NotPetya ransomware: White House joins UK in blaming Russia for NotPetya cyberattack

US government claims to be “reviewing a range of options" in response to the findings

28/06/2017: Vaccine may hinder Petya spread

Security researchers have chanced upon a workaround solution that disables the Petya ransomware that's wreaked havoc on computers around the world.

According to a blog post by IT security firm Cybereason, its principle security researcher Amit Serper discovered that creating a file named "perfc", with no extension name and placing it in the C:\windows\ folder. The file has to be read-only for the method to work.

The ransomware searches for its own filename in the C:\windows\ folder, and if it is found, will cease running, according to security researchers.

Advertisement
Advertisement - Article continues below

Cybereason said that once the original file name was found and verified by two different sources, Serper was able to piece together a kill switch that should work for any instance of the original ransomware infection. While this does not stop the ransomware if it is already running, it will act as a vaccination, stopping it from ever trying to encrypt files.

While Petya infects PCs around the world, Kroll Ontrack believed that some data may still be salvaged from infected computers without paying a ransom. 

According to Phil Bridge, managing director, Western Europe of Data & Storage Technologies at Kroll Ontrack, said that the malware does not encrypt all the files on your computer but instead attacks a part of the operating system called the Master File Table (MFT), an essential index' for the computer system to locate files on the computer.

"Attacking one part of the system (the MFT) is much faster than targeting all the individual files but the result is as if each file had been locked separately," he said.

He added that there is a method to decrypt the original Petya ransomware, but one has not yet been released for the updated version. He said that "some data may still be salvaged from infected computers with the use of specialist data recovery techniques.

28/06/2017: Petya ransomware: attack hits global companies

A ransomware attack has locked down corporate computers throughout Europe and the US, a month after the NHS and other organisations were knocked offline by WannaCry.  

Called Petya as well as NotPetya by some, and Goldeneye, by others  has reportedly hit thousands of machines, including at advertising giant WPP,  Danish transport firm AP Moller-Maersk, and Russian oil firm Rosneft, as well as at least one hospital firm in the US.

It appears to have initially infected machines via accounting software that companies use to link to the Ukrainian government, with huge swathes of that country's companies and government bodies wiped offline. While the country's Twitter feed made light of the situation, some of the shutdown was alarming including Chernobyl radiation monitoring being done by hand.

Once in, Petya then spreads via the EternalBlue vulnerability in Windows that has been patched but given the carnage, it appears not everyone has updated. That was the same exploit used by WannaCry's hackers, and was developed by the NSA but leaked in April.

Advertisement
Advertisement - Article continues below

"As far as the EternalBlue exploit, the worm code appears to heavily borrow from WannaCry, including taking advantage of the same EternalBlue exploit code to move around once it is inside the network," said Allan Liska, intelligence architect at Recorded Future. "In addition to the EternalBlue exploit, the new attack appears to take advantage of WMIC for lateral movement. WMIC (Windows Management Instrumentation Command-line) is a command line tool that is used to execute system management commands on Windows."

One difference with WannaCry is it lacks an apparent "kill switch" that halted May's ransomware outbreak. "Some are comparing this to WannaCry 2.0 but this version does not have the "kill-switch" that the original WannaCry did. Thus, we should not expect any oddity like that to slow this attack," said Brian Hussey, VP of cyber threat detection and response at Trustwave.

This variant demands $300 in Bitcoin payment from users of infected machines as ransom to unlock their data. However, the German email provider, Posteo, that runs the attackers' email account, has shut it down, so victims likely won't be getting their data decrypted.

To Nicholas Weaver, security researcher at the International Computer Science Institute, that suggests there may be more to Petya. "I'm willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware," Weaver told KrebsonSecurity. "The best way to put it is that Petya's payment infrastructure is a fecal theater."

Matthew Hickley, co-founder of My HackerHouse, said if your computer does force a reboot and show the following screen, turn your PC off to halt the encryption process.

Featured Resources

The IT Pro guide to Windows 10 migration

Everything you need to know for a successful transition

Download now

Managing security risk and compliance in a challenging landscape

How key technology partners grow with your organisation

Download now

Software-defined storage for dummies

Control storage costs, eliminate storage bottlenecks and solve storage management challenges

Download now

6 best practices for escaping ransomware

A complete guide to tackling ransomware attacks

Download now
Advertisement

Most Popular

Visit/security/identity-and-access-management-iam/354289/44-million-microsoft-customers-found-using
identity and access management (IAM)

44 million Microsoft customers found using compromised passwords

6 Dec 2019
Visit/cloud/microsoft-azure/354230/microsoft-not-amazon-is-going-to-win-the-cloud-wars
Microsoft Azure

Microsoft, not Amazon, is going to win the cloud wars

30 Nov 2019
Visit/network-internet/wifi-hotspots/354283/industrial-wi-fi-6-trial-reveals-blistering-speeds
wifi & hotspots

Industrial Wi-Fi 6 trial reveals blistering speeds

5 Dec 2019
Visit/hardware/354237/five-signs-that-its-time-to-retire-it-kit
Sponsored

Five signs that it’s time to retire IT kit

29 Nov 2019