Updated 3:19PM Pacific Time: A method to ‘vaccinate’ yourself against this ransomware variant has been found. I have posted details towards the end of the post along with a batch file you can run. It is as simple as creating the file C:\Windows\perfc and marking it read-only.
Update 2 at 7pm PST on Tuesday: It appears that the initial infection many have come from a company called MeDoc that was breached. Their systems were infected and they then pushed out an update, spreading the infection. MeDoc are disputing the allegation. Sources: Talos quoted on ZDNet, Forbes and FireEye.
This is a public service announcement from Wordfence due to the widespread and severe nature of this attack. A major ransomware attack targeting Microsoft Windows systems is affecting companies and systems, many of them critical, on a global scale.
What We Know
A new ransomware variant is spreading quickly across the globe at the time of this writing. There is no consensus yet in the security research community, so the following information is provisional in nature:
The ransomware has been dubbed “Petya.” It likely spreads by using two separate exploits. You don’t need to click on anything or take any action. This can spread into your system through the network. That is why it is having such a wide impact and why it is important that you update your system to protect yourself.
For the technically minded: This ransomware is exploiting a vulnerability in Microsoft Office when handling RTF documents (CVE-2017-0199). It also exploits a vulnerability in SMBv1 which is the Microsoft file-sharing protocol. This second vulnerability is described in Microsoft security bulletin MS17-010.
The ransomware has affected a large number of companies, organizations and government entities on an international scale. The following is a screenshot of the ransomware page you are confronted with once your files are encrypted:
Colin Hardy has provided a behavioral analysis of Petya, which includes a video demonstration of the malware in action:
If you currently run an unpatched Windows system, you may not have time to patch it before you are infected. Consider shutting down your machine, if feasible, and leaving it off the network until there is consensus in the research community on what this exploits and how to protect against it.
If you are technically able to, we recommend you block network access to port 445 on your Windows workstations. You may also want to monitor traffic to that port if you are a security professional.
In the past couple of hours researchers have found a ‘vaccine’ against having your files encrypted by this new variant of Petya. They discovered that if a file exists, the encryption routine will not run.
To vaccinate a machine against this ransomware, simply create a file called perfc in the C:\Windows folder and mark it read only. The following batch file courtesy of BleepingComputer will do the job for you:
This post in BleepingComputer also includes instructions on how to create the file manually if you would prefer to do that. Once this file is created, the encryption routine for this specific ransomware variant will not run and encrypt your files.
Help Keep the Community Safe
We recommend you let your friends and family know about this fast spreading campaign as a matter or urgency to help them stay safe.