Killswitch Petya Ransomware
For End-users
In this article I will briefly describe how to implement a Killswitch to prevent Petya's Cryptolocker.
The Ransomware checks the presence of three files in the %SystemRoot% folder before infecting his target.
If found, it appears that he stops his process.
To prevent your computer to be hit from Petya Ransomware you will need to create those files to kill the execution process.
In the %SystemRoot% folder typically : C:\Windows\
Create 3 files named perfc , perfc.dat and perfc.dll
To achieve this you will first need to disable the "Hide extension for known file types" checkbox by opening the folder options in Windows Explorer
Create a new text (.txt) file with notepad, save it in C:\Windows and remove the txt extension
Copy this file twice and add the following extensions to the file : .dat & .dll
Your C:\Windows folder will look like this :
Those files needs to be in read-only mode , right click on each of them and check the box :
You will also need to install this KB of Microsoft to close the security hole used by WannaCry and Petya (SMBv1 Vulnerability)
https://technet.microsoft.com/en-us/library/security/ms17-010.aspx
For professionals
Same process as above but to avoid to do it manually to each end computer, you can implement a GPO in your Active Directory server to spread the creation of the three files in your domain.
Basically you will need to remote desktop one of your internal Domain Controllers and open the Group Policy Manager.
1) Create a remote share readable and reachable for all computers
For ex : \\servername\Share\NoPetya\
2) Create manually the 3 files (perfc, perfc.dat, perfc.dll) in this share
Check if the 3 files are in Read-only.
3) Create a new GPO for ex called "Cryptolocker prevention"
4A) Implement the following rule under COMPUTER => Preferences => Windows Settings => Files
Right click => New File
Actions : Create
Source Files : \\servername\Share\NoPetya\*.* or make 3 separate rules
Destination Folder : C:\Windows\
OR
4B) by using a Startup GPO with a batch File
Computer Configuration => Policies => Windows Settings => Scripts => Startup => copy batch file inside
With the following script where PATH is the source folder of the 3 files
Set PATH=\\%replace_with_yourdomainname%\SYSVOL\%replace_with_yourdomainname%\scripts\NoPetya
Copy /Y %PATH% C:\Windows
5) Link the GPO to the right computer OU or to the top of your domain.
Howto : https://www.petri.com/how-to-create-and-link-a-group-policy-object-in-active-directory
6) Wait after the GPO to apply or try a gpupdate/force (4A) in CMD or reboot the computer (4B).
Also you will need to install this HotFix https://technet.microsoft.com/en-us/library/security/ms17-010.aspx to all servers and computers (better to use WSUS Service to achieve this fast and easily).
Good luck.
Sources :
http://ransomwares.net/petya-ransomware-kill-switch/
https://blog.kaspersky.com/new-ransomware-epidemics/17314/
