransomware decryptor - aw3c2
https://github.com/leo-stone/hack-petya
======
aerovistae
Must be pretty nice to have a son-in-law who can, oh, you know, just come over
for Easter and reverse-engineer the cryptographically complex malware holding
your system hostage.

~~~
yesiamyourdad
Less at stake on this one, but I had a friend in college whose father was a
business owner. He was stuck with some database software that all his customer
records were locked in; he wanted to migrate but had no way out other than
copying them all over by hand. Up until one weekend when his daughter brought
home her boyfriend, who dad had regarded as a dirty hippie up until then.
Turns out dirty hippie was a pretty good hacker and in the course of a few
hours, he wrote a program to export dad's database into a usable format.

Moral: your significant other may not be impressed by your hacking skills, but
you might win the family over for life in a few hours.

~~~
annnnd
I am guessing the daughter was less impressed by the event? I mean, she went
out of her way to find someone her parents disliked, and it turns out he is
just what his father was looking for... :)

~~~
it_luddite
I realize it was a tongue in cheek comment (at least interpreted that way),
but that was a serendipitous opportunity for the young lady's boyfriend. I
know I've had several such opportunities with my now in laws. Regardless of
the differences of opinions, nothing wins over people more than just helping
when help is needed.

------
mschuster91
Jeez, thank God that malware authors are too stupid to include gnupg within
their code.

I'm afraid of the moment when they get more clever. Or if they include
filesystem drivers that silently encrypt every file... if done right, you can
even compromise backups transparently for weeks until arming, so that backups
are essentially useless too.

~~~
leni536
> so that backups are useless too

It can hardly be considered a backup if it's easily compromised from your
every day computer. In a good backup configuration your computer only have
read and "append only" privilages for the backup so past snapshots are safe.

Having said that not many people have this kind of config (including me).

~~~
SmellyGeekBoy
Not sure why you're being downvoted, you make a very valid point.

~~~
leni536
I guess it's because this kind of backup doesn't mitigate an ongoing
compromise of your machine (much like what the GP talked about). I don't think
any backup can protect for that. However a good backup limits the damage to
the timeframe of the machine being compromised (if your machine is compromised
for 1 day you might only lose that day's new data).

------
d33
> Last, but not least, it fires up a genetic solver which gets us the key in a
> few seconds.

That's pretty impressive! On the other hand, is it a general vulnerability of
Salsa that genetic solvers can break it? Sounds like a huge vulnerability.

~~~
RUBwkVjwLsDKgPw
It's a 16-bit version of Salsa20, which is far less secure. Proof: this
project. I have no clue what possessed the author to do this.

Stop hand-rolling crypto, people! Ransomware needs security too. :(

~~~
mangeletti
My guess is that the authors wanted to ensure they could encrypt a full disk
quickly.

~~~
arviewer
Maybe it's just a test to see how quickly this was broken.

------
AdmiralAsshat
What's the shelf-life of one of these ransomware fix utilities? I'd be
inclined to assume that if they operate by exploiting a flaw in the
ransomware, the ransomware author can simply "fix" the bug and the utility no
longer works.

~~~
tux3
Here the crypto used by the ransomware seems to be thoroughly and
systematically broken, so while it's certainly possible that a stronger
variant will appear, I have my doubts on the author's capacity to do much
"better" any time soon. I'm far from being a cryptographer, but at a glance it
looks so weak I have to wonder if it's deliberate.

~~~
kobayashi
>at a glance it looks so weak I have to wonder if it's deliberate.

Any suppositions as to why it would be deliberate?

~~~
tux3
Well, I can't say that it's deliberate, but it's definitely some "interesting"
choices.

A reasonable Salsa20/20 implementation on a modest processor encrypts on the
order of 400MiB/s [0][1]. So that the author went to the trouble of halving
the number of rounds and changing the word-size when there are perfectly good
and plenty fast off-the-shelf Salsa implementations strikes me as rather
strange. Surely this is not the bottleneck on most employee's machines.

And then there's the apparently tiny keyspace used. You could argue that this
makes the key more "user-friendly" (!), but just a hex representation of a
random 256bit key would seem much more natural, and the poor targets are
hardly in a position to complain.

[0]
[https://www.cryptopp.com/benchmarks.html](https://www.cryptopp.com/benchmarks.html)
[1] [https://cr.yp.to/snuffle.html](https://cr.yp.to/snuffle.html)

~~~
sleepychu
Actually customer service is _very_ important to these operations. They have
to create trust that paying will relieve your machine of their infliction.

------
joshumax
I have the strangest urge to build a tiny user space around the malware kernel
that gets booted by the infected MBR... _opens IDA_

~~~
Godel_unicode
Careful, I don't know about you but anytime I have a thought that ends with
"let me just open IDA real quick" nobody sees me for 2-3 weeks minimum.

~~~
philovivero
I don't know what IDA is, but you get an upvote, because I have had this exact
experience so many times... so many times.

If I could have a dollar for everytime I put my head to a random problem and
came out 3 months later... I'd have more than fifty dollars.

~~~
umanwizard
IDA is _the_ industry-standard binary disassembly tool. Expensive, so used
over (dramatically) cheaper competitors like Hopper mainly by people whose
company pays for a license :D

~~~
coldtea
Or people who have ...disassembled the locked down original?

~~~
hatsunearu
I got to play with some hackmes in a hackathon and my teammates got frustrated
by the crippled IDA demo version that they just downloaded a pirate version.

Amusingly the readme for the pirate version said "I cracked it with IDA Pro"
or something along those lines.

------
Cpoll
I'm guessing the ransomware uses Salsa10 because it's fast?

According to
[https://www.cryptopp.com/benchmarks.html](https://www.cryptopp.com/benchmarks.html),
Salta20 is 4x faster than AES - and if I understand it, Salsa10 is half the
iterations.

~~~
TillE
Salsa20 / ChaCha20 are quite nice when you want to do byte-for-byte file
encryption. It's a good choice in a lot of situations.

The unusually reduced number of rounds is more difficult to explain, since I
expect hard drive I/O would be the bottleneck in almost any situation. Maybe
it's just a little more "stealthy" to not have elevated CPU usage while the
ransomware is incubating.

------
eugenekolo2
"Don't roll your own crypto" strikes again.

------
mijoharas
Are there any security researchers that can comment on this? I'm very confused
about the efficacy of a genetic algorithm on a hashing function. Having read
some of the comments, I'm only more confused (how can the symmetric difference
be a useful fitness function?).

------
lqdc13
Anyone has a link to the malware sample?

~~~
caffeinewriter
Looks like someone got their hands on a sample to throw in theZoo. Also, live
malware sample warning! BE VERY CAREFUL WITH THESE.

hxxps://github(dot)com/ytisf/theZoo/tree/master/malwares/Binaries/Ransomware.Petya

------
cfarre
Great!

------
totoroisalive
HN typical question:

Why Go?

