Israeli Amit Serper (Technion) from Cybereason discovers NotPetya Vaccination

Cybereason Principal Security Researcher Amit Serper discovered a work around solution that disables the NotPetya ransomware that wreaked havoc in Europe on Tuesday. To activate the vaccination mechanisms users must locate the C:\Windows\ folder and create a file named perfc, with no extension name. This should kill the application before it begins encrypting files.

When first run, the NotPetya ransomware searches for its own filename in the C:\windows\ folder, and if it is found, will cease operating. Once the original file name was found and verified by two different sources, Amit was able to piece together a kill switch that should work for any instance of the original ransomware infection.

Source cybereason

Cybereason, developers of the most effective Total Protection Platform including EDR & NGAV, today announced that it has made available a new version of RansomFree, its award-winning free anti-ransomware tool. RansomFree 2.3.0.0 detects and prevents NotPeyta ransomware from executing on computers. RansomFree is the world’s most widely used free anti-ransomware tool with more than 350,000 small business and consumer users.

NotPetya encrypts files only after the machine is rebooted – unlike most ransomware that encrypts files as soon as it executes. NotPetya spreads throughout the network, extracts admin credentials, and schedules a task to reboot the machine. As soon as a victim reboots their machine, NotPetya overwrites the Master Boot Record (MBR) with a malicious payload that encrypts the full disk.

In related news, Cybereason’s Principal Security Researcher Amit Serper discovered a vaccination for NotPeyta that prevents the ransomware from running on any computer on which it is activated.

Follow Serper’s discovery on Twitter: https://twitter.com/0xAmit. To activate the kill switch, users must locate the C:\Windows\ folder and create a file named perfc, with no extension name. This should kill the application before it begins encrypting any files.

Cybereason was the first cybersecurity company to develop a free anti-ransomware tool and it was made available in December, 2016. RansomFree stops more than 99 percent of ransomware variants from encrypting files. RansomFree uses behavioral and proprietary deception techniques to target the core behaviors typical in ransomware attacks. It is designed to block never-before-seen ransomware in order to protect organizations against emerging ransomware threats. Today, more than 350,000 small businesses and individuals are using RansomFree.

Founded in 2012 by Lior Div,Yossi Naar and Yonatan Striem-Amit, Cybereason recently announced an infusion of new capital of $100 million from SoftBank Corp. This new financing solidifies Cybereason as the leading cybersecurity startup changing the status quo in the security industry, with 500 percent growth in revenue in the past year.

About Cybereason
Cybereason is the leader in endpoint protection, offering endpoint detection and response, next-generation antivirus, and managed monitoring services. Founded by elite intelligence professionals born and bred in offense-first hunting, Cybereason gives enterprises the upper hand over cyber adversaries. The Cybereason platform is powered by a custom-built in-memory graph, the only truly automated hunting engine anywhere. It detects behavioral patterns across every endpoint and surfaces malicious operations in an exceptionally user-friendly interface. Cybereason is privately held and headquartered in Boston with offices in London, Tel Aviv, and Tokyo.