Yesterday news started to break about a new virus making the rounds. Initially it was referred to as ransomware, but the email address used to get a recovery key after paying has been blocked, and researchers have now discovered that the hard drive is in fact not encrypted; the MBR is destroyed and there is no recovery (Link to more information about that here). Several sources are also speculating that this was a nation-state attack masked as ransomware; Wired Magazine wrote this about the virus and possible ties to Russia. There appears to be a way to “inoculate” your computer to block the virus from infecting you, and that is what this post will show.
Of course this won’t fix an already infected computer, and as always the best defense is to keep your system well patched and be mindful of what you are clicking. The original Petya virus in 2016 used email as an attack vector; from what I’ve been able to read, this variant originated within a Ukrainian financial software update.
On individual machines, or over the network using something like a GPO, create files in the Windows directory to make the virus think that your computer is already infected. Open a text editor, put this code in, and save it as a .bat file. Then run the batch file with administrator privileges (right click and Run As Administrator) on your computer.
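    rem Remove any existing perfc files (/f also deletes read-only ones)
    del %WINDIR%\perfc.* /f
    rem Create the three marker files
    echo > %WINDIR%\perfc
    echo > %WINDIR%\perfc.dat
    echo > %WINDIR%\perfc.dll
    rem Mark them read-only
    attrib +R %WINDIR%\perfc.*
    rem Keep the window open so the output can be read
    pause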
This checks for any existing perfc.* files and removes them. It then creates three files, one with no extension and two more with .dll and .dat extensions. Finally, it sets them to read-only, and the pause command keeps the window on the screen.
If you want to push this out with a GPO or another tool, you might want to remove the pause command so your users don’t call asking about the strange black box on their screen.
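For an unattended rollout, here is a PowerShell version that can be re-run safely and reports the state of each file; it is an added example, not the script from this post or the one from Bleeping Computer. The function name Set-PerfcMarker and its Directory parameter are hypothetical, and unlike the batch file it leaves existing perfc files in place instead of deleting them first.

```powershell
# Added example: idempotently create and verify the perfc marker files.
# Set-PerfcMarker and -Directory are hypothetical names; run from an elevated session.
function Set-PerfcMarker {
    [CmdletBinding()]
    param(
        # Directory that holds the markers; the post uses the Windows directory.
        [string]$Directory = $env:WINDIR
    )
    $names = 'perfc', 'perfc.dat', 'perfc.dll'   # same three names as the batch file
    foreach ($name in $names) {
        $path = Join-Path -Path $Directory -ChildPath $name
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue

        if ($item -and $item.PSIsContainer) {
            # A directory with this name is unexpected; report it rather than touch it.
            [pscustomobject]@{ Path = $path; Exists = $true; ReadOnly = $false; Status = 'IsDirectory' }
            continue
        }
        $status = 'AlreadyPresent'
        try {
            if (-not $item) {
                $item = New-Item -Path $path -ItemType File -ErrorAction Stop
                $status = 'Created'
            }
            if (-not $item.IsReadOnly) {
                $item.IsReadOnly = $true
                if ($status -ne 'Created') { $status = 'MadeReadOnly' }
            }
        }
        catch {
            $status = "Failed: $($_.Exception.Message)"
        }
        # Re-read from disk so the report reflects the real state, not our intent.
        $check = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path     = $path
            Exists   = [bool]$check
            ReadOnly = [bool]($check -and $check.IsReadOnly)
            Status   = $status
        }
    }
}

# Per-file report; a non-zero exit code lets a deployment tool flag failed machines.
$results = Set-PerfcMarker
$results | Format-Table -AutoSize
if ($results | Where-Object { -not ($_.Exists -and $_.ReadOnly) }) { exit 1 }
```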
Bleeping Computer has a more in-depth article that includes a downloadable script, which admittedly is more advanced than mine, here.