Friday, 30 June 2017

'Kill switch/vaccine' for latest Petya/NotPetya ransomware found

A report on Bleeping Computer says that a way to prevent infection by the latest NotPetya ransomware is to create a read-only file at C:\Windows\perfc.

You can do this by downloading and running this file as Administrator.
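As an added example (this is not the file linked from this post, nor Bleeping Computer's own script), the same step can be done by hand from an elevated PowerShell session. The function name `Set-PerfcMarker` and its `-Path` parameter are hypothetical; the default path is the one given above.

```powershell
# Added example: create the read-only marker file described in the post.
# Set-PerfcMarker and -Path are hypothetical names; the default path is the post's.
function Set-PerfcMarker {
    [CmdletBinding()]
    param(
        [string]$Path = 'C:\Windows\perfc'
    )

    # Writing under C:\Windows needs an elevated session, so fail early if not elevated.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell session.'
    }

    # A directory with the same name is unexpected; report it rather than change it.
    if (Test-Path -LiteralPath $Path -PathType Container) {
        throw "$Path exists but is a directory; leaving it untouched."
    }

    # Create an empty file only if nothing is there, so an existing file is never overwritten.
    if (-not (Test-Path -LiteralPath $Path)) {
        New-Item -ItemType File -Path $Path | Out-Null
    }

    # Set the read-only attribute if it is not already set.
    $item = Get-Item -LiteralPath $Path -Force
    if (-not $item.IsReadOnly) {
        $item.IsReadOnly = $true
    }

    # Re-read from disk and return the resulting state so it can be logged or audited.
    $check = Get-Item -LiteralPath $Path -Force
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $check.FullName
        ReadOnly = $check.IsReadOnly
        Length   = $check.Length
    }
}

Set-PerfcMarker
```

The returned object shows whether the file is present and read-only on that machine, which makes it easy to collect the result from several unpatched hosts.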

I have no idea if it works, but if your organisation has un-updated/unpatched systems, this could be useful to prevent your disk from being encrypted.

As I suspected, virus developers will build in some sort of 'kill switch' to prevent their own systems from getting infected, as with WannaCry. The WannaCry vaccine was to find a specific web server, which meant it could be easily stopped by setting up a server of the correct name. The Petya developers obviously did not want to use the same mechanism, which was discovered and then used as a global 'kill switch', and so have used a local file instead to stop infection.