Home Guides Perfc.dat file makes Windows immune to Petya/NotPetya ransomware

Perfc.dat file makes Windows immune to Petya/NotPetya ransomware

2 min read
Researchers have found a way to protect a Windows computer against the current outbreak of the revamped Petya ransomware using the ‘perfc’ file trigger.

A new massive ransomware distribution wave, which took root as of June 28, is instilling fear with its top-notch proliferation tactics and devastating effect on compromised computers. This time, it’s a virus called Petya to blame for such an apprehension. While there are ongoing speculations in the security community about considerable deviations of this infection’s code from its one-year-old prototype, the modus operandi and user interaction modules suggest that it’s most likely a heavily remade edition of Petya.

One way or another, numerous organizations, mostly ones based in Ukraine, have been hit within a span of just one day, and officials are still at their wit’s end trying to sort things out. Furthermore, this onslaught could well be a politically motivated move of Russian intelligence agencies aimed at disrupting the activity of its neighboring country’s businesses and critical infrastructure. For the record, the ransomware has also made a small number of victims in other European countries, including France and Spain. The Ukrainian incidents were reportedly backed by a booby-trapped update of the M.E.Doc accounting software.

Lock screen shown on Petya-infected computers
Lock screen shown on Petya-infected computers

This particular spinoff of Petya (also referred to as NotPetya, PetrWrap, PetyaWrap, Petna, SortaPetya, or ExPetr) does much more damage than classic ransomware strains. Instead of encrypting important files and holding them for ransom, it scrambles a target host’s MBR (Master Boot Record) and MFT (Master File Table). Consequently, victims end up unable to boot their machines. What they see when trying to start their computers is a scary lock screen that demands $300 worth of Bitcoin. The alleged recovery process involves a specific email address – wowsmith123456@posteo.net – to which infected users are supposed to submit their personal ID along with payment transaction details. When the Posteo email provider suspended this account on Tuesday in light of the incident, everyone thought that move would make it impossible to restore access to computers even for those who paid the ransom. However, later on it became apparent that there is absolutely no way to fix the problem, whether you pay or not. This fact suggests that the new Petya virus was designed for pure destruction rather than financial gain. It’s more of a warfare than an extortion instrument.

Perfc file created in Windows folder
Perfc file created in Windows folder

The good news is, security analysts discovered a weakness in the way this ransomware operates. According to their findings, the malicious code uses a specific file as a trigger to continue the attack after it has gotten inside. Specifically, it only moves on with the compromise if it fails to locate a file named “perfc” under a predefined directory on the machine. The threat actors’ motivation for setting up this file hallmark for their campaign is not clear at this point. Anyway, by creating a read-only “perfc” file inside C:\Windows folder, users should be safe from the Petya baddie, at least its current version. So follow the steps below to steer clear of this nasty program.

Create Perfc file to prevent Petya ransomware attack

1. For a start, make sure the Hide extensions for known file types feature is disabled in your system. So open up My Computer (or This PC) folder, go to Tools (or View) and select Folder Options. If the Hide extensions for known file types option is turned on, remove the checkmark in the box next to this entry. Hit Apply
Unhide extensions for known file types

2. Now open C:\Windows folder and locate the notepad.exe item in itFind notepad.exe under C:\Windows

3. Highlight the notepad.exe entry, press Ctrl+C and then press Ctrl+V. By doing so, you will paste a copy of this item into the same folder. Windows will display a Destination Folder Access Denied dialog during this process. Click Continue on it
Click ‘Continue’ on ‘Destination Folder Access Denied’ dialog

4. Now you will see an entry named notepad – Copy.exe in the Windows directory. Left-click on it, press F2 key and rename this file to perfc
Rename 'notepad – Copy.exe' to 'perfc'

5. Hit Enter. The system will display another dialog box titled Rename asking if you are sure you want to change the file name extension. Go ahead and click Yes
File name extension change alert

6. A File Access Denied alert will now appear. Select Continue on itSelect 'Continue' on 'File Access Denied' popup

7. Now right-click on the perfc file you have just created. Select Properties in the context menu. When the perfc Properties dialog pops up, put a checkmark next to the Read-only option to enable it
Make perfc read-only

8. Hit the Apply, then OK button to make perfc file read-only. The manipulations above should suffice to make your PC immune to the Petya ransomware. Some analysts additionally recommend that users also create two more files (perfc.dat and perfc.dll) under C:\Windows. You can follow the procedure above to create these files as well.

Make doubly sure you are protected from Petya virus

Although the overall Petya detection rate was quite low when it began spreading, some of the more reliable security suites were able to identify the threat and block it. By downloading and launching the antimalware solution below, you can rest assured ransomware like this will be stopped in its tracks before it can do any damage.

Download Petya ransomware removal tool

Leave a Reply

Your email address will not be published. Required fields are marked *