Friday, 30 June 2017

'Kill switch\vaccine' for latest Petya\NotPetya ransomware found

A report on Bleeping Computer says that a way to prevent infection by the latest NotPetya ransomware is to create a read-only file at C:\Windows\perfc.

You can do this by downloading and running this file as Administrator.

I have no idea if it works, but if your organisation has un-updated/unpatched systems, this could be useful to prevent your disk from being encrypted.

As I suspected, virus developers will build in some sort of 'kill switch' to prevent their own systems from getting infected, as with WannaCry. I guess it's kinda difficult to write code and test it, only to find that the code has just encrypted all your source files and the decryption algorithm is not yet working! The Wannacry vaccine was coded to find a specific web server which meant it could be easily stopped by setting up a server of the correct name. The Petya developers obviously did not want to use the same mechanism, which was discovered and then used as a global 'kill switch', and so have used a local file instead to stop infection.