Researchers find Petya ransomware vaccine, but no kill switch
The Petya ransomware campaign is still running rampant across the globe, and researchers have yet to find a kill switch.
However, Cybereason security researcher Amit Serper may have found a vaccine for those computers not already infected with the virus. These initial findings were confirmed by Emsisoft, TrustedSec and PT Security.
[Also: Microsoft says hacked software updater source of global Petya ransomware attack]
Serper realized that when the malware is downloaded and executed onto a computer, it seeks out a specific local file. If found, the virus will exit and not encrypt the computer. So those who either haven’t or are unable to patch their systems can create a read-only file, which will block a potential Petya threat from executing.
To vaccinate a computer, the user needs to enable Windows extensions and open the C:\\Windows folder, according to security blog BleepingComputer. A separate tab will open the Notepad application, where the user will need to create a file called perfc or perfc.dat.
[Also: Nuance knocked offline by ransomware attacking Europe]
Once the file is created, the user needs to make the file ‘read-only.’ The user should then copy this file to the Windows folder.
It’s important to note this isn’t a kill switch for Petya, and at the time of publication, no researcher has found one. For now, this is merely a preventative measure. Since this vaccine is public, it’s likely the Petya hackers will modify the virus to go around it.
Patching vulnerabilities are always the best defense.
Further, those who have already been infected will unlikely be able to retrieve the files from the hackers, as the email address associated with the ransomware was shut down by German email company Peteo.
At the moment, about 64 countries have been hit, including bio pharma giant Merck and major voice and language tool provider Nuance were hit in the U.S., as well as a health system in Pennsylvania. The attack is on pace to be just as large as May’s WannaCry attack.
Twitter: @JessieFDavis
Email the writer: jessica.davis@himssmedia.com
