Tuts 4 You

Reversing the petya ransomware with constraint solvers

Extreme Coders


Extreme Coders

Ransomware is very common these days. Once it installs on a user machine it begins encrypting files.
When the user comes to know about the ransomware attack it is already too late. Unless the user has a backup, he/she must pay the ransom to recover the files.
Luckily there have been cases where, due to a faulty implementation of cryptography, breaking such malware becomes feasible.
The recently discovered Petya ransomware is an example.

This blog post is a short walk-through on breaking the Petya ransomware with constraint solvers. Hope you like it & find it useful.



Hehe, just last week I said to myself - "how is it possible that Extreme Coders doesn't have a blog? He surely has lots of interesting things to write about!":) 

Keep on writing, I'll keep on reading!


Extreme Coders

Thanks man.
Your works are a source of inspiration for many.

5 hours ago, kao said:

Hehe, just last week I said to myself - "how is it possible that Extreme Coders doesn't have a blog?

Hmm, that looks like telepathy. Blogging was not a priority for me, but I decided to give it a go & it's not bad either.


  • 1 month later...

These are some links stored @ 13 April 2016

Get your Petya encrypted disk back, WITHOUT paying ransom!!! - generator @:

how to use generator -

generator author - visit his dad -

Debugging Petya bootloader with IDA

0day - Ransomware

CryptXXX Ransomware Will Now Steal Your Passwords as Well

New Cerber Ransomware Variants Morph Every 15 Seconds

Edited by whoknows

  • 1 year later...

New version of "Petya.C"

"Major firms, airports and government departments in Ukraine have been struck by a massive cyber attack which began to spread across Europe on Tuesday afternoon.

In Ukraine, government departments, the central bank, a state-run aircraft manufacturer, the airport in Kiev and the metro network have all been paralysed by the hack."

The new version uses these vulnerabilities:

  • MS17-010 (used by WannaCry);
  • CVE-2017-0199 (https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-0199)
  • CVE-2017-0144, EternalBlue (https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-0144)

More people have already paid into the purse (Bitcoin):

