Security researcher creates ‘vaccine’ against ransomware attack

Petya ransomware

Avaccination for the global cyber attack that infected thousands of machines in dozens of countries has been discovered by an American security researcher.

The simple antidote to the Petya ransomware, which stops computers from being able to launch and demands a $300 (£234) payment, uses an empty folder to block the virus from working.

It could prevent further companies from falling victim to the attack that hit the Ukrainian National Bank, advertising giant WPP and US law firm DLA Piper. In total the incident affected 12,500 machines in 64 countries, according to Microsoft.

The fix is reminiscent of the “kill switch” for the WannaCry attack earlier this year that stopped the rapidly spreading virus after it had already infected more than 200,000 machines. But it can’t stop the Petya ransomware from spreading to more computers.

About | Ransomware

What is ransomware?Malicious software that locks a device, such as a computer, tablet or smartphone and then demands a ransom to unlock it

Where did ransomware originate?The first documented case appeared in 2005 in the United States, but quickly spread around the world

How does it affect a computer?The software is normally contained within an attachment to an email that masquerades as something innocent. Once opened it encrypts the hard drive, making it impossible to access or retrieve anything stored on there – such as photographs, documents or music

How can you protect yourself?Anti-virus software can protect your machine, although cybercriminals are constantly working on new ways to override such protection

How much are victims expected to pay?The ransom demanded varies. Victims of a 2014 attack in the UK were charged £500. However, there’s no guarantee that paying will get your data back

Unlike the WannaCry kill switch, discovered by 22-year-old self-taught Marcus Hutchins, the Petya antidote must be manually downloaded onto computers ahead of their being affected.

Amit Serper, the security researcher from Boston who discovered the solution, warned that it is probably a “temporary fix” rather than a tool to stop the problem completely.

Serper found the solution to the problem working with a UK-based cyber expert who goes by the name of Hacker Fantastic. Serper was on holiday with his family in Israel when the problem started.

When the Petya ransomware infects a machine it searches for a folder called “perfc.dll”. If it can’t find the folder it takes hold of the computer, locking files and part of the hard drive. In the event that it finds the file the ransomware is not able to work.

Following his discovery, Serper was inundated with messages of praise and some job offers. He eventually turned off notifications for people he doesn’t follow on Twitter and said he didn’t want a new job.

“I’m very happy with working for Cyber Reason, please stop emailing me. Also, appreciate the praises but let’s not go crazy. I’m not that good,” said Serper.

In a follow-up tweet he added: “Thanks for all the kind words. This is a temporary fix, let’s focus on patching, less on thanking me. Thanks again, I’m humbled.”

A kill switch for Petya appeared to be less pressing than it was for WannaCry as the former doesn’t spread in the same rapid way.

“There is low risk of new infections more than one hour after the attack,” Hutchins said.

Petya cyber attack: Ransomware spreads across Europe


The attack could have infected computers in the first instance through a flaw in accounting software, according to Cisco.

It is not clear who is behind the attack, which appeared to inflict most damage in Ukraine, but research indicates it could have been a nation state assault.

“Based on initial analysis by CyberArk Labs, what we know now is that NotPetya is different from WannaCry in that it appears to be sparing endpoints that use a US English-only keyboard. This seemingly self-imposed restriction has been seen in nation state attacks,” said

Companies in more than a dozen countries were affected by the ransomware, including the UK, US, Ukraine, Russia, Italy, Germany, France, Japan and China.

The first incident appeared in Kiev before spreading across Ukraine and Russia. At the time of writing there hadn’t been any new instances of the infection but computer systems remained crippled.