PETYA RANSOMWARE: HOW CAN WE HELP?
One of the worst things that can happen to a company is a malicious attack on its data. Since the WannaCrypt Ransomware attack, I have been interested in how malware and ransomware attacks a system or network, and what can be done to prevent such attacks. When WannaCrypt struck, it was due to a flaw with windows SMB v1, but in the end the ransomware was deactivated due to a domain killswitch.
Now, there is another ransomware attack occurring across Europe named ‘Petya’, but this version of ransomware doesn’t include a domain killswitch (that we know of). Instead, a ‘vaccination’ has been discovered to attempt to prevent the ransomware from encrypting data.
The ‘vaccination’ is simply a file within the ‘C:\Windows’ directory which the ransomware checks to see if it exists before executing its attack. The file is ‘C:\Windows\Perfc.dat’ which if it already exists and is set to read-only when the ransomware is launched, has shown to stop the encryption. This file alongside the MS17-010 (KB4013389) patch for SMB provide a form of prevention if the ransomware is launched on the device.
To protect our clients, I have written a small batch script to create the ‘Perfc.dat’ file in the windows directory and set its file attributes to read only. We then deployed this to all windows devices within our management system. We also run regular patch checks and updates to ensure all devices are actively protected from the attack vectors.
If you are hit by the Petya ransomware, you should not pay the ransom, as the email used to contact the host has been seized and closed. This means that even if you pay, there would be no method of contacting the host and getting the decryption key.
Other effected users have stated that if the ransomware is launched on a device, it will wait for approximately 1 hour before rebooting the device and then starting the encryption process. This is disguised as a ‘CHKDSK’ process, however it will only land on the ransom page if left to complete. It is possible to prevent most of the files from being encrypted if the machine is powered off immediately after the reboot once the ‘CHKDSK’ screen is displayed. An external machine/caddy can then be used to recover the files from the disk.
Ultimately, the best protection from ransomware are backups, more so remote/cloud backups, so that any network attacking malware is unable to find the backup files. Be sure to keep all data that is important backed up in case of these attacks, and new attacks to come.
If you do need any help or advice, please give us a call on 01923 537247, and I or one of my colleagues would be more than happy to assist.