Cybersecurity researcher finds 'vaccine' for global cyberattack

By Andrew V. Pestano  |  June 28, 2017 at 7:31 AM
share with facebook
share with twitter

June 28 (UPI) -- A cybersecurity researcher said he found a way to disable the so-called "Petya," also known as "NotPetya," ransomware that shut down computers worldwide Tuesday.

Cybereason principal security researcher Amit Serper said the "vaccine" works on Microsoft's Windows operating system.

The ransomware cyberattack on Tuesday targeted thousands of government and private corporate servers across the globe -- demanding a $300 ransom paid in Bitcoin to release the encryption imposed by the virus that prevents users from accessing their devices.

Ransomware attacks involve malicious software that targets and blocks a user's computer data and effectively holds it hostage until money is paid for its release.

"To activate the vaccination mechanisms, users must locate the C:\Windows\ folder and create a file named perfc, with no extension name. This should kill the application before it begins encrypting files," Cybereason said in a statement. "When first run, the NotPetya ransomware searches for its own filename in the C:\windows\ folder, and if it is found, will cease operating. Once the original file name was found and verified by two different sources, Amit was able to piece together a kill switch that should work for any instance of the original ransomware infection."

Though the "vaccine" protects individual computers on which the "perfc" file is placed, cybersecurity researchers have not yet found a so-called "kill switch" that would prevent the ransomware from infecting other computers.

The malware is widely referred to as "Petya" because it shared a significant amount of code with an older ransomware called "Petya" but researchers later found that the similarities between the recent and previous malwares were superficial. There is no known official name for the current malware. Cybersecurity firms have since renamed the malware. For example, Russia's Kaspersky Lab redubbed the malware NotPetya, which seems to be the second-most popular name, while Romania's Bitdefender named it Goldeneye.

Ukraine's central bank, the Rosneft Russian oil company, the WPP British advertising company and the DLA Piper U.S. law firm were among victims of the ransomware attack.

"Our advanced-warning system detected suspicious activity on our network, which, based on our investigation to date, appears to be related to the global cyber event known as 'Petya.' Our IT team acted quickly to prevent the spread of the suspected malware and to protect our systems," DLA Piper said in a statement.

Related UPI Stories
Trending Stories