Authenticity of Petya decryption key confirmed

The author of the original Petya ransomware going by the name of Janus Cybercrime Solutions, has released the master decryption key of all past Petya versions.

This key can decrypt all ransomware families part of the Petya family except NotPetya, which isn’t the work of Janus.

Janus released the master key on Wednesday in a tweet that linked to an encrypted and password-protected file uploaded on

Malwarebytes security researcher Hasherezade cracked the file yesterday and shared its content:

Here is our secp192k1 privkey:
We used ECIES (with AES-256-ECB) Scheme to encrypt the decryption password into the “Personal Code” which is BASE58 encoded.

The key is tested and confirmed by Kaspersky Lab.

Protect Yourself Against Petya Ransomware

The malware requires administrator rights to the local computer. Standard users should not have this in permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a Standard User Account for day-to-day operations.

Access Director can help you by removing permanent local admins.

Recommendations for Enterprises

  • Deploy the latest Microsoft patches, including MS17-010 which patches the SMB vulnerability.
  • Consider disabling SMBv1 to prevent spreading of malware.
  • Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
  • Ensure you have the latest updates installed for your anti-virus software.
  • Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share
  • Prevent users from writing data outside of designated areas on the local hard disk to prevent data loss if attack occurs.
  • Operate a least privileged access model with employees. Restrict who has local administration access.

Petya does not encrypt files. it encrypts the Master File Table, which is the index of where all the files are stored on a hard disk drive.

“Petya uses the NSA Eternalblue exploit but also spreads in internal networks with WMIC and PSEXEC. That’s why patched systems can get hit.”
Mikko Hypponen confirms, Chief Research Officer at F-Secure.

PT Security, a UK-based cyber security company and Amit Serper from Cybereason, have discovered a Kill-Switch for Petya ransomware. According to a tweet, company has advised users to create a file i.e. “C:\Windows\perfc” to prevent ransomware infection.


Multiple subdomains with LetsEncrypt? YES!

Need to add multiple subdomains with LetsEncrypt?
maybe Certificate for WWW and non-WWW?

do a dry run, to test it

./certbot-auto certonly -d -d -d -d -d –dry-run

I tested it with apache2 works great!

Unified Extensible Firmware Interface (UEFI)

Unified Extensible Firmware Interface

For many years BIOS has been the industry standard for booting a PC. BIOS has served us well, but it is time to replace it with something better. UEFI is the replacement for BIOS, so it is important to understand the differences between BIOS and UEFI. In this section, you learn the major differences between the two and how they affect operating system deployment.

Introduction to UEFI

BIOS has been in use for approximately 30 years. Even though it clearly has proven to work, it has some limitations, including:

  • 16-bit code
  • 1 MB address space
  • Poor performance on ROM initialization
  • MBR maximum bootable disk size of 2.2 TB

As the replacement to BIOS, UEFI has many features that Windows can and will use.

With UEFI, you can benefit from:

  • Support for large disks. UEFI requires a GUID Partition Table (GPT) based disk, which means a limitation of roughly 16.8 million TB in disk size and more than 100 primary disks.
  • Faster boot time. UEFI does not use INT 13, and that improves boot time, especially when it comes to resuming from hibernate.
  • Multicast deployment. UEFI firmware can use multicast directly when it boots up. In WDS, MDT, and Configuration Manager scenarios, you need to first boot up a normal Windows PE in unicast and then switch into multicast. With UEFI, you can run multicast from the start.
  • Compatibility with earlier BIOS. Most of the UEFI implementations include a compatibility support module (CSM) that emulates BIOS.
  • CPU-independent architecture. Even if BIOS can run both 32- and 64-bit versions of firmware, all firmware device drivers on BIOS systems must also be 16-bit, and this affects performance. One of the reasons is the limitation in addressable memory, which is only 64 KB with BIOS.
  • CPU-independent drivers. On BIOS systems, PCI add-on cards must include a ROM that contains a separate driver for all supported CPU architectures. That is not needed for UEFI because UEFI has the ability to use EFI Byte Code (EBC) images, which allow for a processor-independent device driver environment.
  • Flexible pre-operating system environment. UEFI can perform many functions for you. You just need an UEFI application, and you can perform diagnostics and automatic repairs, and call home to report errors.
  • Secure boot. Windows 8 and later can use the UEFI firmware validation process, called secure boot, which is defined in UEFI 2.3.1. Using this process, you can ensure that UEFI launches only a verified operating system loader and that malware cannot switch the boot loader.


UEFI Version 2.3.1B is the version required for Windows 8 and later logo compliance. Later versions have been released to address issues; a small number of machines may need to upgrade their firmware to fully support the UEFI implementation in Windows 8 and later.

Hardware support for UEFI

In regard to UEFI, hardware is divided into four device classes:

  • Class 0 devices. This is the UEFI definition for a BIOS, or non-UEFI, device.
  • Class 1 devices. These devices behave like a standard BIOS machine, but they run EFI internally. They should be treated as normal BIOS-based machines. Class 1 devices use a CSM to emulate BIOS. These older devices are no longer manufactured.
  • Class 2 devices. These devices have the capability to behave as a BIOS- or a UEFI-based machine, and the boot process or the configuration in the firmware/BIOS determines the mode. Class 2 devices use a CSM to emulate BIOS. These are the most common type of devices currently available.
  • Class 3 devices. These are UEFI-only devices, which means you must run an operating system that supports only UEFI. Those operating systems include Windows 8, Windows 8.1, Windows Server 2012, and Windows Server 2012 R2. Windows 7 is not supported on these class 3 devices. Class 3 devices do not have a CSM to emulate BIOS.

Windows support for UEFI

Microsoft started with support for EFI 1.10 on servers and then added support for UEFI on both clients and servers.

With UEFI 2.3.1, there are both x86 and x64 versions of UEFI. Windows 10 supports both. However, UEFI does not support cross-platform boot. This means that a computer that has UEFI x64 can run only a 64-bit operating system, and a computer that has UEFI x86 can run only a 32-bit operating system.

How UEFI is changing operating system deployment

There are many things that affect operating system deployment as soon as you run on UEFI/EFI-based hardware. Here are considerations to keep in mind when working with UEFI devices:

  • Switching from BIOS to UEFI in the hardware is easy, but you also need to reinstall the operating system because you need to switch from MBR/NTFS to GPT/FAT32 and NTFS.
  • When you deploy to a Class 2 device, make sure the boot option you select matches the setting you want to have. It is common for old machines to have several boot options for BIOS but only a few for UEFI, or vice versa.
  • When deploying from media, remember the media has to be FAT32 for UEFI, and FAT32 has a file-size limitation of 4GB.
  • UEFI does not support cross-platform booting; therefore, you need to have the correct boot media (32- or 64-bit).

Synology NAS Recovery password (telnet)

Synology’s “secret” telnet password….

If you ever had to recover a Synology nas box in recovery-mode, pre DiskStation installation or after a failed DiskStation install….. Then you would need the “secret” telnet password for admin (or in some cases root)

In case you don’t want to contact Synology here is how it’s generated

  • 1st character = month in hexadecimal, lower case (1=Jan, … , a=Oct, b=Nov, c=Dec)
  • 2-3 = month in decimal, zero padded and starting in 1 (01, 02, 03, …, 11, 12)
  • 4 = dash
  • 5-6 = day of the month in hex (01, 02 .., 0A, .., 1F)
  • 7-8 = greatest common divisor between month and day, zero padded. This is always a number between 01 and 12.

So, let’s say today is October 15, the password would be: a10-0f05 (a = month in hex, 10 = month in dec, 0f = day in hex, 05 = greatest divisor between 10 and 15).

In some cases the clock is also set to factory default… then try the password: 101-0101

Based on the original correct_password.c source,here is a short snippet to generate the daily password.


#include <stdlib.h> 
#include <time.h> 
#include <stdio.h> 

void main()
    struct timeval tvTime;
    struct tm tmOutput;

    gettimeofday(&tvTime, 0);
    localtime_r(&(tvTime.tv_sec), &tmOutput);

    tmOutput.tm_mon += 1;
    printf("password for today is: %x%02d-%02x%02d\n\n",
        tmOutput.tm_mon, tmOutput.tm_mon, tmOutput.tm_mday,
        gcd(tmOutput.tm_mon, tmOutput.tm_mday));

int gcd(int a, int b)
    return (b?gcd(b,a%b):a);


Access Director 3.0 Released

The future of Windows is coming on July 29

To make your next Windows experience even better – We have just released the next version of Access Director.                                                                                               Using Access Director you will be able to secure your desktop, simple and easy!

– Run your desktop in a non-elevated user context
– Elevate only needed applications with a single click
– Elevate in your current user-context without affecting other unsecured applications like IE or Office

What’s in Access Director 3.0 ?

– Updates to support the next Windows experience (10)
– Support for integration modules
– Minor bug fixes

Get it from the Download Center

Direct Download Link

Poweshell under the security context of another user (RunAs)

Recently i needed to run some powershell scripts under multiple security context’s – the main reason for this was my client’s strict delegation model.

We ended up with multiple service account with rights only to the needed systems (Its not such a bad thing!)

The result was this powershell script to change security context

$SPAccountName = “<username>”;
$AccountPassword = “<password>”;
$AccountPasswordAsSecureString = $AccountPassword | ConvertTo-SecureString -Force -AsPlainText
$credential = New-Object System.Management.Automation.PsCredential(“$env:userdomain\$SPAccountName”,$AccountPasswordAsSecureString)
$SvcAccSession = New-PSSession -Credential $credential;
Invoke-Command -Session $SvcAccSession -Script { Import-Module ActiveDirectory }
Invoke-Command -Session $SvcAccSession -Script { Get-AdGroupMember “Some-group”}

In the above example we just get the member of some application group – but really, you can do whatever you like.

If you need it to query a specific server you can use -Computername <servername> right after New-PSSession.

This method also came in rather handy when running service-side powershell execution invoked by a webservice.. but more on that later


Access Director released!

It’s been some time since our last update, but here we go again

Access Director has been updated and released

This is a major upgrade, all previous versions should be uninstalled prior to installing the new versions

Short list of changes

  • Its now possbile to use localized balloon notification (or your own)
  • Language default is en-us
    • valid values are auto, or specific lananuge files e.g. de-de.lng (must reside in existing languages folder)
  • Localized menu options (remember du save lng files as unicode)
  • Registry modifications now resides in HKLMSoftwareNoLightPeopleAccess Director
  • as per request the MSI, and application itself is now signed
  • Removed the need for any registry keys needed for the service to start (will run with default values if no other is present
  • Updated Policy Prefences template included in zip file

Direct Download Link:

let me know of bugs and feature requests 🙂 @MarcussenThomas



Admin Rights: The Root Of Many Vulnerabilities

A recent survey conducted by BeyondTrust (, a developer and marketer of least privilege management software, reveals that 92% of critical vulnerabilities reported by Microsoft could have been prevented simply by removing administrator rights from Windows users. Also, the survey points out, removing administrator rights helps companies protect themselves and their computers against 94% of Microsoft Office, 89% of Microsoft Internet Explorer, and 53% of Windows vulnerabilities. Given the prevalence of Microsoft software in today’s corporate environment, these numbers should give any administrator pause.

Get a head start removing Admin Rights – by using Access Director from Curago – its FREE

ATEA Essentials – AdminAccess

Allowing a known user to elevate specific applications or tasks on demand

In the video we are logged on a workstation with the TestUser
TestUser is not member of the Local Administrators group
TestUser is member of the custom created local group AdminAccess

When requesting local administrators access using the tray icon, it will verify that we are a know user that is a member of the local group AdminAccess. If we are member of the local group we will be elevated for a predefined number of minutes (2 minutes in the example)

When elevated, we can click on any application and RunAs Administrator – we will as always be prompted for our logged on credentials, but this time the application is running with local administration privileges.

When the timer hits 2 minutes, our administration privileges are expired.

This will make it possbile ONLY to elevated, when needed and not having to load the full profile with administrative privileges

The tray icon does not require addtional rights to run
A local system service will handle all requests
All options are configurable through gpo and/or registry