PoshTip #52 – Mitigate Possible Risk of Petya Ransomware

PowerShell can help you to protect against Petya Ransomware by creating the perfc file automatically.

PS > New-Item C:\Windows\perfc -Type File -Force


    Directory: C:\Windows


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       07/02/2017     15:31              0 perfc


PS > "Do not remove this file" | Out-File -Append "C:\Windows\perfc"
PS > Set-ItemProperty C:\Windows\perfc -name IsReadOnly -value $true

Output:

 

 

Please perform the same steps for perfc.dll and perfc.dat:

PS > New-Item C:\Windows\perfc.dat -Type File -Force


    Directory: C:\Windows


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       07/02/2017     15:41              0 perfc.dat


PS > New-Item C:\Windows\perfc.dll -Type File -Force


    Directory: C:\Windows


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       07/02/2017     15:42              0 perfc.dll

Check if “perfc” file has been created:

PS > Get-Item C:\Windows\perfc | fl *

Output:

You also can use this full script to patch your computers.

Recommendations

Microsoft recommends to customers that have not yet installed security update MS17-010 to do so as soon as possible. Until you can apply the patch, they also recommend two possible workarounds to reduce the attack surface:

 

Thanks for reading! You can follow me on Twitter @PrigentNico

About Nicolas 279 Articles
I work as an IT Production Manager, based in Paris (France) with a primary focus on Microsoft technologies. I have 10 years experience in administering Windows Servers. . I am a Microsoft MVP for Cloud & Datacenter Management. I also received the PowerShell Hero 2016 award by PowerShell.0rg. And finally, I am "MCSE: Cloud Platform and Infrastructure", "MCSA: Windows Servers", "Administering & Deploying SCCM", and CheckPoint CCSA certified.