A way has been found to locally stop the execution of the Petya ransomware virus, which has affected many computers in Russia and Ukraine. To do this, create a file without an extension named “perfc” in the Windows folder; the virus checks that this file is absent before it acts destructively. However, experts at Kaspersky Lab claimed that the networks were attacked by a different virus.
A guide to blocking the virus was published by cyber security specialist Alexander Litreyev on his Telegram channel.
The mechanism of the virus was described in detail by experts at Positive Technologies. TASS reports that the Petya virus, which became active the day before, affects the master boot record (MBR, the code needed to load the operating system) in the boot sector of the disk. The malware encrypts this record and replaces it with its own data. After getting into the system, the virus commands the computer to reboot in 1-2 hours, and after the reboot the malicious code runs instead of the operating system.
If you manage to run the command `bootrec /fixMbr` (which restores the MBR) before the reboot, it is possible to recover the operating system and start it, Positive Technologies noted. In this case the files will still be encrypted; decrypting them requires knowledge of a special key.
Encryption can be disabled locally by creating the file “C:\Windows\perfc”, the Positive Technologies experts say. Before replacing the MBR, the virus, when it has administrator privileges, checks that path for an empty file with no extension whose name matches the name of the Trojan's DLL file. If the virus finds such an empty file, its execution stops.
However, if the virus does not have administrator privileges, it will not be able to check for the empty file in the “C:\Windows” folder. In that case the file encryption process will still run, but without replacing the MBR and restarting the computer.
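The marker file described above can be created and checked with a short PowerShell function. This is an added example, not code from Positive Technologies or from the guide mentioned in the article; the function name `Set-PerfcMarker` is hypothetical, and setting the read-only attribute is an assumption that the article does not mention.

```powershell
# Added example: create the empty "perfc" marker file the article describes.
# Run from an elevated session, since writing to the Windows folder needs admin rights.
function Set-PerfcMarker {
    param(
        # Target folder; defaults to the Windows directory (C:\Windows on most systems).
        [string]$Directory = $env:windir
    )

    # File name with no extension, as the article specifies.
    $path = Join-Path -Path $Directory -ChildPath 'perfc'

    # A directory with this name is not the empty file the article describes.
    if (Test-Path -LiteralPath $path -PathType Container) {
        throw "$path exists but is a directory, not a file."
    }

    # Create the file only if it is missing, so the function is safe to re-run.
    if (-not (Test-Path -LiteralPath $path)) {
        New-Item -Path $path -ItemType File | Out-Null
    }

    $item = Get-Item -LiteralPath $path -Force

    # Assumption (not from the article): mark the file read-only so it is
    # not casually overwritten or deleted.
    $item.IsReadOnly = $true

    # Report the state so it can be logged or collected across a fleet.
    [pscustomobject]@{
        Path     = $item.FullName
        Length   = $item.Length
        IsEmpty  = ($item.Length -eq 0)
        ReadOnly = $item.IsReadOnly
    }
}

Set-PerfcMarker
```

An `IsEmpty` value of `False` means a non-empty file named perfc was already present and was left unchanged, which is worth investigating before relying on it.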
To avoid becoming a victim of such an attack, the experts recommend updating the Windows operating system and minimizing user privileges on workstations.
If infection has occurred, you should not pay the cyber criminals. “The e-mail address of the violators was blocked, and even if the ransom is paid, the key to decrypt the files will probably not be received,” Positive Technologies said.
On 27 June a ransomware virus, which locks access to data and demands money to unlock it, attacked dozens of companies and organizations in Russia and Ukraine and then spread around the world. As established by experts at Group-IB, a company specializing in computer security and cyber defence, the cause of the large-scale attacks on energy, telecommunications and financial companies in Ukraine and Russia was the Petya encryption virus, which prevents the system from booting, locks computers and demands a ransom.
According to preliminary estimates by Group-IB, the virus attacked nearly 80 companies, most of them Ukrainian. In Russia, “Rosneft”, “Bashneft”, Mars, Nivea and Mondelez International (maker of Alpen Gold chocolate) were attacked. The Bank of Russia also reported cyber attacks on Russian credit institutions, which did not lead to disruptions in the operation of the banks.