A ‘killswitch' for NotPetya ransomware has been found by the research team at Positive Technologies.
Researchers explained that before overwriting the computer's Master Boot Record, the ransomware checks for the perfc file in the C:\Windows\ folder.
If that file is not present, the ransomware gets on with encrypting the computer. If it is, however, then the ransomware stops. The researchers reason that creating a file with the right name can halt the encryption in its tracks. All users need to do is create a perfc file in the C:\Windows folder and make it read only. Bleeping Computer's Lawrence Abrams has created a batch file to help with the fix.
Principle security researcher at Cybereason, Amit Serper also discovered this fix, dubbing it a vaccination, not a killswitch.
MalwareTech, the security researcher who did actually find the killswitch to WannaCry, last month's global ransomware attack of similar proportions, dumped cold water on the idea of a ‘killswitch'. He wrote in a post, “although some companies have claimed to have found a kill switch, this is nothing more than PR.”
For this to be a true killswitch, he wrote, you would have to be able to do it remotely. The solutions offered involve modifying files on your own system. Besides, added MalwareTech, “it's unlikely the Petya ransomware is still spreading and the damage has already been done, thus a kill-switch would be futile.”
Paul Burbage, a malware researcher at Flashpoint told SC that this piece of ransomware does not need internet connectivity to strangle its victims' endpoints, “meaning, compared to attacks such as WannaCry, there is no killswitch as there is no C2 check in. WannaCry had a hardcoded ‘killswitch - in which if a URL connection succeeded, the code exited and infection / worm propagation did not occur.”
@hackerfantastic has proposed merely turning off the computer during the encryption process, allowing the user to retrieve their files off-disk
If machine reboots and you see this message, power off immediately! This is the encryption process. If you do not power on, files are fine. pic.twitter.com/IqwzWdlrX6— Hacker Fantastic (@hackerfantastic) June 27, 2017