We’ve been keeping a close eye on this throughout the day, and have come up with a package that could possibly prevent NotPetya infection. No, this isn’t a guarantee, and while it’s been confirmed by reliable sources (Amit Serper, Hacker Fantastic, Reddit’s /r/netsec), that doesn’t really mean it’s a sure thing, magic bullet, safe unicorn.
From what we’ve been able to gather from the sources above, the NotPetya ransomware looks for a file named perfc in the C:\Windows directory (matching the wildcard perfc.*) when installing itself, and does not proceed if that file already exists.
Note: you can also create perfc.dll, perfc.dat, perfc.bin, etc., if you want to be super thorough, but no evidence suggests this provides any added benefit.
Warning: We have not tested this proposed immunization or tested the veracity of any of the statements or claims made by any of the agents above or any other source. Use this at your own risk, as the instructions here are provided as-is.
Even with machines that are fully patched, one compromised machine can infect all machines. NotPetya can spread via WMI and PsExec (which it installs) rather than through SMBv1. Speaking of…
It’s also important to note that EternalBlue (the WannaCrypt vector) is only one attack vector closed by patching. NotPetya uses several attack vectors (WMI, PsExec), most of which have no patch at the time of this blog. Again, one infected machine can infect all your perfectly patched machines.
And one other important note, mostly theory/rumor at this point: when NotPetya runs PsExec, it does so using the -c switch to install/run in ADMIN$, since that share almost always exists on remote systems.
Now, to potentially immunize your systems against NotPetya, here’s a handy package you can make using PDQ Deploy.
1. Open PDQ Deploy, select New Package and name the package something meaningful.
2. Create a New Step > Command.
3. In the Command step, add the following to the Command field*:
You should end up with a Command step that looks like this:
5. Save the package and test.
6. Deploy the package to all machines that could potentially be infected.
*There has been some speculation that perfc needs an extension and must be set to read-only. Neither of these seems to be required, but since it doesn’t hurt, why not?
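For anyone who wants to script the same immunization (or verify it after a deployment) without PDQ Deploy, here is a PowerShell version. This is an added example, not the command from the PDQ Deploy package above: it creates the plain perfc file the post relies on, optionally the extra names from the note (those extra names are an assumption based on the note, not something the post says is needed), marks them read-only, and returns a non-zero exit code if the plain perfc file is missing or not read-only. It must run elevated, and it assumes the target is $env:SystemRoot (normally C:\Windows).

```powershell
# Added example (not PDQ's own package command): create the NotPetya "vaccine" file(s)
# in the Windows directory, mark them read-only, then verify. Run elevated.
# Assumption: the target directory is $env:SystemRoot (normally C:\Windows).
# Assumption: the extra extensions come from the post's "if you want to be super thorough" note.

$targetDir = $env:SystemRoot
$names     = @('perfc', 'perfc.dat', 'perfc.dll')   # plain 'perfc' is the one that matters

foreach ($name in $names) {
    $path = Join-Path -Path $targetDir -ChildPath $name
    if (-not (Test-Path -LiteralPath $path)) {
        # The check is for existence only, so an empty file is enough
        New-Item -Path $path -ItemType File -Force | Out-Null
    }
    # Read-only makes accidental deletion or overwrite by a normal user harder
    Set-ItemProperty -LiteralPath $path -Name IsReadOnly -Value $true
}

# Report what is now in place, so a deployment log shows the result
Get-ChildItem -LiteralPath $targetDir -Filter 'perfc*' -File |
    Select-Object Name, Length, IsReadOnly, LastWriteTime |
    Format-Table -AutoSize

# Verification: fail the step if the plain perfc file is absent or not read-only
$perfc = Get-Item -LiteralPath (Join-Path -Path $targetDir -ChildPath 'perfc') -ErrorAction SilentlyContinue
if (-not $perfc -or -not $perfc.IsReadOnly) {
    Write-Error "perfc immunization file is missing or not read-only in $targetDir"
    exit 1
}
exit 0
```

Saved as a .ps1, this can be run from a Command step via powershell.exe -ExecutionPolicy Bypass -File, and the exit code tells PDQ Deploy (or any other deployment tool) whether the step succeeded. Because the script checks before creating, it is safe to re-run on machines that were already immunized.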
And that’s it.
Watch this video to see the process in action
Invented in the late 1900s, Brigg was an early utilizer of technology one finds in museums. After conquering Canada, he schlepped out technical support for Windows 95 & 98 while learning non-Windows systems. After a series of SysAdmin jobs spanning near-decades, his fossilized remains landed at PDQ, where he has served on occasion as a "resident expert" and deranged webcast personality on PDQ that airs each Thursday on YouTube. Brigg currently resides in Salt Lake with a fish and a plant. He holds a license to practice Active Directory and is board certified in the DNS arts.