找回密碼
 註冊
查看: 3479|回覆: 17

[轉載] Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak

  [複製鏈接]
簽到
3092
發表於 2017-6-30 04:29:17 | 顯示全部樓層 |閱讀模式
Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak
- [Bleepingcomputer]  
https://www.bleepingcomputer.com ... ansomware-outbreak/

Cybereason security researcher Amit Serper has found a way to prevent the Petya (NotPetya/SortaPetya/Petna) ransomware from infecting computers.

The ransomware has been wreaking havoc across the globe today, locking hard drive MFT and MBR sections and preventing computers from booting. Unless victims opted to pay a ransom (which is now pointless and not recommended), there was no way to recover their systems.
mbr-ransom-note.jpg
In the first hours of the attack, researchers believed this new ransomware was a new version of an older threat called Petya, but they later discovered that this was a new strain altogether, which borrowed some code from Petya, hence the reason why they recently started it calling it NotPetya, Petna, or as we like to call it SortaPetya.

Researchers flocked to find killswitch mechanism
Because of the ransomware's global outreach, many researchers flocked to analyze it, hoping to find a loophole in its encryption or a killswitch domain that would stop it from spreading, similar to WannaCry.
While analyzing the ransomware's inner workings, Serper was the first to discover that NotPetya would search for a local file and would exit its encryption routine if that file already existed on disk.

The researcher's initial findings have been later confirmed by other security researchers, such as PT Security, TrustedSec, and Emsisoft.
This means victims can create that file on their PCs, set it to read-only, and block the NotPetya ransomware from executing.
While this does prevent the ransomware from running, this method is more of a vaccination than a kill switch. This is because each computer user must independently create this file, compared to a "switch" that the ransomware developer could turn on to globally prevent all ransomware infections.

How to Enable the NotPetya/Petna/Petya Vaccine
To vaccinate your computer so that you are unable to get infected with the current strain of NotPetya/Petya/Petna (yeah, this naming is annoying), simply create a file called perfc in the C:\Windows folder and make it read only.  For those who want a quick and easy way to perform this task, Lawrence Abrams has created a batch file that performs this step for you.  
Please note that he batch file will also create two addition vaccination files called perfc.dat and perfc.dll. While my tests did not indicate that these additional files are needed, I added them for thoroughness based on the replies to this tweet.
This batch file can be found at: https://download.bleepingcomputer.com/bats/nopetyavac.bat
For those who wish to vaccinate their computer manually, you can do so using the following steps. Please note that these steps are being created to make it as easy as possible for those with little computer experience. For those who have greater experience, you can do it in quite a few, and probably better, ways.

登入後,內容更豐富

您需要 登錄 才可以下載或查看,沒有賬號?註冊

×
 樓主| 發表於 2017-6-30 04:34:30 | 顯示全部樓層
First, configure Windows to show file extensions. For those who do not know how to do this, you can use this guide. Just make sure the Folder Options setting for Hide extensions for known file types is unchecked like below.
1 show-extensions.jpg
Once you have enabled the viewing of extensions, which you should always have enabled, open up the C:\Windows folder. Once the folder is open, scroll down till you see the notepad.exe program.
回覆 讚好 不讚 使用道具

舉報

 樓主| 發表於 2017-6-30 04:40:09 | 顯示全部樓層
2 windows-folder.jpg
Once you see the notepad.exe program, left-click on it once so it is highlighted. Then press the Ctrl+C ( Ctrl+C Button) to copy and then Ctrl+V ( Ctrl+V Button) to paste it. When you paste it, you will receive a prompt asking you to grant permission to copy the file.
3 adminprivs-prompt.jpg
Press the Continue button and the file will be created as notepad - Copy.exe. Left click on this file and press the F2 key on your keyboard and now erase the notepad - Copy.exe file name and type perfc as shown below.
4 rename.jpg
Once the filename has been changed to perfc, press Enter on your keyboard. You will now receive a prompt asking if you are sure you wish to rename it.
5 rename-confirmation.jpg
Click on the Yes button. Windows will once again ask for permission to rename a file in that folder. Click on the Continue button.
回覆 讚好 不讚 使用道具

舉報

 樓主| 發表於 2017-6-30 04:45:37 | 顯示全部樓層
Now that the perfc file has been created, we now need to make it read only. To do that, right-click on the file and select Properties as shown below.
6 file-properties.jpg
The properties menu for this file will now open. At the bottom will be a checkbox labeled Read-only. Put a checkmark in it as shown in the image below.
7 read-only.jpg
Now click on the Apply button and then the OK button. The properties Window should now close. While in my tests, the C:\windows\perfc file is all I needed to vaccinate my computer, it has also been suggested that you create C:\Windows\perfc.dat and C:\Windows\perfc.dll to be thorough. You can redo these steps for those vaccination files as well.

Your computer should now be vaccinated against the NotPetya/SortaPetya/Petya Ransomware.
Additional reporting by Lawrence Abrams.
6/28/17 8:26AM EST: This article has been updated to clarify in more detail how the batch script works
回覆 讚好 不讚 使用道具

舉報

 樓主| 發表於 2017-6-30 04:52:16 | 顯示全部樓層
有誰在大陸或那裡看不到這些資料, 我們樂意提供,  互相研發,

Bleeping Computer Petya/NotPetya coverage:

Surprise! NotPetya Is a Cyber-Weapon. It's Not Ransomware
https://www.bleepingcomputer.com ... its-not-ransomware/

Petya Ransomware Outbreak Originated in Ukraine via Tainted Accounting Software
https://www.bleepingcomputer.com ... ccounting-software/

Vaccine, not Killswitch, Found for Petya (NotPetya) Ransomware Outbreak
https://www.bleepingcomputer.com ... ansomware-outbreak/

Email Provider Shuts Down Petya Inbox Preventing Victims From Recovering Files
https://www.bleepingcomputer.com ... m-recovering-files/

WannaCry Déjà Vu: Petya Ransomware Outbreak Wreaking Havoc Across the Globe
https://www.bleepingcomputer.com ... c-across-the-globe/
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 06:06:01 | 顯示全部樓層
You can do the research with Henry

轉載 :【新型勒索病毒 Petya】在歐洲爆發並迅速蔓延!這次鎖定的目標是銀行、機場和公家機關電腦
http://141hongkong.com/forum.php ... &fromuid=402585
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 07:01:06 | 顯示全部樓層
回復 jgyjgw #1 的帖子

亨利出咗中文版
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 07:43:30 | 顯示全部樓層
睇唔明英文版
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 09:30:54 | 顯示全部樓層
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 10:26:53 | 顯示全部樓層
very good info  
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 17:49:54 | 顯示全部樓層
有英文版本都是好
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 21:15:56 | 顯示全部樓層
easy to be infected
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 21:47:30 | 顯示全部樓層
Use apple ma !
回覆 讚好 不讚 使用道具

舉報

發表於 2017-6-30 22:53:22 | 顯示全部樓層
出咗中文版
回覆 讚好 不讚 使用道具

舉報

發表於 2017-7-1 01:02:29 | 顯示全部樓層
好快有新版本,呢劑藥可能好快冇用
回覆 讚好 不讚 使用道具

舉報

發表於 2017-7-1 20:11:09 | 顯示全部樓層
asiachu 發表於 2017-7-1 01:02
好快有新版本,呢劑藥可能好快冇用

都有可能
回覆 讚好 不讚 使用道具

舉報

發表於 2017-7-1 20:15:28 | 顯示全部樓層
HKOXSEX 發表於 2017-6-30 06:06
You can do the research with Henry

轉載 :【新型勒索病毒 Petya】在歐洲爆發並迅速蔓延!這次鎖 ...

有個疑問:  冇提及UEFI device 唔用 FAT 會唔會鎖唔到?
回覆 讚好 不讚 使用道具

舉報

發表於 2017-7-2 00:57:59 | 顯示全部樓層

改個名有幾難
回覆 讚好 不讚 使用道具

舉報

您需要登錄後才可以回帖 登錄 | 註冊

本版積分規則

Archiver|聯絡我們|141華人社區

GMT+8, 2024-11-27 11:35

Powered by Discuz! X3.5

© 2001-2024 Discuz! Team.

快速回覆 返回頂部 返回列表