Application security, Malware, Patch/Configuration Management, Ransomware, Threat Management, Vulnerability Management

NotPetya: Researchers find ‘kill switch’, then clash over naming

A ‘killswitch' for NotPetya ransomware  has been found by the research team at Positive Technologies.

Researchers explained that before overwriting the computer's Master Boot Record, the ransomware checks for the perfc file in the C:Windows folder.

If that file is not present, the ransomware gets on with encrypting the computer. If it is, however, then the ransomware stops. The researchers reason that creating a file with the right name can halt the encryption in its tracks. All users need to do is create a perfc file in the C:Windows folder and make it read only. Bleeping Computer's Lawrence Abrams has created a batch file to help with the fix.

Principle security researcher at Cybereason, Amit Serper also discovered this fix, dubbing it a vaccination, not a killswitch.

MalwareTech, the security researcher who did actually find the killswitch to WannaCry, last month's global ransomware attack of similar proportions, dumped cold water on the idea of a ‘killswitch'. He wrote in a post, “although some companies have claimed to have found a kill switch, this is nothing more than PR.”

For this to be a true killswitch, he wrote, you would have to be able to do it remotely. The solutions offered involve modifying files on your own system. Besides, added MalwareTech, “it's unlikely the Petya ransomware is still spreading and the damage has already been done, thus a kill-switch would be futile.”

Paul Burbage, a malware researcher at Flashpoint told SC that this piece of ransomware does not need internet connectivity to strangle its victims' endpoints, “meaning, compared to attacks such as WannaCry, there is no killswitch as there is no C2 check in. WannaCry had a hardcoded ‘killswitch - in which if a URL connection succeeded, the code exited and infection / worm propagation did not occur.”

@hackerfantastic has proposed merely turning off the computer during the encryption process, allowing the user to retrieve their files off-disk

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.