
Posted (edited)

Look at this approach at HardOCP: it only takes 30 seconds to immunize your PC by creating a simple file in C:\WINDOWS called perfc with NO extension.

https://www.hardocp.com/news/2017/06/28/petya_ass_there_killswitch_for_notpetya

HardOCP now states this does indeed work. You should make that file READ-ONLY as well.

Edited by BitMaster

Gigabyte Aorus X570S Master - Ryzen 5900X - Gskill 64GB 3200/CL14@3600/CL14 - Sapphire  Nitro+ 7800XT - 4x Samsung 980Pro 1TB - 1x Samsung 870 Evo 1TB - 1x SanDisc 120GB SSD - Heatkiller IV - MoRa3-360LT@9x120mm Noctua F12 - Corsair AXi-1200 - TiR5-Pro - Warthog Hotas - Saitek Combat Pedals - Asus XG27ACG QHD 180Hz - Corsair K70 RGB Pro - Win11 Pro/Linux - Phanteks Evolv-X 
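The "vaccine" file described in the post, done from PowerShell so it can be verified rather than clicked together in Explorer. This is an added example, not code from the thread or from HardOCP; it assumes an elevated PowerShell session (writing under C:\Windows needs admin) and takes the file name perfc, with no extension, straight from the post.

```powershell
# Added example (not from the thread or HardOCP): create the empty file
# %SystemRoot%\perfc with no extension, make it read-only, then verify it.
# Assumption: run as administrator, otherwise New-Item under C:\Windows is denied.
$vaccine = Join-Path $env:SystemRoot 'perfc'

if (-not (Test-Path -LiteralPath $vaccine)) {
    # Create an empty file. No content is needed; only the name matters.
    New-Item -Path $vaccine -ItemType File -Force | Out-Null
}

# Set the read-only attribute, as the follow-up in the post recommends.
Set-ItemProperty -LiteralPath $vaccine -Name IsReadOnly -Value $true

# Verify: the file exists, has no extension, and carries the ReadOnly attribute.
$item = Get-Item -LiteralPath $vaccine -Force
[pscustomobject]@{
    Path       = $item.FullName
    Extension  = if ($item.Extension) { $item.Extension } else { '(none)' }
    ReadOnly   = $item.IsReadOnly
    Attributes = $item.Attributes
}
```

Two practical caveats: Explorer hides known extensions by default, so a file that shows as "perfc" may really be perfc.txt and would not match, which is why the script prints the extension; and the read-only attribute only blocks an ordinary overwrite, so a process already running with admin rights can clear it. Treat the file as a stopgap, not as a substitute for patching.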

Posted

Do you know what the vector of this is? Email?

 

Good find.

PC:

 

6600K @ 4.5 GHz, 12GB RAM, GTX 970, 32" 2K monitor.

 

Posted (edited)

MeDoc accounting software is the source. They seem to have been hacked, and any company downloading the recent patches from MeDoc got infected with the initial "downloader" for the actual virus. Email, afaik, is not the primary way of spreading.

Since it uses EternalBlue in its code, it is very capable of spreading inside your LAN via SMB in various ways BEFORE it starts its destruction. Once it has (tried at least) spread internally, it starts to encrypt that PC after a forced reboot, disguised as a CheckDisk. Pull the plug if you see that happening.

As there is no killswitch as with WannaCry, it is still going strong as of now.

MeDoc is Ukrainian accounting software which every global company needs to have if they do business with Ukraine... and many companies use it around the globe; they have to, to file taxes afaik. MeDoc is a victim themselves, not the actual bad guy.

Some rumours blame it on NK as it is purely destructive. They will not make a single Bitcoin out of it, that is pretty clear and was never attempted, judging by the way it acts.

The Bitcoin thing is a disguise to hide its actual intention, that is very clear.

Edited by BitMaster

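The post says the worm spreads inside the LAN over SMB using EternalBlue before it reboots and encrypts. A quick local check of that SMB surface, as an added example that is not part of the thread: it assumes Windows 8.1 / Server 2012 R2 or newer (for the SmbShare and NetTCPIP modules) and an elevated session. EternalBlue targets SMBv1, so the script reports whether the SMBv1 server protocol is on and lists who is currently connected over SMB; turning SMBv1 off is general hardening that the post itself does not discuss.

```powershell
# Added example (not from the thread): inspect the local SMB attack surface that
# EternalBlue-based lateral movement relies on.
# Assumptions: Windows 8.1 / Server 2012 R2 or later, elevated PowerShell.
$cfg = Get-SmbServerConfiguration
if ($cfg.EnableSMB1Protocol) {
    Write-Warning 'SMBv1 is enabled on the server side; EternalBlue targets SMBv1.'
    # To turn it off (server-side setting, takes effect without a reboot):
    # Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
} else {
    Write-Host 'SMBv1 server protocol is disabled.'
}

# Inbound SMB sessions from other hosts. Spread over SMB inside the LAN shows up
# here as sessions from peers that have no business talking to this machine.
Get-SmbSession |
    Select-Object ClientComputerName, ClientUserName, Dialect, NumOpens, SecondsIdle

# Established TCP connections on the SMB port, whatever the dialect, with the
# owning process so an unexpected peer can be tied to a process on this host.
Get-NetTCPConnection -LocalPort 445 -State Established -ErrorAction SilentlyContinue |
    Select-Object RemoteAddress, RemotePort, OwningProcess
```

The session list is a point-in-time view, so run it on a few machines at once when hunting; the forced reboot and fake CheckDisk the post describes happen after the spreading phase, and by then the interesting sessions are gone.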
