As we and everyone else predicted, a variant of the WannaCry/WannCrypt has been released into the wild: NotPetya (early virus scans marked it as last year’s Petya, but it’s not).
We’ve been keeping a close eye on this throughout the day, and have come up with a package that could possibly prevent NotPetya infection. No, this isn’t a guarantee, and while it’s been confirmed by reliable sources (Amit Serper, Hacker Fantastic, Reddit’s /r/netsec), that doesn’t really mean it’s a sure thing, magic bullet, safe unicorn.
From what we’ve been able to gather from the sources above, the NotPetya ransomware looks for a file called perfc in the C:\Windows directory using a wildcard, perfc.* when installing itself. Note: you can create a perfc.dll, perfc.dat, and perfc.bin, etc. if you want to be super thorough, but no evidence suggests this provides any added benefit.
We have not tested this proposed immunization or tested the veracity of any of the statements or claims made by any of the agents above or any other source. Use this at your own risk, as the instructions here are provided as-is.
- Even with machines that are fully patched, one compromised machine can infect all machines. NotPetya can spread via WMI and PsExec (which it installs) rather than through SMBv1. Speaking of…
- It’s also important to note the EnternalBlue (WannaCrypt) is only one attack vector closed by MS17-010. NotPetya uses several attack vectors (WMI, PsExec), most of which have no patch at the time of this blog. Again, one infected machine can infect all your perfectly patched machines.
- And one other important note, mostly theory/rumor at this point, when NotPetya runs PsExec it does so using the -c switch to install/run in ADMIN$, since that directory almost always exists on remote systems.
Now, to potentially immunize your systems against NotPetya, here’s a handy package you can make using PDQ Deploy.
NotPetya Mitigation Package
- Open PDQ Deploy, select New Package and name the package something meaningful.
- Create a New Step > Command.
- In the Command step, add the following to the Command field*:
copy /B NUL C:\windows\perfc & attrib +R c:\windows\perfc copy /B NUL C:\windows\perfc.dll & attrib +R c:\windows\perfc.dll copy /B NUL C:\windows\perfc.dat & attrib +R c:\windows\perfc.dat
- You should end up with a Command step that looks like this:
- Save the package and test.
- Deploy the package to all machines that could potentially be infected.
*There has been some speculation perfc needs an extension and be set to read-only. Neither of these seem to be required, but since it doesn’t hurt, why not?
And that’s it.
Watch this video to see the process in action