How to enable the NotPetya/Petna/Petya Vaccine


straycat19


How to Enable the NotPetya/Petna/Petya Vaccine

To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only. For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.

Please note that the batch file will also create two additional vaccination files called perfc.dat and perfc.dll. While my tests did not indicate that these additional files are needed, I added them for thoroughness based on the replies to this tweet.

This batch file can be found at: 

https://download.bleepingcomputer.com/bats/nopetyavac.bat

For those who wish to vaccinate their computer manually, you can do so using the following steps. Please note that these steps are being created to make it as easy as possible for those with little computer experience. For those who have greater experience, you can do it in quite a few, and probably better, ways.

First, configure Windows to show file extensions. For those who do not know how to do this, you can use this guide. Just make sure the Folder Options setting for Hide extensions for known file types is unchecked like below.

Folder Options

Once you have enabled the viewing of extensions, which you should always have enabled, open up the C:\Windows folder. Once the folder is open, scroll down till you see the notepad.exe program.

Windows Folder

Once you see the notepad.exe program, left-click on it once so it is highlighted. Then press Ctrl+C to copy and then Ctrl+V to paste it. When you paste it, you will receive a prompt asking you to grant permission to copy the file.

Grant Permission

Press the Continue button and the file will be created as notepad - Copy.exe. Left-click on this file and press the F2 key on your keyboard, then erase the notepad - Copy.exe file name and type perfc as shown below.

Rename file

Once the filename has been changed to perfc, press Enter on your keyboard. You will now receive a prompt asking if you are sure you wish to rename it.

Confirmation

Click on the Yes button. Windows will once again ask for permission to rename a file in that folder. Click on the Continue button.

Now that the perfc file has been created, we now need to make it read only. To do that, right-click on the file and select Properties as shown below.

Properties

The properties menu for this file will now open. At the bottom will be a checkbox labeled Read-only. Put a checkmark in it as shown in the image below.

Read-only

Now click on the Apply button and then the OK button. The Properties window should now close. While in my tests the C:\Windows\perfc file is all I needed to vaccinate my computer, it has also been suggested that you create C:\Windows\perfc.dat and C:\Windows\perfc.dll to be thorough. You can redo these steps for those vaccination files as well.

Your computer should now be vaccinated against the NotPetya/SortaPetya/Petya Ransomware.


Source

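As an added example (not the batch file linked above and not code from the original post), the same three-file vaccination done from an elevated PowerShell prompt with a verification pass at the end; it assumes the Windows directory is whatever $env:SystemRoot resolves to (normally C:\Windows):

```powershell
# Added example: create the NotPetya vaccine files in the Windows directory,
# mark them read-only and verify the result. Run from an elevated prompt.

# Writing into C:\Windows needs administrator rights, so check first.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    Write-Error "Run this script from an elevated (Administrator) PowerShell prompt."
    exit 1
}

$winDir = $env:SystemRoot              # assumption: normally C:\Windows
$names  = @('perfc', 'perfc.dat', 'perfc.dll')   # perfc alone sufficed in the post's tests

foreach ($name in $names) {
    $path = Join-Path $winDir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # File content is irrelevant; only the file's presence matters.
        New-Item -ItemType File -Path $path -Force | Out-Null
        Write-Host "Created $path"
    } else {
        Write-Host "Already present: $path"
    }
    # Same effect as ticking the Read-only box in the file's Properties dialog.
    (Get-Item -LiteralPath $path -Force).IsReadOnly = $true
}

# Verification: every vaccine file must exist and carry the read-only attribute.
$allGood = $true
foreach ($name in $names) {
    $path = Join-Path $winDir $name
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not $item.IsReadOnly) {
        Write-Warning "Vaccine file missing or not read-only: $path"
        $allGood = $false
    }
}
if ($allGood) { Write-Host "All vaccine files present and read-only." }
```

Re-running the script is safe: existing files are left in place and only the read-only attribute is (re)applied.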

Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware

NotPetya

The NotPetya ransomware that encrypted and locked thousands of computers across the globe yesterday and today is, in reality, a disk wiper meant to sabotage and destroy computers, and not ransomware. This is the conclusion of two separate reports coming from Comae Technologies and Kaspersky Lab experts.

Experts say that NotPetya — also known as Petya, Petna, ExPetr — operates like a ransomware, but clues hidden in its source code reveal that users will never be able to recover their files.

This has nothing to do with the fact that a German email provider has shut down the NotPetya operator's email account. Even if victims would be able to get in contact with the NotPetya author, they still have no chance of recovering their files.

NotPetya never bothers to generate a valid infection ID

This is because NotPetya generates a random infection ID for each computer. A ransomware that doesn't use a command-and-control server — like NotPetya — uses the infection ID to store information about each infected victim and the decryption key.

Because NotPetya generates random data for that particular ID, the decryption process is impossible, according to Kaspersky expert Anton Ivanov.

"What does it mean? Well, first of all, this is the worst-case news for the victims – even if they pay the ransom they will not get their data back. Secondly, this reinforces the theory that the main goal of the ExPetr attack was not financially motivated, but destructive," said Ivanov.

MFT file is unrecoverable

Kaspersky's discovery was also reinforced by a separate report released by Comae Technologies researcher Matt Suiche, who found a totally different flaw but reached the same conclusion.

In his report, Suiche describes a faulty sequence of operations that would make it impossible to recover the original MFT (Master File Table), which NotPetya encrypts. This file handles the location of files on a hard drive, and with this file remaining encrypted, there's no way to know where each file is on an affected computer.

"[The original] Petya modifies the disk in a way where it can actually revert its changes. Whereas, [NotPetya] does permanent and irreversible damages to the disk," Suiche said.

NotPetya was designed for mayhem, not making money

The idea that NotPetya did not follow regular ransomware rules was first proposed by threat intelligence expert The Grugq, in a report published yesterday.

"The real Petya was a criminal enterprise for making money. This [NotPetya] is definitely not designed to make money," The Grugq said. "This is designed to spread fast and cause damage, with a plausibly deniable cover of 'ransomware.'"

What needs to be made clear is that NotPetya is not a disk wiper per se. It does not delete any data but simply makes it unusable by locking files and throwing away the key.

"In my book, a ransomware infection with no possible decryption mechanism is equivalent to a wiper," J. A. Guerrero-Saade, security researcher for Kaspersky Lab told Bleeping Computer today via email. "By disregarding a viable decryption mechanism, the attackers have displayed a complete disregard for long-term monetary gain."

Furthermore, in a tweet sent out today, the author of the original Petya also made it clear NotPetya was not his work, dispelling any rumors that this was a Petya offshoot.

JanusSec tweet

He, in fact, is the second ransomware author that had to say this, after the author of the AES-NI ransomware said in May he did not create the XData ransomware, which was also used in targeted attacks against Ukraine. Furthermore, both XData and NotPetya used the same distribution vector, the update servers of a Ukrainian accounting software maker.

Signs with big bright blinking lights point to the theory that someone is hijacking known ransomware families and using them to attack Ukrainian users.

Hiding wipers in ransomware has become common practice

While this sounds sneaky, it's actually been done before. Attackers with a hidden agenda that are posing as mundane cyber-criminals and hiding disk wipers as ransomware is not a new tactic. It's actually a trend.

This past fall and winter we've seen reports of disk wipers getting "ransomware components" so they could pass as ransomware infections and avoid the scrutiny of incident responders. This happened with the Shamoon and KillDisk malware families, both tools known for their disk-wiping abilities. Furthermore, even industrial malware is getting disk-wiping features.

With NotPetya's reclassification as a disk wiper, experts can easily put the malware in the category of cyber-weapons, and analyze its effects from a different perspective.

With the point of origin and most victims residing inside its borders, it's pretty obvious that Ukraine was the victim. There is no palpable evidence to point the finger towards an attacker, but Ukrainian officials had already blamed Russia, who they accused in the past of several other cyber-incidents going way back to 2014.

The consensus on NotPetya has shifted dramatically in the past 24 hours, and nobody would be wrong to say that NotPetya is on the same level as Stuxnet and BlackEnergy, two malware families used for political purposes and for their destructive effects. Evidence is clearly mounting that NotPetya is a cyber-weapon and not just some overly aggressive ransomware.

SOURCE


This is posted:


Skunknineteensixtysix posted it. It's the fifth post down the first hyperlink posted. For your information, this vaccine is only a temporary solution. The malicious developers that made this infection can see the coverage their infection is getting and are probably going to update it to fix this vaccine or bug in this malware. This is malware, not so much ransomware, because when it infects you it attacks the MBR and does what malware does, and the address you use to send the ransom to was suspended, making the ransomware no longer ransomware (if a victim did get in contact with the malware developer there could be a chance, if it's not nation-state sponsored, that is. I read about a victim that got a ransomware and the victim got ahold of the developer and said they can't afford the ransom, and the developer said it's ok, we didn't realize how broke the place we infected was, or something like that, and the developer set their machine in decryption mode, unless that was a hoax). I just created a text document and renamed it to perfc with no extension; that works too.


46 minutes ago, Holmes said:

This is posted:

Oh, I did not see that thread.


But also after reading that thread I did not see anything about what I posted: 

Quote

Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware

Quote

Experts say that NotPetya — also known as Petya, Petna, ExPetr — operates like a ransomware, but clues hidden in its source code reveal that users will never be able to recover their files.

This has nothing to do with the fact that a German email provider has shut down the NotPetya operator's email account. Even if victims would be able to get in contact with the NotPetya author, they still have no chance of recovering their files.

NotPetya never bothers to generate a valid infection ID

This is because NotPetya generates a random infection ID for each computer. A ransomware that doesn't use a command-and-control server — like NotPetya — uses the infection ID to store information about each infected victim and the decryption key.

Because NotPetya generates random data for that particular ID, the decryption process is impossible, according to Kaspersky expert Anton Ivanov.

Quote

NotPetya was designed for mayhem, not making money

I think what's written above is the most important point of the article.

Maybe staff should merge these threads? :dunno: 
