Prevention Guide for Petya Ransomware

 

 

While analyzing the ransomware's inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.

The researcher's initial findings have been later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.

This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.

While this does prevent the ransomware from running, this method is more of a vaccination than a kill switch. This is because each computer user must independently create this file, compared to a "switch" that the ransomware developer could turn on to globally prevent all ransomware infections.

How to Enable the NotPetya/Petna/Petya Vaccine

To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only.  For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.

Please note that he batch file will also create two addition vaccination files called perfc.dat and perfc.dll. While my tests did not indicate that these additional files are needed, I added them for thoroughness based on the replies to this tweet.

This batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat

For those who wish to vaccinate their computer manually, you can do so using the following steps. Please note that these steps are being created to make it as easy as possible for those with little computer experience. For those who have greater experience, you can do it in quite a few, and probably better, ways.

First, configure Windows to show file extensions. For those who do not know how to do this, you can use this guide. Just make sure the Folder Options setting for Hide extensions for known file types is unchecked like below.

Once you have enabled the viewing of extensions, which you should always have enabled, open up the C:\Windows folder. Once the folder is open, scroll down till you see the notepad.exe program

 

Once you see the notepad.exe program, left-click on it once so it is highlighted. Then press the Ctrl+C  to copy and then Ctrl+V  to paste it. When you paste it, you will receive a prompt asking you to grant permission to copy the file.

 

Press the Continue button and the file will be created as notepad - Copy.exe. Left click on this file and press the F2 key on your keyboard and now erase the notepad - Copy.exe file name and type perfc as shown below.

 

Once the filename has been changed to perfc, press Enter on your keyboard. You will now receive a prompt asking if you are sure you wish to rename it.

Click on the Yes button. Windows will once again ask for permission to rename a file in that folder. Click on the Continue button.

Now that the perfc file has been created, we now need to make it read only. To do that, right-click on the file and select Properties as shown below.

The properties menu for this file will now open. At the bottom will be a checkbox labeled Read-only. Put a checkmark in it as shown in the image below.

 

Now click on the Apply button and then the OK button. The properties Window should now close. While in my tests, the C:\windows\perfc file is all I needed to vaccinate my computer, it has also been suggested that you create C:\Windows\perfc.dat and C:\Windows\perfc.dll to be thorough. You can redo these steps for those vaccination files as well.

Your computer should now be vaccinated against the NotPetya/SortaPetya/Petya Ransomware.

Additional reporting by Lawrence Abrams.

 

 

 

Comments

Post a Comment

Popular posts from this blog

How to install XIbo?

Image
How to install Xibo on Windows 10 64 bit What is Xibo? XIbo is open source signage software, Xibo Digital Signage is a low-cost, high performance solution to launch your business, workplace or organisation into the future. Xibo doesn’t just replicate print media, but actively increases engagement allowing you to deliver your message more effectively than ever before What is  Digital signage?  Digital signage is a sub-segment of electronic signage. Digital displays use technologies such as LCD, LED, projection and e-paper to display digital images, video, web pages, weather data, restaurant menus, or text.  Wikipedia How to install Xibo on Windows 10. It is very easy to install the Xibo on windows 10 x64 bit os with docker. Below is the step to install the Xibo. ð   Step 1.   Download the docker for windows 10 x64,  Link to download Docker ð   Step 2. Install the Docker. Double-click  Docker for Windows Installer  to run the installer
Read more

How to install - Snipe-IT, Free IT Asset manager software

Image
 Snipe-IT, IT Free Asset manager Software. S nipe-IT was made for IT asset management, to enable IT departments to track who has which laptop, when it was purchased, which software licenses and accessories. Pre-requisite 1) Wamp Webserver - Download Link 2)  composer  - Download Link Step 1.  Install Composer 2) Install Wamp  create database snipeit; show databases; Create user snipe_user; grant all on snipeit.* to 'snipe_user' @ 'localhost' identified by 'password123' ; Extract and configure Snipe-IT and run composer https://snipeitapp.com/download Download and exact Snipe-IT to c:\wamp\www\snipe-it. Edit  .env.example See the  Configuration  options for more information on how to configure your Snipe-IT installation. Save your edited  env.example  as  .env Open command prompt then change directory to  c:\wamp\www\snipe-it\ . Then ru
Read more

Get information about SSL protocols

Image
  Get the information about the SSL version using and strength by utilizting the SSL Disagnos SSL Diagnos is used to test SSL strength; Get information about SSL protocols (pct, ssl2, ssl3, tls, dtls) and cipher suites. It can also be used for testing and rating ciphers on SSL clients. It has also specific support for pop3s, sip, smtp and explicit ftps. Tests for heartbleed (including dtls). Furthermore a separate tool, SSLPressure, not using openssl can be used to check the whole spectrum of possible SSL protocols on a server. Can also be used for testing ssl for mssql-servers (was added since nessus did not support this) and contains mitm poc for stripping ssl from mssql-connections. Features SSL scanner including rating of SSL cipher suite strength for server and clients Test SSL strength in for example https, smtp, sip, pop3s, ftps Can be used for OWASP-CM-001 Uses OpenSSL to test ssl2, ssl3, tls, dtls, explicit ftps Tests renegotiation and availability
Read more