Shortly after security experts activated a kill switch for the WannaCry attack, a vaccine has now been found that prevents the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers. It was discovered by Cybereason security researcher Amit Serper. The ransomware has created chaos in companies and firms across the globe today, encrypting the hard drive's Master File Table (MFT) and overwriting the Master Boot Record (MBR) so that infected computers can no longer boot. CISOs of infected companies are scrambling to contain the crisis. Short of paying the ransom (which is now pointless and not recommended), there is currently no way to recover the files or regain access to affected systems. There may be a weakness in the encryption process that could be exploited to recover the files, if researchers manage to find one.
Why NotPetya?
Initially, this new ransomware was believed to be the latest version of an earlier threat called Petya. Researchers later discovered that it was a new strain altogether that merely borrowed some code from Petya, which is how the name "NotPetya" came about. It is also called "Petna" or "SortaPetya."
Vaccine for "NotPetya" (No Killswitch mechanism)
Researchers and security experts have been analysing the ransomware in depth, looking for a flaw in its encryption. Its massive global spread has motivated researchers to work together to find a kill-switch domain that could stop the outbreak, as happened with WannaCry. While analysing the ransomware's functionality and behaviour, Serper was the first to discover that NotPetya looks for a specific local file and exits its encryption routine if that file already exists on disk. His initial findings were later confirmed by other security researchers, including PT Security, TrustedSec, and Emsisoft. Note that the malware derives the file name it looks for from the name it was itself dropped under (perfc.dat in the samples analysed so far, hence perfc), so the vaccine only protects against samples distributed under that name. Potential victims can therefore do the following:
- Create a file on their PCs (more details below)
- Set it to read-only
- This will stop the NotPetya ransomware from running.
Why is the NotPetya prevention method called a vaccine?
While this does prevent the ransomware from running, the method is a vaccination rather than a kill switch, because the file has to be created separately on each computer. A kill switch, by contrast, can be activated once, globally, to stop all infections.
How to Enable the NotPetya/Petna/Petya Vaccine?
To vaccinate your computer, follow these steps:
- Create a file called perfc (no extension) in the C:\Windows folder
- Make it read-only.
The detailed steps are as follows:
- First, configure Windows to show file extensions. If you do not know how to do this, you can use this guide; just make sure that the Folder Options setting "Hide extensions for known file types" is unchecked, as shown below.
[Screenshot: Folder Options]
- Once you have enabled the display of extensions, open the C:\Windows folder.
- Scroll down until you see the notepad.exe program.
[Screenshot: Windows folder]
- Left-click notepad.exe once so that it is highlighted, then press Ctrl+C to copy it and Ctrl+V to paste it.
- After pasting, you will receive a prompt asking you to grant permission to copy the file.
[Screenshot: Grant permission]
- Press the Continue button and the copy will be created as notepad - Copy.exe.
- Left-click this file and press the F2 key on your keyboard.
- Erase the name notepad - Copy.exe and type perfc, as shown below.
[Screenshot: Rename file]
- When the name has been changed to perfc, press Enter.
- You will receive a prompt asking if you are sure you wish to rename the file (because it loses its .exe extension).
[Screenshot: Confirmation]
- Click the Yes button.
- Windows will once again ask for permission to rename a file in that folder. Click the Continue button.
- Your perfc file has now been created. Next it should be made read-only.
- Right-click the file and select Properties, as shown below.
[Screenshot: Properties]
- The Properties window for the file will open. At the bottom there is a checkbox labelled Read-only; click it so that it is checked.
[Screenshot: Read-only]
- Click the Apply button, then the OK button. The Properties window should close.
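The same local vaccination, scripted in PowerShell (an added example, not code from the original article): it creates the perfc file in %SystemRoot%, marks it read-only and then verifies the result. It goes slightly beyond the page's single perfc file by also creating perfc.dat and perfc.dll, which several researchers recommended because the dropper was distributed as perfc.dat; the file list is a parameter, so pass -Names perfc if you only want exactly what the article describes. It must be run from an elevated prompt, since writing to C:\Windows requires administrator rights.

```powershell
# Added example: vaccinate a single Windows host against NotPetya by creating
# the read-only marker file(s) it checks for before encrypting.
# Run from an elevated (Administrator) PowerShell session.

#Requires -RunAsAdministrator

function Install-NotPetyaVaccine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # File names the ransomware checks for in %SystemRoot%. 'perfc' is the
        # name from the article; '.dat' and '.dll' are extra names covering the
        # dropper's own file name (an assumption beyond the article).
        [string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll'),
        [string]$Directory = $env:SystemRoot
    )

    foreach ($name in $Names) {
        $path = Join-Path $Directory $name

        if (-not (Test-Path -LiteralPath $path)) {
            if ($PSCmdlet.ShouldProcess($path, 'Create vaccine file')) {
                # The content is only for later reference; the malware checks existence only.
                Set-Content -LiteralPath $path -Encoding ASCII `
                    -Value "NotPetya vaccine file, created $(Get-Date -Format o). Do not delete."
            }
        }

        # Read-only so a casual overwrite or delete fails; existence is what matters.
        if ($PSCmdlet.ShouldProcess($path, 'Set read-only attribute')) {
            Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
        }
    }
}

function Test-NotPetyaVaccine {
    param(
        [string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll'),
        [string]$Directory = $env:SystemRoot
    )
    foreach ($name in $Names) {
        $path = Join-Path $Directory $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path       = $path
            Exists     = ($null -ne $item)
            ReadOnly   = $(if ($item) { $item.IsReadOnly } else { $false })
            Vaccinated = ($null -ne $item) -and $item.IsReadOnly
        }
    }
}

Install-NotPetyaVaccine
Test-NotPetyaVaccine | Format-Table -AutoSize
```

Run it with -WhatIf on Install-NotPetyaVaccine first to see which files it would touch; an existing file is never overwritten, only flagged read-only.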
To deploy the vaccine across a domain with Group Policy:
- On a file share that domain computers (and domain controllers) have read access to, create a directory.
- In it, create a file named perfc (without any extension).
- Add some text to the file explaining what it is for (for clarity and later reference).
- Set the file's attribute to read-only.
- Create a new Group Policy Object linked to all the computers you want to deploy the vaccine file to.
- Edit the group policy and go to Computer Configuration -> Preferences -> Windows Settings -> Files.
- Right-click and select New -> File.
- In the Source file(s) field, enter the UNC path to the file you created earlier (no extension).
- In the Destination file field, enter C:\Windows\perfc (no extension).
- Under Attributes, select Read-only.
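Once the GPO has applied, you want to know which hosts actually received the file. The following PowerShell is an added example (not part of the original article) that queries every enabled computer in the domain over WinRM and reports which ones are missing a read-only C:\Windows\perfc, or could not be reached at all. It assumes the ActiveDirectory RSAT module is installed, that PowerShell Remoting is enabled on the targets, and that it is run with an account that is a local administrator on them; the search base and the list of file names are assumptions you should adjust.

```powershell
# Added example: audit which domain computers have the NotPetya vaccine file.
# Assumes the ActiveDirectory module (RSAT) and WinRM access to the targets.

Import-Module ActiveDirectory

function Get-NotPetyaVaccineStatus {
    param(
        # Assumption: search the whole domain; narrow with -SearchBase to one OU if needed.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        # 'perfc' is what the GPO above deploys; add 'perfc.dat','perfc.dll' if you deployed those too.
        [string[]]$Names = @('perfc'),
        [int]$ThrottleLimit = 32
    )

    $computers = Get-ADComputer -Filter 'Enabled -eq $true' -SearchBase $SearchBase |
        Select-Object -ExpandProperty DNSHostName

    # Runs on each target; returns one object per file name checked.
    $probe = {
        param([string[]]$Names)
        foreach ($n in $Names) {
            $p = Join-Path $env:SystemRoot $n
            $i = Get-Item -LiteralPath $p -ErrorAction SilentlyContinue
            [pscustomobject]@{
                File     = $p
                Exists   = ($null -ne $i)
                ReadOnly = $(if ($i) { $i.IsReadOnly } else { $false })
            }
        }
    }

    # (,$Names) passes the whole array as a single argument to the script block.
    $results = Invoke-Command -ComputerName $computers -ScriptBlock $probe `
        -ArgumentList (,$Names) -ThrottleLimit $ThrottleLimit `
        -ErrorAction SilentlyContinue -ErrorVariable unreachable

    foreach ($r in $results) {
        [pscustomobject]@{
            Computer   = $r.PSComputerName
            File       = $r.File
            Vaccinated = ($r.Exists -and $r.ReadOnly)
            Note       = $(if (-not $r.Exists) { 'file missing' }
                           elseif (-not $r.ReadOnly) { 'not read-only' }
                           else { 'ok' })
        }
    }

    # Hosts that could not be reached need manual follow-up: treat them as unvaccinated.
    foreach ($e in $unreachable) {
        [pscustomobject]@{
            Computer   = $e.TargetObject
            File       = $null
            Vaccinated = $false
            Note       = "unreachable: $($e.Exception.Message)"
        }
    }
}

Get-NotPetyaVaccineStatus |
    Sort-Object Vaccinated, Computer |
    Format-Table -AutoSize
```

Unvaccinated and unreachable hosts sort to the top of the table; pipe the output to Export-Csv if you need a record for the incident file.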