Positive Technologies publishes method for recovering data encrypted by NotPetya

Positive Technologies expert Dmitry Sklyarov has created a method to recover data encrypted by the NotPetya malware, which struck over 100 companies in Ukraine, Russia, and other countries in late June 2017. The method applies to systems on which NotPetya ran with administrator privileges and encrypted the entire hard disk at the sector level; it does not cover the separate file-level encryption NotPetya performs when it does not obtain those privileges.

The recovery is possible because of errors NotPetya's authors made in their implementation of the Salsa20 stream cipher; the cipher itself is not broken. The recovery method has been successfully verified on a test system as well as on an encrypted hard disk belonging to one of the victimized companies.

Companies and developers specializing in data recovery are free to use and automate the described method, including in their own tools.

“Recovering data from a hard drive with this method requires applying heuristics, and may take several hours,” says Dmitry Sklyarov, Head of Reverse Engineering at Positive Technologies. “The completeness of data recovery depends on many factors (disk size, free space, and fragmentation) and may be able to reach 100% for large disks that contain many standard files, such as OS and application components that are identical on many machines and have known values.”
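The following is an added illustration of the general principle behind known-plaintext recovery from a misused stream cipher; it is not Sklyarov's method, not Positive Technologies' code, and not a description of the actual bug in NotPetya. It uses a correct Salsa20/20 block function together with a hypothetical usage flaw (the block counter is derived from the sector index modulo a small period, so sectors repeat keystream). Sectors whose content is known in advance (standing in for the "standard files" mentioned above) give up their keystream by XOR, and that keystream decrypts every other sector that shares it. The key, nonce, disk contents and the period are all constructed for the example.

```python
import struct

SECTOR_SIZE = 512
BLOCK_SIZE = 64
BLOCKS_PER_SECTOR = SECTOR_SIZE // BLOCK_SIZE  # 8 keystream blocks per sector
PERIOD = 4  # hypothetical flaw: keystream repeats every PERIOD sectors (not NotPetya's real bug)


def _rotl32(v, n):
    return ((v << n) & 0xFFFFFFFF) | (v >> (32 - n))


def _quarter_round(x, a, b, c, d):
    x[b] ^= _rotl32((x[a] + x[d]) & 0xFFFFFFFF, 7)
    x[c] ^= _rotl32((x[b] + x[a]) & 0xFFFFFFFF, 9)
    x[d] ^= _rotl32((x[c] + x[b]) & 0xFFFFFFFF, 13)
    x[a] ^= _rotl32((x[d] + x[c]) & 0xFFFFFFFF, 18)


def salsa20_block(key, nonce, counter):
    """Standard Salsa20/20 block function: 32-byte key, 8-byte nonce,
    64-bit block counter -> 64 bytes of keystream."""
    c = struct.unpack("<4I", b"expand 32-byte k")
    k = struct.unpack("<8I", key)
    n = struct.unpack("<2I", nonce)
    state = [c[0], k[0], k[1], k[2], k[3], c[1], n[0], n[1],
             counter & 0xFFFFFFFF, (counter >> 32) & 0xFFFFFFFF,
             c[2], k[4], k[5], k[6], k[7], c[3]]
    x = list(state)
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(x, 0, 4, 8, 12)    # column rounds
        _quarter_round(x, 5, 9, 13, 1)
        _quarter_round(x, 10, 14, 2, 6)
        _quarter_round(x, 15, 3, 7, 11)
        _quarter_round(x, 0, 1, 2, 3)     # row rounds
        _quarter_round(x, 5, 6, 7, 4)
        _quarter_round(x, 10, 11, 8, 9)
        _quarter_round(x, 15, 12, 13, 14)
    return struct.pack("<16I", *[(x[i] + state[i]) & 0xFFFFFFFF for i in range(16)])


def xor_bytes(a, b):
    return bytes(p ^ q for p, q in zip(a, b))


def flawed_sector_keystream(key, nonce, sector_index):
    """Hypothetical buggy usage: the block counter is derived from the sector index
    modulo PERIOD, so sectors i and i+PERIOD get identical keystream. The cipher is intact;
    the mistake is in how it is driven."""
    base = (sector_index % PERIOD) * BLOCKS_PER_SECTOR
    return b"".join(salsa20_block(key, nonce, base + j) for j in range(BLOCKS_PER_SECTOR))


def encrypt_disk(key, nonce, sectors):
    return [xor_bytes(s, flawed_sector_keystream(key, nonce, i)) for i, s in enumerate(sectors)]


def recover_disk(encrypted, known_plaintext):
    """Known-plaintext recovery. known_plaintext maps sector index -> expected plaintext
    (e.g. a sector of an OS file whose contents are identical on every machine).
    Returns {sector_index: plaintext} for every sector whose keystream class is covered.
    Consistency heuristic: two known sectors in the same class must yield the same
    keystream; if they do not, at least one plaintext guess is wrong."""
    keystreams = {}
    for idx, pt in known_plaintext.items():
        ks = xor_bytes(encrypted[idx], pt)
        cls = idx % PERIOD
        if cls in keystreams and keystreams[cls] != ks:
            raise ValueError("inconsistent known plaintext for sector %d" % idx)
        keystreams[cls] = ks
    return {i: xor_bytes(ct, keystreams[i % PERIOD])
            for i, ct in enumerate(encrypted) if i % PERIOD in keystreams}


def _constructed_disk():
    # constructed 12-sector disk; sectors 0-2 stand in for OS files with known content
    return [(b"OSFILE%02d" % i).ljust(SECTOR_SIZE, bytes([i])) for i in range(12)]


def demo():
    key = bytes(range(32))   # constructed key, unknown to the victim in practice
    nonce = b"\x11" * 8      # constructed nonce
    plain = _constructed_disk()
    enc = encrypt_disk(key, nonce, plain)
    known = {i: plain[i] for i in (0, 1, 2)}   # what the analyst can predict
    recovered = recover_disk(enc, known)
    return {
        "total_sectors": len(plain),
        "recovered_sectors": len(recovered),
        "unrecovered": [i for i in range(len(plain)) if i not in recovered],
        "all_correct": all(recovered[i] == plain[i] for i in recovered),
    }


def wrong_guess_detected():
    """A wrong plaintext guess for sector 4 (same class as sector 0) trips the consistency check."""
    plain = _constructed_disk()
    enc = encrypt_disk(bytes(range(32)), b"\x11" * 8, plain)
    try:
        recover_disk(enc, {0: plain[0], 4: b"\xff" * SECTOR_SIZE})
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(demo())
    print("wrong guess detected:", wrong_guess_detected())
```

With known plaintext for three of the four keystream classes, nine of twelve sectors come back; the class with no known sector stays encrypted, which is the "completeness depends on many factors" caveat in miniature. On a real disk the class structure comes from reversing the malware's counter handling, and the known sectors come from reference copies of OS and application files.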

Details of the method are available on the Positive Technologies blog.

NotPetya, also known under names including Petya, Petya.A, and ExPetr, began to spread on 27 June. Analysis and recommendations for handling NotPetya can be found on the Positive Technologies site.