Thursday, June 29, 2017

Protect yourself from the latest ransomware attack.

After investigating the Petya ransomware, Cybereason security researcher Amit Serper realized that if the malware is downloaded and executes on an infected system, the ransomware looks for a specific local file and will both exit and not encrypt a system if that file is found.

Potential victims, which have not -- or for whatever reason, cannot -- patch their systems can create a file, set it to read-only, and block the ransomware from executing.

In order to enable the preventative measure, an extensionless file [ a notepad text file with the .txt removed ] called perfc needs to be created in the C:\Windows folder and made read-only.

The first step is to make Windows show file extensions. Open Control Panel / Appearance and Personalization, then click Folder Options (or File Explorer Options, as it is now called) / View tab. In this tab, under Advanced Settings, you will see the option "Hide extensions for known file types". Uncheck this option and click Apply and OK.

Now, you can see file extensions for all files anywhere on your Windows system.

Open the C:\Windows folder in File Explorer, and on your Desktop open the Notepad application. Save a new file called perfc and make sure that no extension (such as .txt) is added to the name. Once the file has been created, right-click it, select Properties, and check "Read-only." With the File Explorer window reduced in size and the perfc file visible on the Desktop, move the file into the Windows folder.

The file should now be in the correct place, showing as C:\Windows\perfc.


Other researchers later confirmed the discovery, although some noted that creating a perfc.dat file as well is likely to help.
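The manual steps above can be carried out in one go from an elevated PowerShell prompt. The script below is an added example and is not code from the original post or from the researchers it cites; the file names perfc and perfc.dat come from the post, while the use of $env:SystemRoot, the verification loop, and the output format are this example's own choices.

```powershell
# Added example (not part of the original post): create the read-only
# files described above in the Windows folder and confirm they are in place.
# Must be run as administrator, since writing to C:\Windows requires it.

$windir = $env:SystemRoot            # normally C:\Windows (assumption: standard install)
$names  = @('perfc', 'perfc.dat')    # file names taken from the post

foreach ($name in $names) {
    $path = Join-Path $windir $name

    # Create an empty file only if it does not already exist. The name is
    # given explicitly, so no .txt extension is appended as Notepad would do.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }

    # Set the Read-only attribute, the same as ticking "Read-only" in Properties.
    $item = Get-Item -LiteralPath $path
    $item.IsReadOnly = $true
}

# Verification: each file should exist, be empty, and be read-only.
foreach ($name in $names) {
    $item = Get-Item -LiteralPath (Join-Path $windir $name)
    '{0}: {1} bytes, ReadOnly={2}' -f $item.FullName, $item.Length, $item.IsReadOnly
}
```

The verification loop prints one line per file; if either line shows ReadOnly=False, the attribute was not applied and the script should be re-run from an elevated prompt.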

This is not a kill-switch for Petya. As of the time of writing, no researcher has been able to find a way to create one to shut down the campaign. However, this is a measure that can protect individual systems -- at least, for now.

As the workaround is now public, it is possible the Petya operators will modify the malware's source to negate these defenses. Patching, as in many cases, is king.

If you have been the unfortunate victim of the latest global ransomware outbreak, you should not, under any circumstances, pay the ransom.

While some ransomware strains dangle the carrot in order to force you to pay up, there is no point paying in this case. The email address set to slurp up $300 blackmail payments in return for supposed decryption has been blocked.

Unfortunately, there is no way to retrieve lost and encrypted files caused by this attack, and so the best advice which can be offered at the moment is to restore a backup if you can or keep the system in the hopes that researchers will be able to develop a free decryption key.