Prevent Infection from Petya/NotPetya Ransomware Using a Single File

A new strain of ransomware dubbed “Petya” is worming its way around the world with alarming speed. The malware is spreading using a vulnerability in Microsoft Windows that the software giant patched in March 2017 — the same bug that was exploited by the recent and prolific WannaCry ransomware strain.

Security firm Symantec confirmed that Petya uses the “Eternal Blue” exploit, a digital weapon that is believed to have been developed by the U.S. National Security Agency and that was leaked online in April 2017 by a hacker group calling itself the Shadow Brokers.

Microsoft released a patch for the Eternal Blue exploit in March (MS17-010), but many businesses put off installing the fix. Many of those that procrastinated were hit with the WannaCry ransomware attacks in May. U.S. intelligence agencies assess with medium confidence that WannaCry was the work of North Korean hackers.

Organizations and individuals who have not yet applied the Windows update for the Eternal Blue exploit should patch now. However, there are indications that Petya may have other tricks up its sleeve to spread inside of large networks.

There’s no cure for the latest ransomware attack, but a researcher has discovered a way to prevent the infection through the creation of a single Windows file.

After investigating the Petya ransomware, Cybereason security researcher Amit Serper realized that when the malware is downloaded and executes on a system, it looks for a specific local file and, if that file is found, exits without encrypting the system.

To enable the preventative measure, an extensionless file called perfc needs to be created in the C:\Windows folder and made read-only.

The first step is to make Windows display file name extensions. Then open the C:\Windows folder and, in a separate window, open the Notepad application. Create a file called perfc, press Enter, and make sure no extension is added. Now that the file has been created, right-click it, select Properties, and check “Read-only.” Copy this file to the Windows folder.

The file should now be in the correct place, at C:\Windows\perfc.
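
The same steps can be scripted rather than done by hand. The PowerShell below is an added example, not code from the original article or from Cybereason; the function name Set-PerfcFile and its -Directory parameter are assumptions made for illustration, while the file name and folder are the ones given above.

```powershell
# Added example: create the read-only, extensionless "perfc" file described above.
# Run from an elevated PowerShell prompt; writing to C:\Windows needs admin rights.

function Set-PerfcFile {
    [CmdletBinding()]
    param(
        # Folder named in the article. Parameterised (an assumption of this
        # example) so the function can be tried in a scratch folder first.
        [string]$Directory = 'C:\Windows'
    )

    $path = Join-Path -Path $Directory -ChildPath 'perfc'

    # A directory with the same name would block creation of the file.
    if (Test-Path -LiteralPath $path -PathType Container) {
        throw "$path exists but is a directory, not a file."
    }

    # Create an empty file with no extension; safe to re-run if it already exists.
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        New-Item -Path $path -ItemType File -ErrorAction Stop | Out-Null
    }

    # Same effect as ticking "Read-only" in the Properties dialog.
    $item = Get-Item -LiteralPath $path -Force -ErrorAction Stop
    $item.IsReadOnly = $true
    $item.Refresh()

    # Report what is actually on disk so the result can be checked or logged.
    [pscustomobject]@{
        Path       = $item.FullName
        Extension  = $item.Extension      # should be empty
        IsReadOnly = $item.IsReadOnly     # should be True
        Ok         = ($item.Extension -eq '' -and $item.IsReadOnly)
    }
}

Set-PerfcFile
```

Because the function returns an object instead of only printing, the Ok field can be collected across machines to confirm that the file is in place everywhere.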

This is not a kill-switch for Petya. Since the ransomware outbreak was reported, no researcher has been able to find a way to create one to shut down the campaign. However, this is a measure that can protect individual systems — at least, for now.

As the workaround is now public, it is possible the Petya operators will modify the malware’s source to negate these defenses. Patching, as in many cases, is king.

If you have been the unfortunate victim of the latest global ransomware outbreak, you should not, under any circumstances, pay the ransom.

Ransomware encrypts important documents and files on infected computers and then demands a ransom (usually in Bitcoin) for a digital key needed to unlock the files. With most ransomware strains, victims who do not have recent backups of their files are faced with a decision to either pay the ransom or kiss their files goodbye.

Ransomware attacks like Petya have become such a common pestilence that many companies are now reportedly stockpiling Bitcoin in case they need to quickly unlock files that are being held hostage by ransomware.

Security experts warn that Petya and other ransomware strains will continue to proliferate, as long as companies delay patching and fail to develop a robust response plan for dealing with ransomware infestations.

According to ISACA, a nonprofit that advocates for professionals involved in information security, assurance, risk management and governance, 62 percent of organizations surveyed recently reported experiencing ransomware in 2016, but only 53 percent said they had a formal process in place to address it.