New ransomware attack hits Europe

Ian

Administrator
Airlines, power stations, banks and other businesses have been hit by a new wave of "ransomware" attacks. Affected PCs will find that the operating system has been encrypted, with demands for a payment to unlock the system. Windows XP to Windows 10 PCs could be vulnerable, so be sure you have installed all current Windows updates and have anti-virus software installed.

This "Petya" cyber-attack has even caused problems at the infamous Chernobyl power station, meaning that radiation monitoring there is now being performed manually.

As usual, take care when opening e-mail attachments or other unfamiliar files. The best defence is having a fully patched operating system with AV software installed (even if it's Windows Defender).
 
It looks like you'll get an image like this upon booting if you have been infected:

[Image: screen shown at boot on an infected PC]


Turning your system off at this stage will prevent the encryption from completing, meaning that you can restore the data manually.

Thanks to https://twitter.com/hackerfantastic for the image.
 
Of course, you should already be patched against the exploits which the ransomware spreads with; NotPetya uses the same NSA exploits that WannaCry used last month to cause worldwide chaos.

However, it's still possible to receive NotPetya by email, malware dropper or malicious drive-by download. Therefore, it pays to take preventative measures:

In the Windows directory (usually C:\Windows\), create the following read-only files:

perfc
perfc.dat
perfc.dll

Source (external link, BleepingComputer)

If the presence of these files annoys you, set them to hidden.
These files are allegedly how the ransomware's poorly implemented anti-re-infection mechanism works, so by simply creating these read-only files, a potential infection of NotPetya will stop before delivering its payload (at least with the current strain of the ransomware).

There are now unconfirmed reports that a new variant of the ransomware places these files in %ProgramData%. This seems like a quick and dirty workaround to continue targeting those who have discovered the information above. So I'd recommend doing the same in this location too.

Last night, I used a Group Policy Preferences item to automatically deploy these files to all computers, but if you're not as lucky as me, you can always use a script or batch file.

- Capt. Jack Sparrow.
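One way to script the file creation described in the post above, as an added example (not code from the original post or from BleepingComputer). It assumes an elevated PowerShell session, and that $env:windir and $env:ProgramData resolve to the two locations the post mentions.

```powershell
# Added example: create the NotPetya "vaccine" files the post describes in
# both C:\Windows and %ProgramData%, mark them read-only, and optionally hide them.
# Assumption: run as Administrator, since writing to C:\Windows requires it.
$names = @('perfc', 'perfc.dat', 'perfc.dll')
$dirs  = @($env:windir, $env:ProgramData)
$hide  = $true   # set to $false if you prefer the files to stay visible

foreach ($dir in $dirs) {
    foreach ($name in $names) {
        $path = Join-Path $dir $name

        # Only create the file if it is missing; never overwrite something that is already there
        if (-not (Test-Path -LiteralPath $path)) {
            New-Item -Path $path -ItemType File | Out-Null
        }

        # -Force is needed so Get-Item can see the file once it has been hidden
        $item  = Get-Item -LiteralPath $path -Force
        $attrs = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
        if ($hide) {
            $attrs = $attrs -bor [System.IO.FileAttributes]::Hidden
        }
        $item.Attributes = $attrs
    }
}

# Verification step: list the files with their attributes so the deployment can be checked
Get-ChildItem -LiteralPath $dirs -Force |
    Where-Object { $names -contains $_.Name } |
    Select-Object FullName, Attributes, Length
```

The verification listing at the end should show each of the six paths with the ReadOnly (and, if enabled, Hidden) attribute set; running the script a second time is harmless, since existing files are left in place.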
 