Researchers Found a Vaccine for Petya/NotPetya Ransomware
Lately, the news feed is crawling with ransomware attacks that get bolder every day. In today’s world, these attacks have evolved beyond infecting personal computers and now target governments, official institutions and even businesses.
The latest event happened in Ukraine, where a new ransomware called NotPetya put everyone on hold. This is a new strain that uses some parts of the old Petya (launched in 2016) and targets computers running Microsoft Windows. The ransomware locks the MFT and MBR sections of a hard drive and prevents the operating system from booting. In typical ransomware form, the infected user is prompted to pay a ransom in bitcoins to get their computer back. However, the email address to send the payment to has been shut down, so it’s impossible to pay to get your computer back. If you’re infected, you have lost that computer with its data. It will also spread throughout your network, so make sure you disconnect any infected computers from the network straight away.
As you can see, the effect is simple and straightforward. But, can you imagine what this would do to your business? Not being able to access important data for your company and not being able to communicate with your customers?
It can be stopped and it’s not difficult
The first reaction in the cyber security community was to analyze the virus and look for loopholes or weaknesses to create a killswitch. However, during the analysis, a researcher from Cybereason security actually managed to create a vaccine that will protect any computer from being infected with a version of the Petya ransomware.
In order to apply this vaccine, every individual user has to create a certain file on their computer and set it to read-only. This way, NotPetya will be blocked from executing and the computer won’t get infected. However, this will only work if every user is updated and follows the instructions. Otherwise, important computers may still remain unprotected.
How to vaccinate your computer: Step-by-Step instructions
A trusted internet computer information company called Bleeping Computer has created the following instructions, which we have tested and confirmed work correctly. The original guide can be found here
First, configure Windows to show file extensions. For those who do not know how to do this, you can use this guide. Just make sure the Folder Options setting for Hide extensions for known file types is unchecked like below.
Once you have enabled the viewing of extensions, which you should always have enabled, open up the C:\Windows folder. Once the folder is open, scroll down till you see the notepad.exe program.
Once you see the notepad.exe program, left-click on it once so it is highlighted. Then press Ctrl+C to copy and then Ctrl+V to paste it. When you paste it, you will receive a prompt asking you to grant permission to copy the file.
Press the Continue button and the file will be created as notepad – Copy.exe. Left click on this file and press the F2 key on your keyboard and now erase the notepad – Copy.exe file name and type perfc as shown below.
Once the filename has been changed to perfc, press Enter on your keyboard. You will now receive a prompt asking if you are sure you wish to rename it.
Click on the Yes button. Windows will once again ask for permission to rename a file in that folder. Click on the Continue button.
Now that the perfc file has been created, we now need to make it read only. To do that, right-click on the file and select Properties.
The properties menu for this file will now open. At the bottom will be a checkbox labeled Read-only. Put a checkmark in it as shown in the image below.
Now click on the Apply button and then the OK button. The properties Window should now close. While in my tests, the C:\windows\perfc file is all I needed to vaccinate my computer, it has also been suggested that you create C:\Windows\perfc.dat and C:\Windows\perfc.dll to be thorough. You can redo these steps for those vaccination files as well.
Your computer should now be vaccinated against the NotPetya/SortaPetya/Petya Ransomware.
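The manual steps above can also be scripted. The following PowerShell is an added example, not part of the original guide or of Bleeping Computer's instructions; the function name `Set-VaccineFile` is hypothetical, and it assumes PowerShell 3.0 or later run from an elevated prompt. It copies notepad.exe to the three file names mentioned above, marks each copy read-only, and reports the result so you can confirm the attribute was applied.

```powershell
# Added example: scripted form of the manual steps above (not from the original guide).
# Run from an elevated PowerShell 3.0+ prompt.

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
$adminRole = [Security.Principal.WindowsBuiltInRole]::Administrator
if (-not $principal.IsInRole($adminRole)) {
    throw 'Writing to the Windows folder requires an elevated prompt.'
}

$windowsDir = $env:SystemRoot                       # normally C:\Windows
$source     = Join-Path $windowsDir 'notepad.exe'   # same file the manual steps copy
$names      = 'perfc', 'perfc.dat', 'perfc.dll'     # file names given in the article

function Set-VaccineFile {
    param([string]$Path, [string]$Source)

    $status = 'Created'
    if (Test-Path -LiteralPath $Path -PathType Container) {
        throw "$Path is a folder, not a file; fix this by hand."
    }
    if (Test-Path -LiteralPath $Path -PathType Leaf) {
        # Never overwrite. Re-runs land here; a file you did not create deserves a look.
        $status = 'AlreadyPresent'
    } else {
        Copy-Item -LiteralPath $Source -Destination $Path -ErrorAction Stop
    }

    # Equivalent of ticking the Read-only box in the Properties dialog.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true -ErrorAction Stop

    $item = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Path     = $item.FullName
        Status   = $status
        ReadOnly = $item.IsReadOnly
    }
}

$results = foreach ($name in $names) {
    Set-VaccineFile -Path (Join-Path $windowsDir $name) -Source $source
}
$results | Format-Table -AutoSize

if ($results | Where-Object { -not $_.ReadOnly }) {
    Write-Warning 'At least one vaccine file is not read-only; recheck its attributes.'
}
```

A status of AlreadyPresent on a machine where you have never applied the vaccine means the file was not created by you and should be inspected before you rely on it.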
Onsite Helper is protecting your Business
As always, we are here for our clients and our team is prepared to help you in case your business is threatened. Even more, we are a step ahead of you: our VIP managed service clients have all had this vaccine automatically pushed out to all computers and servers. So, if you are one of our VIP businesses, you don’t need to worry about this.
Sadly, we can’t cover clients that don’t use our VIP managed services. Since our monitoring and security software is not installed on your machines, we don’t have the necessary access to push this vaccine automatically. This means that you will have to install this vaccine manually. Or, better yet, give us a call and we’ll do it for you!
In the end, we strongly recommend that all our customers consider using our VIP managed services. As you can see, we can protect you and your business from a wide range of attacks (present or future). You should also be aware of the fact that no antivirus software is effective against such threats, which is why you should have a layered security approach that we can recommend.
To learn more about how to protect your business from these attacks in future, please read: //www.onsitehelper.com/blog/protect-business-worldwide-ransomware-attack-wannacry/
Disclaimer: Please note that this vaccine only protects against the current Petya (NotPetya/SortaPetya/Petna) ransomware. Future variations of Petya may not be blocked by this patch, and it won’t protect against the thousands of other ransomware and malware families either.