Petya Ransomware Fix Kill Switch


Update 3:44pm EST

Petya ransomware is also taking advantage of the WMIC and PsExec tools to infect fully patched Windows computers, so you are also advised to disable WMIC (Windows Management Instrumentation Command-Line). Additionally, Petya encrypts the system after the reboot, so if your system is infected with Petya ransomware and tries to restart, do not power it back on. If your machine reboots and you see the picture linked with this article, power off immediately!

Posteo, the German email provider, has suspended the email address (wowsmith123456-at-posteo.net) that the criminals were using to communicate with victims and to send decryption keys after receiving the ransom.

A "kill switch" has been discovered, and users are advised to create a file "C:\Windows\perfc" to prevent the ransomware infection. Based on the way the malware is coded, if "perfc" already exists on the system, the malware will not run.

 

Petya ransomware infects 300,000

Another large-scale ransomware attack is happening right now and has already infected over 300,000 machines in just over 72 hours. Using the same Windows SMBv1 vulnerability as WannaCry, a new variant of the Petya ransomware is spreading rapidly. In March of 2016 we issued a SAT News article regarding Petya and how it encrypted the Master File Table (MFT) of the infected PC instead of encrypting individual files. Once infected, Petya reboots the PC into its own malicious code, which displays instructions on how to pay the ransom and decrypt files.

According to VirusTotal, only 13 out of 61 anti-virus services are successfully detecting the Petya virus, and the malicious actors are demanding $300 worth of bitcoin for decryption. To protect against this threat, users are urged to apply the Microsoft patches for the EternalBlue vulnerability (MS17-010) and disable the SMBv1 file-sharing protocol on all Windows systems. As always with ransomware, be suspicious of unwanted files and documents sent over email and never click links unless the source has been verified. Having a tested, working backup solution in place is always valuable in this situation: if files are encrypted, a backup is your only hope short of paying the ransom.
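The two host-level mitigations this post recommends, the "perfc" kill-switch file from the update above and disabling SMBv1 from this paragraph, as an added PowerShell example (not from the original post or from Nuspire). It assumes an elevated session; the SmbServerConfiguration cmdlets exist on Windows 8 / Server 2012 and later, and the registry fallback is the documented SMB1 value for older systems.

```powershell
# Added example, not part of the original post. Run from an elevated PowerShell session.

# 1. Kill switch: the malware refuses to run when C:\Windows\perfc already exists.
$killSwitch = Join-Path $env:SystemRoot 'perfc'

if (-not (Test-Path -LiteralPath $killSwitch)) {
    # An empty file is enough; the malware checks for existence, not content.
    New-Item -Path $killSwitch -ItemType File | Out-Null
}
# Mark it read-only so routine cleanup does not remove it.
Set-ItemProperty -LiteralPath $killSwitch -Name IsReadOnly -Value $true

if (Test-Path -LiteralPath $killSwitch) {
    Write-Output "Kill-switch file present: $killSwitch"
} else {
    Write-Warning "Could not create $killSwitch"
}

# 2. Disable the SMBv1 server protocol that the EternalBlue (MS17-010) exploit targets.
# Set-SmbServerConfiguration is available on Windows 8 / Server 2012 and later (assumption);
# on older systems the equivalent is the LanmanServer SMB1 registry value in the fallback.
if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Confirm the change took effect.
    Get-SmbServerConfiguration | Select-Object EnableSMB1Protocol
} else {
    $lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord
    Write-Output 'SMB1 registry value set to 0; a reboot is required for it to take effect.'
}
```

Disabling SMBv1 does not replace the MS17-010 patch; apply both, and test the change on a file server before rolling it out where legacy clients still depend on SMBv1.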

 

March 2016 Post

Fix for Petya announced

The leading cyber threat in 2016 is ransomware, and security researchers see it only continuing to evolve. One of the latest in this brand of malware is Petya, a ransomware that locks users out of their computers and displays a ransom screen upon startup.


Petya infects machines via spam email campaigns, disguising itself as a resume document with a link to a Dropbox location. Once executed, it overwrites the Master Boot Record (MBR) of the hard drive, causing Windows to crash and display a blue screen of death. Upon restart, a flashing red and white screen with a skull-and-crossbones is displayed instead, demanding a ransom payment in Bitcoin.

Researchers have released a tool to assist in removing Petya from an infected system without having to send payment to the attacker.

To clear a system of Petya:

  1. Remove the infected drive and connect it to a working PC or USB dock.
  2. Download the Petya Sector Extractor from download.bleepingcomputer.com/fabian-wosar/PetyaExtractor.zip. This tool is needed to pull the required sectors from the HDD.
  3. Go to petya-pay-no-ransom.herokuapp.com. This site requires the 512 bytes of verification data and the 8-byte nonce, both Base64 encoded. Using the tool from step 2, select “Copy Sector” and paste the copied sector into the website. Do the same for “Copy Nonce.”
  4. Click “Submit.” The site will then provide your password.
  5. Attach the infected HDD back to the infected machine and enter the password on the ransom screen, which should initiate the decryption process.

If the creator of Petya is still active, there is a chance this solution could eventually stop working. Cyber attackers are constantly refining their methods, just as security researchers work to create solutions against cyber threats.

The ultimate key in mitigating these types of threats is end user awareness. As ransomware continues to gain popularity, the need for proper network security measures also continues to increase dramatically.

