Friday, June 30, 2017

Latest cryptolocker outbreak

As if the latest crypto ransomware outbreak of NotPetya isn't bad enough, the operator of the e-mail service that the scammer was using for communications (posteo.net) has, in what can only be described as a moment of blinding stupidity, shut down the e-mail account he was using.

Yes, no doubt it follows their standard procedures, and I realise that they don't want their platform being used for illegal activity.  But you're fucking morons.  Now anyone who gets infected has zero way of decrypting their PC, because they can't communicate with the scumbag to retrieve their decryption key!

Would it have killed them to act like a responsible netizen, and maybe reach out to law enforcement to offer whatever assistance they could in tracking down whoever was accessing the account?  Nope, fuck everyone, let's just delete it.  Cretins.

The only good news about this is very much hidden inside some further bad news.  Apparently unlike the recent Petya outbreak, NotPetya doesn't generate a valid encryption key - so there's no way of returning a decryption key either.   If correct, there's no point in paying the ransom, because you're just setting fire to money.

Oh yeah - just for fun, it scrubs the MBR too.  Time to reach for the install disk.

What is good news is that the NotPetya installer looks for a certain file on the PC to determine if it's been infected yet, and if it finds that, it aborts.  So while it isn't possible to disinfect a PC, it is possible to immunize one against infection.  Suggest that everyone do so immediately; the batch file linked to on the page is safe.

Here's the code for the enthusiasts:

@echo off

REM Administrative check from here: https://stackoverflow.com/questions/4051883/batch-script-how-to-check-for-admin-rights
REM Vaccination discovered by twitter.com/0xAmit/status/879778335286452224
REM Batch file created by Lawrence Abrams of BleepingComputer.com. @bleepincomputer @lawrenceabrams

echo Administrative permissions required. Detecting permissions...
echo.

REM "net session" only succeeds in an elevated prompt, so its exit code tells us whether we are Administrator.
net session >nul 2>&1

if %errorLevel% == 0 (
    if exist C:\Windows\perfc (
        echo Computer already vaccinated for NotPetya/Petya/Petna/SortaPetya.
        echo.
    ) else (
        REM Create the marker files the malware checks for before it runs.
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dll
        echo This is a NotPetya/Petya/Petna/SortaPetya Vaccination file. Do not remove as it protects you from being encrypted by Petya. > C:\Windows\perfc.dat

        REM Mark them read-only so they are not casually deleted or overwritten.
        attrib +R C:\Windows\perfc
        attrib +R C:\Windows\perfc.dll
        attrib +R C:\Windows\perfc.dat

        echo Computer vaccinated for current version of NotPetya/Petya/Petna/SortaPetya.
        echo.
    )
) else (
    echo Failure: You must run this batch file as Administrator.
)

pause
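For anyone who wants to confirm the vaccine is actually in place (on one box or across a fleet) without re-running the batch file, here is an added audit script of my own; it is not part of the original post and not BleepingComputer's code. The file names and the read-only attribute are taken from the batch file above; the function name, the default of $env:SystemRoot (which is C:\Windows on a standard install, matching the hardcoded path in the batch file) and the output shape are my own choices.

```powershell
# Added example: report whether the NotPetya "vaccine" marker files exist and are
# read-only. Checks only; it does not create or modify anything.
function Test-NotPetyaVaccine {
    [CmdletBinding()]
    param(
        # Directory the marker files live in. Defaults to the Windows directory
        # (assumption: same as the C:\Windows path used by the batch file).
        [string]$WindowsDir = $env:SystemRoot
    )

    # File names created by the batch file above.
    $names = @('perfc', 'perfc.dll', 'perfc.dat')

    foreach ($name in $names) {
        $path = Join-Path -Path $WindowsDir -ChildPath $name
        $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue

        [pscustomobject]@{
            Path     = $path
            Exists   = [bool]$item
            # attrib +R sets the ReadOnly attribute; check it is still present.
            ReadOnly = if ($item) {
                [bool]($item.Attributes -band [IO.FileAttributes]::ReadOnly)
            } else {
                $false
            }
        }
    }
}

$report = Test-NotPetyaVaccine
$report | Format-Table -AutoSize

if ($report | Where-Object { -not $_.Exists -or -not $_.ReadOnly }) {
    Write-Warning 'Vaccine incomplete: run the batch file above as Administrator.'
} else {
    Write-Host 'All vaccine marker files present and read-only.'
}
```

Run it from any PowerShell prompt (elevation is not needed just to read the attributes). A missing file or a cleared read-only bit is flagged, which is the case worth catching, since a later cleanup job or imaging step can silently remove the markers and leave the machine unprotected.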