1. To prevent the initial infection, patch against EternalBlue (the WannaCry hole). This should have been done in March already…
2. If ONE client in your network gets compromised (because it was forgotten for patching…), a "Killswitch" prevents the spreading of malicious code via WMI and psexec. Create a file called C:\Windows\perfc (no extension, with any content or size).
3. If you are hit, power off immediately. The CheckDisc screen is a fake. You can still recover files from a booted CD or USB thumb drive.
Good night.
Thank you. Probably the Ukrainian MeDoc customers are affected after MeDoc itself was breached.
Create a file called C:\Windows\perfc (no extension, with any content or size).
Are you sure?
Some sources talk about a perfc.dat set to Read Only:
https://www.theregister.co.uk/2017/06/28/petya_notpetya_ransomware/
Creating the read-only file C:\Windows\perfc.dat on your computer prevents the file-scrambling part of NotPetya running, but doesn't stop it spreading on the network. Note, the software is designed to spread internally for less than an hour and then kicks in; it doesn't attempt to spread externally across the internet like WannaCry did.
jaclaz
Both ways are possible. %windir%\perfc is checked for existence; if it exists, the process of infection stops (quits). If you create the file %windir%\perfc.dat as read-only, the infection breaks, because the file cannot be written.
best regards,
Robin
Good ), thanks.
For the "better safe than sorry" series, possibly one can use both; they don't seem to be mutually exclusive …
jaclaz
This is what I suggested to my client, and it was done this morning. I am currently working for one of the major banks in Frankfurt and we started an emergency software rollout just for these two files. And we have patched (long ago), updated all antivirus products via push notice and blocked the four known C+C IP addresses tonight… and a lot of other measures.
Since psexec from Sysinternals/Microsoft was abused so often, we deployed a Software Restriction Policy for all Windows OS to prevent any execution of psexec.exe (by name and hash value). The next steps will be a very strict Execution Policy for PowerShell and WMI(C), but this needs some testing and might break some legitimate applications. Kicking PowerShell and WMI completely is the target.
best regards,
Robin
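An added example of rolling out the two files discussed above with PowerShell; it is not code from any poster in this thread, assumes the paths %windir%\perfc and %windir%\perfc.dat quoted in the replies, and must run from an elevated prompt:

```powershell
# Added example, not from any poster in this thread. Creates the two "vaccine"
# files discussed above: %windir%\perfc (checked for existence) and
# %windir%\perfc.dat (read-only, so the malware cannot write it).
$windir = $env:windir
$targets = @(
    @{ Path = Join-Path $windir 'perfc';     ReadOnly = $false }
    @{ Path = Join-Path $windir 'perfc.dat'; ReadOnly = $true  }
)
foreach ($t in $targets) {
    if (Test-Path -LiteralPath $t.Path -PathType Leaf) {
        Write-Output "already present: $($t.Path)"
    } else {
        # a zero-byte file is enough; content and size do not matter
        New-Item -Path $t.Path -ItemType File | Out-Null
        Write-Output "created: $($t.Path)"
    }
    if ($t.ReadOnly) {
        (Get-Item -LiteralPath $t.Path).IsReadOnly = $true
    }
}
# verify the attributes as the dropper would see them
$targets | ForEach-Object { Get-Item -LiteralPath $_.Path } |
    Select-Object FullName, Length, IsReadOnly
```

The script is idempotent, so it can be pushed repeatedly by a software-distribution job without clobbering files that are already in place.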
Comae & Kasp webinar about PetrWrap/NotPetya wiper not ransomware
https://
Yara rules
https://
Make sure to close SMB port 445
FYI
The following files are dropped by the malware
Ransomware DLL
C:\windows\perfc.dat
The malware decompresses its resource named 0x3 of type RT_RCDATA, and writes the contents to C:\Windows\dllhost.dat. Analysis of dllhost.dat shows that it is a copy of the PsExec utility, which is a telnet replacement that allows execution of processes on other systems.
C:\windows\dllhost.dat
Credential theft module
Written as a .tmp file to the temp directory
Ransomware splash and warning files
Command Line Execution
The malware is a DLL that is launched using rundll32.exe:
"C:\Windows\perfc.dat",#1 18 "username:pass" "username:pass"
Perfc.dat is the malware name. It is executed with the following arguments:
#1 → This is the ordinal number of the exported function
18 → Minutes used to determine how long to wait for the scheduled shutdown
"username:pass" → Credentials to be used to propagate the malware on the network.
https://
The execution chain leading to the ransomware installation is represented in the diagram below and essentially confirms that the EzVit.exe process from MEDoc, for unknown reasons, at some moment executed the following command line:
C:\Windows\system32\rundll32.exe "C:\ProgramData\perfc.dat",#1 30
https://
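An added detection example, not from any poster in this thread, that flags process-creation command lines matching the rundll32 launch pattern quoted above; the sample lines are constructed, and in practice the CommandLine field of Sysmon event 1 or Security event 4688 would be piped in:

```powershell
# Added example, not from any poster in this thread. Flags process-creation
# command lines that match the rundll32 launch pattern quoted above.
function Test-PerfcLaunch {
    param([Parameter(Mandatory)][string]$CommandLine)
    # the dropper's file name loaded by export ordinal, as quoted in the thread
    $byName = $CommandLine -match '\\perfc\.dat"?,#'
    # generic form: rundll32 <dll>,#1 <minutes> [...] regardless of the DLL name
    $byOrdinal = $CommandLine -match 'rundll32(\.exe)?\s+"?[^"]+"?,#1\s+\d+'
    $verdict = if ($byName) {
        'alert: perfc.dat loaded by ordinal'
    } elseif ($byOrdinal) {
        'review: DLL loaded by ordinal #1 with a delay argument'
    } else {
        'clean'
    }
    [pscustomobject]@{ Verdict = $verdict; CommandLine = $CommandLine }
}

# constructed sample lines: two from the thread's pattern, one look-alike, one benign
$sample = @(
    'C:\Windows\system32\rundll32.exe "C:\Windows\perfc.dat",#1 18 "user:pass" "user:pass"'
    'C:\Windows\system32\rundll32.exe "C:\ProgramData\perfc.dat",#1 30'
    'C:\Windows\system32\rundll32.exe "C:\Temp\x.dat",#1 45'
    'C:\Windows\system32\rundll32.exe shell32.dll,Control_RunDLL'
)
$sample | ForEach-Object { Test-PerfcLaunch -CommandLine $_ } | Format-Table -AutoSize
```

Matching on the ordinal-plus-delay shape as well as the file name keeps the rule useful if the dropper is renamed, at the cost of a review queue for legitimate rundll32 ordinal calls.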
"You can still recover files from a booted CD or USB thumb drive."
Do you mean that the files or the extensions are still as they were; ie. not changed nor crypted?
If you shut down immediately when you see the CheckDisc screen, yes, it's possible, as while you see this screen Petya encrypts the files in the background. Check the following blog post by MS under "Boot recovery options":
https://