After being praised for not having a kill switch, it appears the NotPetya ransomware has a weakness after all. When it starts running, the malware checks for a file with its own filename. If it finds one, it stops encrypting. Researchers are not totally sure they have found the real filename, but so far they have found one that works for the current variant.
To mitigate this, all you need to do is create a file named ‘perfc’ without an extension in C:\Windows. After that, set the file to read-only and you have vaccinated your PC against the malware. Please note this is just a quick fix, and it will only stop the ransomware from encrypting your files. It will still spread across the network, wreaking havoc on machines without the vaccine.
Set up the vaccine using a batch file
If you would rather not do this by hand in Windows, you can use a .bat file to set up the vaccine. To do that, you can download this .bat file and run it as administrator. Of course, you should be wary of just downloading and running batch files from the internet, so you can instead copy the code below and paste it into a new file in Notepad. Save the file as ‘anyname.bat’. Be sure to select “All Files” as the save-as type in Notepad, otherwise it will be saved as .txt.
After that, right-click on the file and choose “Run as administrator”. The script creates the file for you and marks it as read-only.
```batch
@echo off
REM Administrative check from here: https://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights
REM Vaccination discovered by twitter.com/0xAmit/status/879778335286452224
REM Batch file created by Lawrence Abrams of BleepingComputer.com. @bleepincomputer @lawrenceabrams

echo Administrative permissions required. Detecting permissions...
echo.
REM "net session" only succeeds in an elevated prompt, so its exit code tells us whether we are admin.
net session >nul 2>&1
if %errorLevel% == 0 (
    if exist C:\Windows\perfc (
        echo Computer already vaccinated for NotPetya/Petya/Petna/SortaPetya.
        echo.
    ) else (
        REM Create all three candidate filenames, since it is not certain which one the malware checks.
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dll
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dat

        REM Mark the vaccine files read-only.
        attrib +R C:\Windows\perfc
        attrib +R C:\Windows\perfc.dll
        attrib +R C:\Windows\perfc.dat

        echo Computer vaccinated for current version of NotPetya/Petya/Petna/SortaPetya.
        echo.
    )
) else (
    echo Failure: You must run this batch file as Administrator.
)
pause
```
Set up the perfc file manually
- Enable showing file extensions for known file types in Windows Explorer.
- Navigate to C:\Windows.
- Copy notepad.exe and paste it into the same folder. You will be asked for permission to write to the folder.
- Rename the ‘notepad – Copy.exe’ file to ‘perfc’ without a file extension. Again, you need to grant administrator permission.
- Right-click on the file and choose Properties. At the bottom, check the Read-only attribute.
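The same procedure scripted in PowerShell, as an added example that is not from the original post or from Cybereason: it creates the three vaccine filenames the batch file above uses (perfc, perfc.dll, perfc.dat) in C:\Windows, marks them read-only, and then verifies each one, so the check can be re-run later to confirm the vaccine is still in place. The function names are my own.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Creates the NotPetya "vaccine" files in C:\Windows, sets the read-only attribute
# and reports the state of each file, so it doubles as a later verification check.

$VaccineFiles = @('perfc', 'perfc.dll', 'perfc.dat') | ForEach-Object { Join-Path $env:windir $_ }
$Marker = 'NotPetya/Petya vaccination file. Do not remove; it prevents this host from being encrypted.'

function Test-IsAdministrator {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Install-NotPetyaVaccine {
    if (-not (Test-IsAdministrator)) {
        throw 'Run this from an elevated (Administrator) PowerShell prompt.'
    }
    foreach ($path in $VaccineFiles) {
        if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
            # Only the filename matters to the malware; the content is just a note for admins.
            Set-Content -LiteralPath $path -Value $Marker -NoNewline
        }
        # Add ReadOnly without clobbering any other attributes already set on the file.
        $item = Get-Item -LiteralPath $path -Force
        $item.Attributes = $item.Attributes -bor [IO.FileAttributes]::ReadOnly
    }
}

function Test-NotPetyaVaccine {
    # Returns one object per expected file. Vaccinated is $true only when the
    # path exists, is a plain file (not a directory) and carries the ReadOnly attribute.
    foreach ($path in $VaccineFiles) {
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        $exists   = ($null -ne $item) -and (-not $item.PSIsContainer)
        $readOnly = $exists -and (($item.Attributes -band [IO.FileAttributes]::ReadOnly) -ne 0)
        [PSCustomObject]@{
            Path       = $path
            Exists     = $exists
            ReadOnly   = $readOnly
            Vaccinated = ($exists -and $readOnly)
        }
    }
}

Install-NotPetyaVaccine
Test-NotPetyaVaccine | Format-Table -AutoSize
```

Running only Test-NotPetyaVaccine later (no elevation needed) tells you whether the files are still present and read-only.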
NotPetya is certainly smarter than WannaCry, which had a simple kill switch. However, it looks like it was not created to make money for the attackers, and little thought was given to collecting the loot. The email address that was supposed to be used for decryption has been blocked, taking away any chance of file recovery. Researchers are convinced this tool was simply created to wreak havoc.
This fix was put up by Amit Serper from Cybereason. They have also put up free anti-ransomware software for download. This is not a complete solution on its own; you still need to patch those computers.