‘GoldenEye’ Movie Quote Leads to Decryption Key for Petya Ransomware

- July 12, 2017

A researcher and programmer writing as a guest author for the Malwarebytes blog explained how she obtained the decryption key for the original Petya ransomware.

The original author of Petya, a hacker known by the Twitter handle @JanusSecretary, tweeted a quote from the 1995 Bond film GoldenEye, “They’re right in front of you and can open very large doors,” along with a link to a file shared on Mega. He also tagged @MalwareTechBlog and @Hasherezade, the researcher who wrote the article.

The @JanusSecretary Twitter account uses the character Boris Grishenko, played by actor Alan Cumming, as an avatar. Boris Grishenko’s character is described as “a computer geek who started out as a programmer in the Soviet space weapons division,” but ends up working for the Janus crime syndicate.

The quoted line is spoken by Grishenko when he gives another character a hint to a password; the answer is “knockers.”

Predictably, the Mega link that Hasherezade opened led to an encrypted file. Decrypting it with the password from the movie, she obtained a plaintext “secp192k1” elliptic curve key, which is purported to be the private key used for all previous Petya versions.

Hasherezade notes that the early versions of Petya were cracked and decryption methods were released, but because of improvements to the ransomware over time, cracking it is no longer possible. The published key also does not help with decrypting the current version, EternalPetya/NotPetya.

However, the key is still very relevant because “thanks to the currently published master key, all the people who have preserved the images of the disks encrypted by the relevant versions of Petya, may get a chance of getting their data back.”