The Windows Club

TheWindowsClub covers authentic Windows 11, Windows 10 tips, tutorials, how-to's, features, freeware. Created by Anand Khanse, MVP.

This NotPetya Ransomware vaccination will stop the latest ransomware in its tracks

Download Windows Speedup Tool to fix errors and make PC run faster

A Kill Switch or Vaccination for the Petrwrap or NoPetya or NotPetya Ransomware has been found that can stop the ransomware in its tracks and save your computer from being infected. The NotPetya Ransomware has already created havoc in most parts of the world.

NotPetya Ransomware vaccination

NotPetya uses the EternalBlue vulnerability (WannaCry technique) that infects computers using SMBv1. It also uses Windows WMIC and PSExec processes. If the WannaCry vulnerability is patched on your system, it uses PsExec or LSADUMP and the Windows Management Interface to spread.

The ransomware is capable of attacking and infecting all Windows systems. It overwrites the Master Boot Record and on reboot, infects the computer blocking access to it. Once it hacks your computer, it demands a ransom amount of $300 in Bitcoin.

If your computer reboots and you see this ‘false check disk’ message, power off immediately!

This is the NotPetya encryption process taking place. If you power off immediately or do not power on, your data will remain safe.

If the encryption process is allowed to continue, you will lose your data to theis ransomware!

There are however some basic precautions you can take, and they are:

  1. Install all Windows patches
  2. Block SMB1 across your network
  3. Disable default ADMIN$ accounts and communication to Admin$ shares
  4. Use a tool like MBR filter to block write access to the Master Boot Record

More details about how this ransomware operates can be found on Cybereason.com.

NotPetya Ransomware Vaccination

Cybereason Principal Security Researcher Amit Serper tweeted that he has discovered a vaccination that stops NotPetya ransomware in its tracks.

NotPetya Ransomware Kill Switch

To activate the vaccination mechanism you have to create a file named perfc, with no extension and place it in the C:\Windows\ folder.

When NotPetya ransomware runs, it searches for this file in the C:\Windows\ folder, and if it is found, it ceases its operation.

UPDATE: Eset recommends that you create three blank files with the following filenames and extensions:

  1. C:\Windows\perfc
  2. C:\Windows\perfc.dat
  3. C:\Windows\perfc.dll

Ransomware attacks are on the rise, and all computers users need to take some basic precautions to secure their systems. One can also consider some free anti-ransomware software like RansomFree as an additional security layer.

You might want to also check out CyberGhost Immunizer.

AnandK@TWC

Anand Khanse is the Admin of TheWindowsClub.com, a 10-year Microsoft MVP (2006-16) & a Windows Insider MVP (2016-2022). Please read the entire post & the comments first, create a System Restore Point before making any changes to your system & be careful about any 3rd-party offers while installing freeware.