A read-only file in the Windows folder could immunise computers against the ransomware attack, researchers say.
Security researchers have chanced upon a workaround solution that they say disables the GoldenEye ransomware (also known as Petya or NotPetya) wreaking havoc on computers around the world, including the Cadbury chocolate factory in Tasmania.
According to a blog post by IT security firm Cybereason, its principal security researcher Amit Serper discovered that creating a file named "perfc", with no file extension, and placing it in the C:\windows\ folder stops the ransomware from running. The file has to be read-only for the method to work.
The ransomware searches for its own filename in the C:\windows\ folder, and if it is found, will cease running, according to security researchers.
Cybereason said that once the original file name was found and verified by two different sources, Serper was able to piece together a kill switch that should work for any instance of the original ransomware infection. While this does not stop the ransomware if it is already running, it will act as a vaccination, stopping it from ever trying to encrypt files.
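The vaccination described above, as an added PowerShell example that is not from the article or from Cybereason: it creates the extensionless read-only file and then verifies it. It assumes an elevated session and that the path is %SystemRoot%\perfc (C:\Windows\perfc on a default install).

```powershell
# Added example (not the article's or Cybereason's own code).
# Assumes an elevated PowerShell session: %SystemRoot% is writable only by administrators.
$VaccinePath = Join-Path $env:SystemRoot 'perfc'   # e.g. C:\Windows\perfc, deliberately no extension

function Install-PerfcVaccine {
    param([string]$Path = $VaccinePath)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        # The ransomware only checks for the file's existence, so an empty file is enough.
        New-Item -ItemType File -Path $Path -Force | Out-Null
    }

    # The article notes the file must be read-only for the method to work.
    Set-ItemProperty -LiteralPath $Path -Name IsReadOnly -Value $true
}

function Test-PerfcVaccine {
    # Returns an object suitable for collection by inventory or compliance tooling.
    param([string]$Path = $VaccinePath)

    if (-not (Test-Path -LiteralPath $Path -PathType Leaf)) {
        return [pscustomobject]@{ Path = $Path; Present = $false; ReadOnly = $false; Ok = $false }
    }

    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path     = $Path
        Present  = $true
        ReadOnly = $item.IsReadOnly
        # Ok only when the file is read-only AND has no extension, as the article specifies.
        Ok       = $item.IsReadOnly -and ($item.Extension -eq '')
    }
}

Install-PerfcVaccine
Test-PerfcVaccine | Format-List
```

Test-PerfcVaccine can be run on its own from existing endpoint management tooling to report which machines still lack the file or have it without the read-only attribute.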
While GoldenEye infects PCs around the world, Kroll Ontrack believed that some data may still be salvaged from infected computers without paying a ransom.
According to Phil Bridge, managing director for Western Europe, Data & Storage Technologies, at Kroll Ontrack, the malware does not encrypt all the files on your computer but instead attacks a part of the operating system called the Master File Table (MFT), an essential ‘index’ the computer system uses to locate files on the computer.
“Attacking one part of the system (the MFT) is much faster than targeting all the individual files but the result is as if each file had been locked separately,” he said.
He added that there is a method to decrypt the original GoldenEye ransomware, but one has not yet been released for the updated version. He said that “some data may still be salvaged from infected computers with the use of specialist data recovery techniques.”
What caused the GoldenEye outbreak?
Earlier, security researchers suggested that GoldenEye appeared to have initially infected machines via accounting software that companies use to link to the Ukrainian government, with huge swathes of that country's companies and government bodies wiped offline. While the country's Twitter feed made light of the situation, some of the shutdown was alarming — including Chernobyl radiation monitoring being done by hand.
Once in, GoldenEye then spreads via the EternalBlue vulnerability in Windows that has been patched — but given the carnage, it appears not everyone has updated. That was the same exploit used by the hackers behind the WannaCry ransomware that infected Victorian speed cameras and many other organisations around the globe — an exploit that was developed by the NSA but leaked in April.
“As far as the EternalBlue exploit, the worm code appears to heavily borrow from WannaCry, including taking advantage of the same EternalBlue exploit code to move around once it is inside the network,” said Allan Liska, intelligence architect at Recorded Future. “In addition to the EternalBlue exploit, the new attack appears to take advantage of WMIC for lateral movement. WMIC (Windows Management Instrumentation Command-line) is a command line tool that is used to execute system management commands on Windows.”
One difference from WannaCry is that this variant lacks an apparent “kill switch” of the kind that halted May's ransomware outbreak. “Some are comparing this to WannaCry 2.0 but this version does not have the ‘kill-switch’ that the original WannaCry did. Thus, we should not expect any oddity like that to slow this attack,” said Brian Hussey, VP of cyber threat detection and response at Trustwave.
This variant demands US$300 in Bitcoin payment from users of infected machines as ransom to unlock their data. However, the German email provider, Posteo, that runs the attackers' email account, has shut it down, so victims likely won't be getting their data decrypted.
To Nicholas Weaver, security researcher at the International Computer Science Institute, that suggests there may be more to GoldenEye. “I’m willing to say with at least moderate confidence that this was a deliberate, malicious, destructive attack or perhaps a test disguised as ransomware,” Weaver told KrebsonSecurity. “The best way to put it is that Petya’s payment infrastructure is a fecal theater.”
Matthew Hickley, co-founder of My HackerHouse, said if your computer does force a reboot and show the following screen, turn your PC off to halt the encryption process.