How to protect your computer from NotPetya ransomware?

NotPetya ransomware hit the globe; the vaccine has been found

There's a vaccine for NotPetya ransomware

On Tuesday, a massive NotPetya ransomware attack hit Ukraine, as well as other countries in Europe, Russia, and the United States. Judging from the scale of the attack, the malware might become a huge competitor to WannaCry ransomware.

Currently, researchers are analyzing this cyber threat in order to find its origins, operation peculiarities and ways to stop it. Although data recovery is currently unavailable without paying the ransom (not recommended), people can vaccinate their computers to avoid this cyber threat. [1]

However, researchers point out that it’s only a vaccine, not a kill switch. Thus, the discovered solution doesn't help to disable or terminate the virus.

Inspired by WannaCry, based on Petya

NotPetya was believed to be a new version of Petya ransomware. However, the research revealed that it just uses some parts of Petya’s source code.

The virus also exploits the same system vulnerabilities as WannaCry ransomware. According to recent data, it uses a modified EternalBlue exploit that allows attackers to take advantage of the Microsoft SMBv1 protocol. [2] What is more, it also uses another NSA exploit, EternalRomance, that targets unsupported Windows OS, starting from Windows XP to Windows 2008. [3]

On the affected system, it targets the network’s administrator tools and continues spreading with the help of PsExec and remote Windows Management Instrumentation (WMI). [4]

Ransomware mainly spreads via compromised networks. Thus, only one insecure and unpatched computer might be responsible for infecting the whole local network.

Vaccine for NotPetya

The first thing NotPetya does on the compromised computer is look for its filename in the C:\Windows\ folder. If the malware finds it, it starts the data encryption procedure. Therefore, users just need to create this file and set it read-only. [5] Then the ransomware won’t be able to cause damage to the computer.

In order to activate vaccination, follow these steps:

1. Go to Folder Options and make sure that the “Hide extensions for known file types” option is unchecked. This allows you to see file extensions.

2. Open the C:\Windows folder.

3. Find notepad.exe and left-click on it.

4. Press Ctrl + C and then Ctrl + V to copy and paste it.

5. In the Destination Folder Access Denied prompt that appears, click Continue. A file called “notepad – Copy.exe” will be created.

6. Left-click “notepad – Copy.exe” and then press F2 on the keyboard. You will be allowed to erase the file name (notepad).

7. Instead of the real name, type perfc and press Enter.

8. In the prompt that appears, click Yes to rename the file.

9. In the Windows notification that follows, click the Continue button.

10. Once the perfc file is created, you have to set it read-only. Right-click the file and choose Properties.

11. At the bottom of the perfc Properties window, you will see the Attributes section. Mark the checkbox saying “Read-only.”

12. Click Apply and then OK.
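
The same vaccination as a script, for administrators who need to repeat it on several machines. This is an added example, not part of the original article: the function name Set-VaccineFile is hypothetical, and the script creates an empty perfc file instead of a renamed copy of notepad.exe, on the assumption that only the file's presence and its read-only attribute matter.

```powershell
#Requires -RunAsAdministrator
# Added example: creates the read-only perfc file from steps 1-12 in C:\Windows.
# Writing to the Windows folder needs an elevated PowerShell session.

function Set-VaccineFile {
    param(
        # Folder and file name are the ones the article gives.
        [string]$Directory = $env:windir,
        [string]$Name      = 'perfc'
    )

    $path = Join-Path -Path $Directory -ChildPath $Name

    # A folder with the same name would block creation of the file.
    if (Test-Path -LiteralPath $path -PathType Container) {
        throw "$path exists but is a directory; remove it and run again."
    }

    # Create the file only if it is missing, so the script is safe to re-run.
    # Assumption: an empty file is enough (the article copies notepad.exe).
    if (-not (Test-Path -LiteralPath $path -PathType Leaf)) {
        New-Item -Path $path -ItemType File -ErrorAction Stop | Out-Null
    }

    # Equivalent of ticking "Read-only" in the Properties window.
    $file = Get-Item -LiteralPath $path -Force
    if (-not $file.IsReadOnly) {
        $file.IsReadOnly = $true
    }

    # Re-read from disk and report the final state for logging or auditing.
    $file = Get-Item -LiteralPath $path -Force
    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Path     = $file.FullName
        ReadOnly = $file.IsReadOnly
    }
}

Set-VaccineFile
```

The returned object shows ReadOnly as True once the file is in place; running the script again changes nothing.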

About the author
Olivia Morelli - Ransomware analyst

Olivia Morelli is News Editor at 2-Spyware.com. She covers topics such as computer protection, latest malware trends, software vulnerabilities, data breaches, and more.
