There's no cure for the latest ransomware attack, but a researcher has discovered a way to prevent infection through the creation of a single Windows file.
Only weeks after WannaCry caused chaos worldwide, the latest ransomware campaign to disrupt businesses is Petya/NotPetya. On Tuesday, the ransomware successfully attacked victims in Ukraine, Russia, Denmark, the UK, and the United States, locking down and disrupting banks, energy companies, and airports.
Researchers believe the EternalBlue SMB exploit was used to propagate the ransomware. The strain is heavily influenced by the original Petya but comes with additional functionality, including encryption of the full hard drive and the ability to use PsExec on any system for which it holds administrative credentials, allowing it to copy itself to other systems on the network.
As reported by Bleeping Computer, there is a way to prevent infection -- not cure, but protect from -- which takes no more than a few minutes of your time.
After investigating the Petya ransomware, Cybereason security researcher Amit Serper realized that if the malware is downloaded and executes on an infected system, the ransomware looks for a specific local file and will both exit and not encrypt a system if that file is found.
Potential victims who have not -- or for whatever reason, cannot -- patch their systems can create a file, set it to read-only, and block the ransomware from executing.
In order to enable the preventative measure, an extensionless file called perfc needs to be created in the C:\Windows folder and made read-only.
The first step is to enable the display of file extensions in Windows. Then open the C:\Windows folder and, in a separate window, open the Notepad application. Create a file called perfc, press Enter, and make sure no extension is added. Once the file has been created, right-click it, select Properties, and check "Read-only." Copy this file to the Windows folder.
You should now have the file in the correct place, displayed as C:\Windows\perfc.
Other researchers later confirmed the discovery, although some noted that creating a perfc.dat file as well is likely to help.
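For administrators who would rather script the steps above than click through Explorer, the following PowerShell is an added example (not from the article or from the researchers it quotes). It creates both perfc and perfc.dat in the Windows folder, marks them read-only, and then verifies the result. It assumes an elevated PowerShell session, since writing to C:\Windows requires administrator rights; the file names come from the article, everything else is this example's own choice.

```powershell
#Requires -RunAsAdministrator
# Added example: create the read-only "vaccine" files described in the article.
# Assumes an elevated session. Only the file names (perfc, perfc.dat) come from
# the article; the script structure is this example's own.

$windir = $env:SystemRoot          # normally C:\Windows
$names  = @('perfc', 'perfc.dat')  # perfc per Serper; perfc.dat per other researchers

foreach ($name in $names) {
    $path = Join-Path $windir $name
    if (-not (Test-Path -LiteralPath $path)) {
        # An empty file is enough: the malware only checks for its presence.
        New-Item -ItemType File -Path $path | Out-Null
    }
    # Mark the file read-only so it is not casually deleted or overwritten.
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Verification: confirm each file exists and carries the read-only attribute.
foreach ($name in $names) {
    $path = Join-Path $windir $name
    $item = Get-Item -LiteralPath $path
    [pscustomobject]@{
        Path     = $item.FullName
        ReadOnly = $item.IsReadOnly
    }
}
```

Run it once per machine from an elevated prompt; the final table should list both paths with ReadOnly set to True. Because the check is purely on file presence, the script is idempotent and safe to include in a login or configuration-management task until the hosts are patched.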
This is not a kill-switch for Petya. As of the time of writing, no researcher has been able to find a way to create one to shut down the campaign. However, this is a measure that can protect individual systems -- at least, for now.
As the workaround is now public, it is possible the Petya operators will modify the malware's source to negate these defenses. Patching, as in many cases, is king.
If you have been the unfortunate victim of the latest global ransomware outbreak, you should not, under any circumstances, pay the ransom.
While some ransomware strains dangle the carrot in order to force you to pay up, there is no point paying in this case. The email address set to slurp up $300 blackmail payments in return for supposed decryption has been blocked.
Unfortunately, there is no way to retrieve files encrypted by this attack, and so the best advice that can be offered at the moment is to restore from a backup if you can, or keep the system in the hope that researchers will be able to develop a free decryption key.