According to security researchers, the original author of Petya, known as Janus, was not involved in the latest attacks on Ukraine. In fact, it was found that the original malware was pirated and extended by an unknown actor. As a result of the recent events, Janus decided to shut down the Petya project. Like the authors of TeslaCrypt, he released his private key, allowing all the victims of the previous Petya attacks to get their files back. Janus made a public announcement on Twitter, and the message contained a link to the file in which the decryption keys were saved. However, this key cannot help in the case of the new Petya variant that made the headlines at the end of June 2017, since in this particular case the Salsa keys are not encrypted with Janus’ public key, but are instead erased and lost forever. The released decryption keys can therefore only help the people who were attacked by Petya/Goldeneye in the past.
Mauritian Computer Emergency Response Team (CERT-MU)
National Computer Board
7th Floor, Stratton Court
La Poudriere Street