Israeli Discovers How to Block Ransomware Damaging Computers Worldwide

Amit Serper discovers a simple mechanism that prevents the malware from encrypting computers and spreading onwards

Jun 28, 2017 2:20 AM

Cybersecurity experts are nervous following two potential cyber attacks in the space of three days. — Reuters

Amit Serper, an Israeli researcher at the Cybereason company, discovered a way to block the activation of the ransom software that erupted Tuesday across the world, including in Israel.

The software, known as Petya, was first distributed using a software update for tax calculation in Ukraine, and then spread onwards, damaging a long line of organizations and companies in Europe, Israel and the U.S. Ransomware is often used as a means for making profits for hackers.

The most prominent hack until now was the distribution of WannaCry last month. The software made use of EternalBlue, one of the NSA's break-in tools that that was leaked by the ShadowBrokers group. The current ransomware hack also uses a tool leaked from the NSA to spread within Networks, together with another two means.

In contrast to the previous software, the current one doesn’t make to with encrypting specific files, but encrypts computers' Master Boot Record – the first part of the hard-disk to load when opening a computer. It holds information on the structure of the hard-disk and is used to upload the operating system.

Serper discovered that there's a way to stop the ransomware from activating and spreading itself. "When the malware begins working, it actually checks if it's run in the past and encrypted the folders, so not to encrypt them twice," he told Haaretz. "It searches for the name of the file that activated it, without the extension, inside the Windows folder."

According to Serper, if the ransomware finds the file (C:\windows\perfc), it uses it as a sign that the computer has already been attack, and therefore doesn’t activate the encryption.

In the past, in the case of a hack using the WannaCry software, a British researcher discovered that some of the software versions included a "kill switch" – a mechanism that prevents the software from being activated.

Serper said that this wasn’t the case with his discovery. "It's not exactly a 'kill switch,' but more of a vaccine," he said.

Oded Yaron

Haaretz Contributor

Comments

Sort comments by

Israeli Discovers How to Block Ransomware Damaging Computers Worldwide

Comments

ICYMI

To Stay Younger for Longer, Make This Change to Your Diet

Neo-Nazis, Rabbis and Rape: Art Project Got Out of Hand

Basque Ancient Art Changes Understanding of Prehistoric Societies

A Plot Against Islam? Coronavirus and Conspiracies Hit Mideast

Wanted: Arab Prince or King for Photo-op With Netanyahu

Sexual Assault Allegations Rock an Israeli Hasidic Community

Code Name 'Angel': Mossad Agent Who Handled Israel's Greatest Spy Speaks Out

The Real Reason Mizrahim Vote for Netanyahu

Trump Exploited Soleimani's Mistake, and Netanyahu Gains the Most

The Jewish Left's Tragic Problem

Auschwitz, the Director's Cut

Sexual Assault Allegations Rock an Israeli Hasidic Community

Cyprus, Cyberspies and the Dark Side of Israeli Intel

Israeli, Jewish, and Raising My Kids in Ramallah

Why a Wave of Suicides Washed Over Germany After the Nazi Defeat

Israelis Didn't Know They Were Committing a Massacre, and Didn't Care

I Escaped China's Gulags

Climate Change Could Make Russia Great Again

The Jewish Avengers Who Sought to Poison Six Million Germans for the Holocaust

How the Jews Invented the Goy

Keep updated: Sign up to our newsletter

Please wait…

Thank you for signing up.

Oops. Something went wrong.

Thank you,

Comments

Thank you!

ICYMI