The author of the original Petya ransomware — a person/group going by the name of Janus Cybercrime Solutions — has released the master decryption key of all past Petya versions.

This key can decrypt every ransomware strain in the Petya family except NotPetya, which isn't the work of Janus. The list includes:

First Petya ransomware version (flashed white skull on red background during boot-up screens)
Second Petya version that also included Mischa ransomware (flashed green skull on black background during boot-up screens)
Third Petya version, also known as GoldenEye ransomware (flashed yellow skull on black background during boot-up screens)

Authenticity of Petya decryption key confirmed

Janus released the master key on Wednesday in a tweet that linked to an encrypted and password-protected file uploaded on

Malwarebytes security researcher Hasherezade cracked the file yesterday and shared its content:

Here is our secp192k1 privkey:
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the "Personal Code" which is BASE58 encoded.

Kaspersky Lab security researcher Anton Ivanov tested and confirmed the master key's validity.

This key is the private (server-side) key used during the encryption of past Petya versions. Decrypters can be built that incorporate this key. In the past, security researchers have cracked Petya encryption on at least two occasions [1, 2], but with the private key in the open, decrypters will recover files much faster than the previously known methods.

Unfortunately, this decryption key won't be as useful as many people think.

Most (original) Petya campaigns happened in 2016, and very few campaigns have been active this year. Users that had their files locked have wiped drives or paid the ransom many months before. The key will only help those victims who cloned their drives and saved a copy of the encrypted data.

Decryption key is useless for NotPetya victims

This key won't help NotPetya victims because the NotPetya ransomware was created by "pirating" the original Petya ransomware and modifying its behavior by a process called patching. NotPetya used a different encryption routine and was proven to have no connection to the original Petya.

In 2016, Janus had been very active on Twitter while promoting a Ransomware-as-a-Service (RaaS) portal where other crooks could rent access to the Petya+Mischa ransomware combo. Janus became active again in 2017, after a long period of silence, just to deny any involvement with the NotPetya outbreak.

Hasherezade believes that Janus released Petya's decryption key as a result of the recent NotPetya outbreak, and he might have decided to shut down his operation.

Janus is not the first ransomware author/group who released his master decryption key. The TeslaCrypt group did the same in the spring of 2016. Last year, Janus also hacked the servers of a rival ransomware author — Chimera ransomware — and dumped his decryption keys.