Yesterday, new Petya ransomware hit Windows client machines and servers, spreading worldwide after initial infections in Ukraine. The attacks consist of the NotPetya, SortaPetya, and Petna variants of the original Petya malware that was discovered in 2016. This time, the malware family has been targetting the same Windows SMB vulnerability that was exploited by WannaCry.
According to analysis by CyberArk Labs, the new Petya variants appear not to affect Windows endpoints that are configured to use a US English-only keyboard. That leads researchers to believe that the new malware may have been developed by a nation state whose target is a specific country or set of countries. Still, Windows users and enterprises around the world should take the new threat seriously.
Thanks to Cybereason researcher Amit Serper, there's now a “vaccine” that can be applied to Windows machines that haven't yet been infected. Serper's discovery findings have been confirmed by TrustedSec, Emsisoft, and PT Security. Unlike the killswitch for WannaCry that was discovered by Marcus Hutchins, Serper's “vaccine” must be manually applied. He warns that his idea is merely a temporary fix.
When the new Petya variants get access to a victim's Windows partition, it looks for a file named “perfc.dll.” If the malware can't find a file with that name, it commences with its malicious encryption process. Lawrence Abrams has developed a batch file for performing Serper's fix, which should make performing it easier for remote administrators who must apply it to multiple Windows clients. It can be downloaded here.
Upon Serper's discovery, he received multiple job offers. “I'm very happy with working for Cybereason, please stop emailing me. Also, appreciate the praises but let's not go crazy. I'm not that good,” he said. In a later tweet, he added, “Thanks for all the kind words. This is a temporary fix, let's focus on patching, less on thanking me. Thanks again, I'm humbled.”