Amit Serfer, an Israeli researcher at Siibrizn Labs, discovered a method to block attacks of the Petya ransomware program that on Tuesday hit thousands of computers around the world, including in Israel, Ha’aretz reported on Wednesday.
Tuesday’s second major global ransomware attack in as many months crippled and held for ransom the computers of major firms including British multinational advertising and public relations company WPP, food company Mondelez, legal firm DLA Piper and Danish shipping and transport firm Maersk.
Researchers have reported that Petya not only encrypts specific files, but also encapsulates the computer boot sector (MBR), the part of the hard disk that’s loaded first when the computer is started. It includes information on the hard disk structure and is used to load the operating system.
Serfer discovered a way to prevent Petya from turning on and multiplying itself. “When the malicious software starts working, it checks whether in the past it ran the files, so as not to encrypt them twice,” he told Ha’aretz. “It looks for the name of the file without an extension in a Windows folder that turned it on (C:\windows\perfc).”
According to Serfer, if Petya finds the file, it concludes the computer has already been attacked and does not activate the encryption function.
Serfer sees his solution as an inoculation against the invading virus.
