Petya Ransomware Patcher

Tuesday, June 27, 2017 @ 5:23 pm

I’ve created a simple patch which protects your computer from the Petya ransomware. This patch works because the ransomware checks to see if a certain file or files exist on the computer in order to avoid “re-infecting” it (credits to @0xAmit). Patch confirmed to work.

Download: PetyaPatcher.bat (right-click, save file as), or PetyaPatcher.zip if your firewall/antivirus freaks out

  1. Download the above file. If you downloaded the zip file, extract the .bat file from it before proceeding to the next step.
  2. Right-click on the PetyaPatcher.bat file you downloaded onto your computer and run it as administrator
  3. You should see the success message as shown in the screenshot above

(to undo the patch, download and run PetyaUnpatcher.bat (right-click, save file as), or PetyaUnpatcher.zip)

In addition to the above patch, I recommend following the same protection methods I mentioned in my Protection Against WannaCry Ransomware post.

How the Patch Works

What my patch does is create empty, harmless files with the names the ransomware looks for (perfc, perfc.dat, and perfc.dll in %windir%, where %windir% is usually C:\Windows\) and set them to read-only to prevent them from being written to. I went one step further and made the patch create backups of any existing files with those names, just in case they are valid files generated and used by other legitimate programs.

One could do this manually, but I figured a script would be more convenient especially if you want to patch more than one computer. An added benefit is that it is deploy-friendly, if any system admins are reading this.

Most people say you only need a perfc file (no extension), but I decided to also create .dat and .dll variations just to be complete.

Important note from @0xAmit: “If the ORIGINAL dll name is perfc.dll then windir\perfc will kill it. name.dll->windir\name.”

In other words, this patch will not protect your computer against new strains of Petya if they use different dll names.
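As an added example that is not part of the original post, here is a PowerShell version of the same patch that takes the file names as a parameter (so it can also cover a strain using a different DLL name, following the name.dll -> windir\name rule quoted above) and verifies the result afterwards. The Test-IsAdministrator helper, the parameter names and the verification step are my own additions; the backup naming matches the .bat above.

```powershell
# Added example: PowerShell equivalent of PetyaPatcher.bat with a verification step.
# Run from an elevated (administrator) session; %windir% is not writable otherwise.
# Default names are the three from the post; pass -Names to add others if a strain
# uses a different DLL name (name.dll -> %windir%\name, per @0xAmit's note).
param(
    [string[]]$Names = @('perfc', 'perfc.dat', 'perfc.dll'),
    [string]$WinDir = $env:windir
)

function Test-IsAdministrator {
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    return $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-IsAdministrator)) {
    Write-Error 'Run this from an elevated PowerShell session.'
    exit 1
}

foreach ($name in $Names) {
    $target = Join-Path $WinDir $name
    # Same backup naming as the .bat: perfc -> perfc-backup, perfc.dat -> perfc-backup.dat
    $base   = [IO.Path]::GetFileNameWithoutExtension($name)
    $ext    = [IO.Path]::GetExtension($name)
    $backup = Join-Path $WinDir "$base-backup$ext"

    if (Test-Path -LiteralPath $target) {
        # Keep a copy of anything already there (it may belong to a legitimate program).
        Copy-Item -LiteralPath $target -Destination $backup -Force
        Remove-Item -LiteralPath $target -Force   # -Force also removes a read-only file
    }

    # Zero-byte file: the ransomware only tests for existence, not content.
    New-Item -Path $target -ItemType File -Force | Out-Null
    (Get-Item -LiteralPath $target).IsReadOnly = $true
}

# Verify: every requested name must exist in %windir% and carry the ReadOnly attribute.
$missing = foreach ($name in $Names) {
    $f = Get-Item -LiteralPath (Join-Path $WinDir $name) -ErrorAction SilentlyContinue
    if (-not $f -or -not $f.IsReadOnly) { $name }
}
if ($missing) {
    Write-Error "ERROR: not protected; problem with: $($missing -join ', ')"
    exit 1
}
Write-Host "SUCCESS: killswitch files present and read-only in $WinDir"
```

Because it exits non-zero on failure, the script can be pushed out through a management tool and its exit code used to flag machines that were not patched.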

Why is this important?

The email account that the creator of the Petya ransomware set up to receive ransom payment confirmation from victims and to send decryption keys to victims who paid the $300 ransom was shut down by the provider (Posteo.de).

In other words: if you get infected by Petya, there is no way of receiving a decryption key even if you do pay the ransom.

Patch Source Code

I decided to write a batch script so that it could use the %windir% variable and so that the source code would be as transparent and readable as possible (i.e. not compiled).

Source code for my two files follows.

PetyaPatcher.bat

@echo off
REM Petya killswitch patcher: creates empty perfc, perfc.dat and perfc.dll in %windir%
REM (the files the ransomware looks for before running) and marks them read-only.
REM Must be run as administrator, since %windir% is not writable otherwise.
ECHO * Petya PATCHER by andryou (killswitch discovered by @0xAmit)
ECHO.
ECHO * Creating backup of any existing killswitch files...
REM Remove backups left by a previous run, then copy any existing files to *-backup.
if exist "%windir%\perfc-backup" del /F "%windir%\perfc-backup"
if exist "%windir%\perfc-backup.dat" del /F "%windir%\perfc-backup.dat"
if exist "%windir%\perfc-backup.dll" del /F "%windir%\perfc-backup.dll"
if exist "%windir%\perfc" copy /Y "%windir%\perfc" "%windir%\perfc-backup"
if exist "%windir%\perfc.dat" copy /Y "%windir%\perfc.dat" "%windir%\perfc-backup.dat"
if exist "%windir%\perfc.dll" copy /Y "%windir%\perfc.dll" "%windir%\perfc-backup.dll"
REM del /F also removes read-only files, so re-running the patch works.
if exist "%windir%\perfc" del /F "%windir%\perfc"
if exist "%windir%\perfc.dat" del /F "%windir%\perfc.dat"
if exist "%windir%\perfc.dll" del /F "%windir%\perfc.dll"
ECHO.
ECHO * Creating killswitch files (perfc, perfc.dat, and perfc.dll in %windir%)...
REM Zero-byte files: the ransomware only checks that they exist.
type nul>"%windir%\perfc"
type nul>"%windir%\perfc.dat"
type nul>"%windir%\perfc.dll"
REM Read-only attribute guards against accidental overwrites.
attrib +R "%windir%\perfc"
attrib +R "%windir%\perfc.dat"
attrib +R "%windir%\perfc.dll"
ECHO.
REM If the file could not be created, the script was almost certainly not elevated.
if exist "%windir%\perfc" ECHO * SUCCESS: computer now protected against Petya ransomware.
if not exist "%windir%\perfc" ECHO * ERROR: something went wrong. Please make sure you're running this as administrator.
ECHO.
pause

PetyaUnpatcher.bat

@echo off
REM Petya killswitch unpatcher: removes the empty perfc files created by PetyaPatcher.bat
REM and optionally restores the *-backup copies it made. Run as administrator.
ECHO * Petya UNPATCHER by andryou (killswitch discovered by @0xAmit)
ECHO.
ECHO * Deleting killswitch files (perfc, perfc.dat, and perfc.dll in %windir%)...
ECHO.
REM del /F is needed because the patcher marked these files read-only.
if exist "%windir%\perfc" del /F "%windir%\perfc"
if exist "%windir%\perfc.dat" del /F "%windir%\perfc.dat"
if exist "%windir%\perfc.dll" del /F "%windir%\perfc.dll"
ECHO * Checking if any backups exist...
if exist "%windir%\perfc-backup" goto askrestore
if exist "%windir%\perfc-backup.dat" goto askrestore
if exist "%windir%\perfc-backup.dll" goto askrestore
ECHO ** No backups found...
goto end
:askrestore
ECHO.
ECHO ** Backups of perfc, perfc.dat, or perfc.dll found.
REM Pressing ENTER leaves the variable unset, so anything other than "yes" skips the restore.
set /P confirmrestore="-- Type in "yes" if you want to restore them. If not just press ENTER: "
if /I "%confirmrestore%" neq "yes" goto end
ECHO.
REM Move each backup back to its original name.
if exist "%windir%\perfc-backup" move /Y "%windir%\perfc-backup" "%windir%\perfc"
if exist "%windir%\perfc-backup.dat" move /Y "%windir%\perfc-backup.dat" "%windir%\perfc.dat"
if exist "%windir%\perfc-backup.dll" move /Y "%windir%\perfc-backup.dll" "%windir%\perfc.dll"
ECHO.
ECHO * Backups successfully restored...
:end
ECHO.
ECHO * SUCCESS: patch against Petya ransomware removed.
ECHO.
pause