{
	"id": "893f83b3-e94d-4976-8bf0-0d5eab442f8f",
	"created_at": "2026-04-06T00:10:09.346017Z",
	"updated_at": "2026-04-10T03:19:58.153564Z",
	"deleted_at": null,
	"sha1_hash": "ab31672aa890923f173bea949bdadd7de2ec4ce8",
	"title": "Bye, bye Petya! Decryptor for old versions released. | Malwarebytes Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 210921,
	"plain_text": "Bye, bye Petya! Decryptor for old versions released. |\r\nMalwarebytes Labs\r\nBy Malwarebytes Labs\r\nPublished: 2017-07-23 · Archived: 2026-04-05 16:02:39 UTC\r\nFollowing the outbreak of the Petya-based malware in Ukraine, the author of the original version, Janus, decided\r\nto release his master key, probably closing the project. You can read the full story here.\r\nBased on the released key, we prepared a decryptor that is capable of unlocking all the legitimate versions of Petya\r\n(read more about identifying Petyas):\r\nRed Petya\r\nGreen Petya (both versions) + Mischa\r\nGoldeneye (bootlocker + files)\r\nIf you have a backup of a Petya-encrypted disk, this is the time to take it off the shelf and kiss your\r\nPetya goodbye 😉\r\nWARNING: During our tests we found that in some cases Petya may hang during decryption, or cause some other\r\nproblems potentially damaging to your data. That’s why, before any decryption attempts, we recommend that you\r\nmake an additional backup.\r\n// Special thanks to @Th3PeKo, @vallejocc and Michael Meyer for all the help in testing!\r\nVariants of the attack\r\nAs we know, depending on the version, Petya may attack your data in two ways:\r\n1 – at a low level, encrypting your Master File Table. For example:\r\nhttps://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/\r\nPage 1 of 8\n\n2 – at a high level, encrypting your files one by one (like a typical ransomware). For example:\r\nFortunately, the released key allows for recovery in both cases. However, the process of decryption will look a bit\r\ndifferent.\r\nDecryptors\r\nWe prepared two different builds of the recovery tool, to support specific needs:\r\n1. a Live CD\r\n2. a Windows executable\r\nIn both cases, the tool decrypts the individual key from the victim ID.\r\nAfter obtaining the key, you can use the original decryptors in order to recover your files. 
You can find the links\r\nhere:\r\nFor Mischa: https://drive.google.com/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE\r\nFor Goldeneye: https://drive.google.com/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg\r\nDISCLAIMER: Those tools are provided as is and you are using them at your own risk. We are not\r\nresponsible for any damage or lost data.\r\nDefeating the bootlocker\r\nIn both cases, you can obtain the key to your Petya by using a Windows Executable and supplying it with your victim\r\nID. Detailed instructions have been given here and on the video below:\r\nHowever, victim IDs are very long, and retyping them may be painful and prone to mistakes. That’s why we\r\nprepared an alternative: a LiveCD that will automatically read it from the encrypted disk. In order to use it, you\r\nneed to download the ISO and boot your infected machine from it. Then, follow the displayed instructions:\r\nAfter obtaining the key, you can use it to decrypt your Master File Table:\r\nDecrypting files\r\nIf your files have been encrypted, i.e. by Goldeneye or Mischa, you can use the key decryptor released in\r\nthe form of a Windows executable.\r\n1. Find your victim ID (“personal decryption code”). It will be in your ransom note:\r\nIf you don’t have the note, you can find the ID appended at the end of any of your encrypted files:\r\n2. Save the ID in a file:\r\n3. Use our tool to decrypt your key:\r\n4. Copy the obtained key. 
Download the original decryptor, appropriate for your version:\r\nFor Mischa: https://drive.google.com/open?id=0Bzb5kQFOXkiSWUZ6dndxZkN1YlE\r\nFor Goldeneye: https://drive.google.com/open?id=0Bzb5kQFOXkiSdTZkUUYxZ0xEeDg\r\nChoose one of your encrypted files:\r\nSupply the key obtained from the key decoder:\r\nDecrypt the file and check if the output is valid. If everything is fine, you can use the same key to decrypt the rest of\r\nyour files. Supply the extension to the decryptor, and it will find them automatically:\r\nConclusion\r\nThe presented tools allow you to unlock all the legitimate versions of Petya that have been released up to now by Janus\r\nCybercrime Solutions. It cannot help the victims of pirated Petyas, like PetrWrap or EternalPetya (aka NotPetya).\r\nIt matches the announcement made by Janus on Twitter:\r\nIs it the end of Petya’s story? Probably yes; however, the future will tell.\r\nThis was a guest post written by Hasherezade, an independent researcher and programmer with a strong interest\r\nin InfoSec. She loves going into detail about malware and sharing threat information with the community. Check\r\nher out on Twitter @hasherezade and her personal blog: https://hshrzd.wordpress.com.\r\nSource: https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.malwarebytes.com/malwarebytes-news/2017/07/bye-bye-petya-decryptor-old-versions-released/"
	],
	"report_names": [
		"bye-bye-petya-decryptor-old-versions-released"
	],
	"threat_actors": [],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775791198,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/ab31672aa890923f173bea949bdadd7de2ec4ce8.pdf",
		"text": "https://archive.orkl.eu/ab31672aa890923f173bea949bdadd7de2ec4ce8.txt",
		"img": "https://archive.orkl.eu/ab31672aa890923f173bea949bdadd7de2ec4ce8.jpg"
	}
}