Oscar Williams

News editor

NotPetya vaccine: 9 steps to protect your system from global malware attack

Since the NotPetya malware infiltrated Ukrainian utility companies yesterday, it has gone on to strike thousands of firms and individuals around the world.

The virus was originally mistaken for a well-known type of ransomware called Petya, but security researchers have since said it was only masquerading as Petya and is actually significantly more destructive.

Now, however, experts claim to have found a way of “vaccinating” computers against the malware to mitigate the impact of a strike.

Unlike the kill switch identified in last month’s WannaCry attack, the vaccine isn’t guaranteed to stop the spread of the virus, nor will it work if the virus is tweaked. But combined with a number of additional measures, it can reduce the risk of Windows users having their computers locked down and their files erased.

Mike McLellan of SecureWorks, a topflight cybersecurity firm, has shared exclusively with New Statesman Tech his nine tips for vaccinating your system:

  1. Install and update antivirus products – most vendors are pretty effective at spotting this ransomware now
  2. Disable SMBv1 – this was also the advice during the WannaCry outbreak
  3. Patch all operating systems, particularly to ensure that the Microsoft patch MS17-010, which prevents one of the propagation mechanisms, has been applied
  4. Create the file C:\Windows\perfc
    • Note that if the ransomware picks a different name, you would need to have created a file under that different name in the C:\Windows\ directory
  5. If possible add common but potentially unwanted tools like psexec to lists of blocked programs
    • This may not always be viable depending on how your organisation administers its networks
  6. Make some registry changes, again to make it harder for the ransomware to use some of its propagation capabilities:
    • Add a DWORD value to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa: TokenLeakDetectDelaySecs = 30
    • Change the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest = 0
  7. Disable the update mechanism for the MEDoc software, if the organization uses that software
  8. Block inbound/outbound SMB at network perimeters, to prevent spread
  9. If infected, disable scheduled tasks – this will prevent systems restarting as a result of the infection
    • Again, this is not viable as a generic defence because ordinarily organisations will make extensive use of scheduled tasks
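The host-level steps above (2, 4 and 6) can be applied and verified from an elevated PowerShell session. The script below is an added example written for this article, not McLellan's or SecureWorks' own tooling; it assumes a Windows 8 / Server 2012 or later host with the SMB cmdlets available, uses UseLogonCredential as the value name under the WDigest key the tip refers to, and adds a read-only attribute on the vaccine file that the tip itself does not mention.

```powershell
#Requires -RunAsAdministrator
# Added example: applies tips 2, 4 and 6 from the list above on one host
# and reports the resulting state. Test in a lab before wider rollout.
$ErrorActionPreference = 'Stop'

function Set-NotPetyaVaccine {
    # Tip 4: create C:\Windows\perfc. The ransomware checks for this name before
    # running; marking it read-only (an added precaution) makes it harder to clobber.
    $vaccine = Join-Path $env:SystemRoot 'perfc'
    if (-not (Test-Path -LiteralPath $vaccine)) {
        New-Item -ItemType File -Path $vaccine | Out-Null
    }
    Set-ItemProperty -LiteralPath $vaccine -Name IsReadOnly -Value $true

    # Tip 6a: delay credential token leak detection (DWORD = 30 under ...\Lsa).
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    New-ItemProperty -Path $lsa -Name TokenLeakDetectDelaySecs `
        -PropertyType DWord -Value 30 -Force | Out-Null

    # Tip 6b: the "wdigest = 0" tip is the UseLogonCredential value under the
    # WDigest key (value name assumed here; it stops WDigest caching plaintext creds).
    $wdigest = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest'
    if (-not (Test-Path -Path $wdigest)) { New-Item -Path $wdigest -Force | Out-Null }
    New-ItemProperty -Path $wdigest -Name UseLogonCredential `
        -PropertyType DWord -Value 0 -Force | Out-Null

    # Tip 2: disable the SMBv1 server protocol, the same advice given for WannaCry.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

    # Return the applied state so it can be checked or logged centrally.
    [pscustomobject]@{
        VaccineFile        = (Get-Item -LiteralPath $vaccine).Attributes
        TokenLeakDelaySecs = (Get-ItemProperty -Path $lsa).TokenLeakDetectDelaySecs
        UseLogonCredential = (Get-ItemProperty -Path $wdigest).UseLogonCredential
        SMB1Enabled        = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
}

Set-NotPetyaVaccine
```

The returned object should show a ReadOnly attribute on the file, 30 and 0 for the two registry values, and SMB1Enabled as False; anything else means a step did not take effect on that host.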

And that’s it…