I took a closer look at the Petya ransomware MBR modification(s). It turns out that Petya is indeed just a poor “DOS-style” Master Boot Record virus, with no “military strength” full-disk encryption involved AT ALL. In other words: Petya is a joke.

Fact is: after execution, the (active) MBR partition (Partition0) gets infected by a custom Petya MBR. GPT-partitioned HDDs are not affected. The ransomware then “encrypts” the actual MBR record, i.e. sector 0 (512 bytes) of the Windows drive, by XORing it with the single-byte key 0x37.

The encrypted MBR is then copied to offset 0x7000 on the HDD. The original MBR is then overwritten by the Petya MBR bootloader: a stub which eventually jumps to the ransom payload:

[Screenshot: hex dump comparison]

Left: Original MBR, XOR’ed with 0x37, stored at 0x7000 (encrypted copy)
Right: Original Windows XP MBR (original)

Note: 0x04 (encrypted) XOR 0x37 (the key) = 0x33 (original value)

So there is nothing special here. After all, Petya is a weak and poorly implemented ransomware. It can easily be removed by:

  • Clone your infected HDD. Whatever you do, work with a copy of your HDD, ALWAYS!
  • Un-XOR your original MBR (XOR’ed) at 0x7000 using XOR with the key byte 0x37.
  • Copy that sector from 0x7000 back to 0x0 (overwrite the Petya MBR with the original MBR).
  • Optionally, delete (set to zero) the bytes from sector 2 up to NTBOOTLOADER-1.
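The recovery steps above, and the infection behaviour they undo, as an added Python example that is not part of the original post. It works on a disk image file (a copy of the HDD, as the first step demands), reads the XOR’ed backup at byte offset 0x7000, decodes it with the key 0x37 and writes it back over sector 0. The 0x55 0xAA boot-signature check is an added sanity test of my own, not something the post describes, and the "infected image" used for the demo is constructed in memory, not a real Petya sample. The optional zeroing of sectors 2 to NTBOOTLOADER-1 is left out because the post does not give that offset.

```python
# Added example (not from the original post): undo Petya's MBR swap on a disk
# image. Operate on a COPY of the infected drive, never the live disk.
from typing import Tuple

SECTOR_SIZE = 512
XOR_KEY = 0x37               # single-byte key reported in the write-up
BACKUP_OFFSET = 0x7000       # byte offset where the XOR'ed original MBR is stored
MBR_SIGNATURE = b"\x55\xAA"  # a valid MBR ends with these two bytes (added check)


def xor_sector(sector: bytes, key: int = XOR_KEY) -> bytes:
    """XOR every byte with the key. XOR is its own inverse, so one function
    both reproduces the 'encryption' and decodes it (e.g. 0x04 ^ 0x37 == 0x33)."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    return bytes(b ^ key for b in sector)


def decode_backup(encoded: bytes, key: int = XOR_KEY) -> bytes:
    """Decode the stored copy and refuse to proceed if the result does not
    look like an MBR; a wrong key or offset is caught before sector 0 is touched."""
    original = xor_sector(encoded, key)
    if original[-2:] != MBR_SIGNATURE:
        raise ValueError("decoded sector lacks the 55 AA boot signature; wrong key or offset?")
    return original


def recover_mbr(image: bytearray) -> bytes:
    """Restore sector 0 of an in-memory image from the backup at 0x7000.
    Returns the restored MBR."""
    if len(image) < BACKUP_OFFSET + SECTOR_SIZE:
        raise ValueError("image too small to contain the 0x7000 backup sector")
    encoded = bytes(image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR_SIZE])
    original = decode_backup(encoded)
    image[0:SECTOR_SIZE] = original
    return original


def recover_image_file(path: str) -> bytes:
    """Same recovery for an image file on disk, patched in place (use on a copy)."""
    with open(path, "r+b") as f:
        f.seek(BACKUP_OFFSET)
        original = decode_backup(f.read(SECTOR_SIZE))
        f.seek(0)
        f.write(original)
    return original


def build_constructed_infected_image() -> Tuple[bytearray, bytes]:
    """Constructed test data: a made-up 512-byte MBR, then the modification the
    write-up describes (XOR'ed copy at 0x7000, stub overwriting sector 0)."""
    clean_mbr = (bytes(range(256)) * 2)[:-2] + MBR_SIGNATURE
    image = bytearray(clean_mbr + b"\x00" * (64 * SECTOR_SIZE - SECTOR_SIZE))
    image[BACKUP_OFFSET:BACKUP_OFFSET + SECTOR_SIZE] = xor_sector(clean_mbr)
    fake_stub = b"\xEB\xFE" + b"\x90" * (SECTOR_SIZE - 4) + MBR_SIGNATURE  # jmp $ + NOPs
    image[0:SECTOR_SIZE] = fake_stub
    return image, clean_mbr


if __name__ == "__main__":
    img, clean = build_constructed_infected_image()
    print("sector 0 matches original before recovery:", bytes(img[:SECTOR_SIZE]) == clean)
    recover_mbr(img)
    print("sector 0 matches original after recovery: ", bytes(img[:SECTOR_SIZE]) == clean)
```

For a real image, `recover_image_file("copy_of_infected_disk.img")` applies the same two steps; the signature check will refuse a sector that does not end in 55 AA, which is the quickest way to notice the backup is not where this particular sample put it.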

[Screenshot: hex dump comparison]

Left: Petya MBR stub (infected)
Right: Original MBR, XOR’ed with key 37h, saved at 0x7000 by the ransomware