Israeli Discovers How to Block Ransomware Damaging Computers Worldwide

Amit Serper discovers a simple mechanism that prevents the malware from encrypting computers and spreading onwards

Reuters

Amit Serper, an Israeli researcher at the security company Cybereason, discovered a way to block the activation of the ransomware that broke out on Tuesday across the world, including in Israel.

The software, known as Petya, was first distributed through a software update for a tax-calculation program in Ukraine, and then spread onwards, damaging a long list of organizations and companies in Europe, Israel and the U.S. Ransomware is commonly used by hackers as a way to make money.

The most prominent attack until now was the distribution of WannaCry last month. That software made use of EternalBlue, one of the NSA's break-in tools that was leaked by the ShadowBrokers group. The current ransomware also uses a tool leaked from the NSA to spread within networks, together with two other means.

In contrast to the previous software, the current one doesn't settle for encrypting specific files, but encrypts the computer's Master Boot Record – the first part of the hard disk read when a computer starts up. It holds information on the structure of the hard disk and is used to load the operating system.

Serper discovered that there's a way to stop the ransomware from activating and spreading itself. "When the malware begins working, it actually checks if it's run in the past and encrypted the folders, so as not to encrypt them twice," he told Haaretz. "It searches for the name of the file that activated it, without the extension, inside the Windows folder."

According to Serper, if the ransomware finds the file (C:\windows\perfc), it takes it as a sign that the computer has already been attacked, and therefore doesn't activate the encryption.
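As an added example (not code from the article, from Serper or from Cybereason), the following PowerShell snippet applies the "vaccine" the article describes on a Windows host: it creates the file C:\Windows\perfc, which is the path named above, marks it read-only so it is not casually deleted, and reports whether it is in place. It assumes it is run from an elevated (Administrator) PowerShell session, since writing into the Windows folder requires that.

```powershell
# Added example, not from the article or Cybereason.
# Creates the "vaccine" file the article describes: C:\Windows\perfc.
# Assumes an elevated (Administrator) PowerShell session.

function Install-PerfcVaccine {
    # $env:SystemRoot resolves to C:\Windows on a default installation,
    # so this is the C:\windows\perfc path named in the article.
    $vaccinePath = Join-Path $env:SystemRoot 'perfc'

    if (-not (Test-Path -LiteralPath $vaccinePath)) {
        # An empty file is enough: the malware only checks that the file exists.
        New-Item -Path $vaccinePath -ItemType File -Force | Out-Null
    }

    # Mark the file read-only so it is not accidentally removed or overwritten.
    Set-ItemProperty -LiteralPath $vaccinePath -Name IsReadOnly -Value $true

    # Return a small status record so the result can be logged or checked by a deployment script.
    $item = Get-Item -LiteralPath $vaccinePath
    [PSCustomObject]@{
        Path       = $item.FullName
        Exists     = (Test-Path -LiteralPath $vaccinePath)
        IsReadOnly = $item.IsReadOnly
    }
}

# Apply the vaccine and show the result.
Install-PerfcVaccine
```

The file only satisfies the "already infected" check the article describes on the machine where it is created; it does not patch the vulnerability the malware uses to spread, so it complements rather than replaces the usual patching of the EternalBlue flaw across the network.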

In the past, in the case of the attack using the WannaCry software, a British researcher discovered that some versions of the software included a "kill switch" – a mechanism that prevents the software from being activated.

Serper said that this wasn’t the case with his discovery. "It's not exactly a 'kill switch,' but more of a vaccine," he said.