Israeli Discovers How to Block Ransomware Damaging Computers Worldwide

Amit Serper discovers a simple mechanism that prevents the malware from encrypting computers and spreading onwards

Jun 28, 2017 2:20 AM

Cybersecurity experts are nervous following two potential cyber attacks in the space of three days. — Reuters

Amit Serper, an Israeli researcher at the Cybereason company, discovered a way to block the activation of the ransom software that erupted Tuesday across the world, including in Israel.

>> Subscribe for just $1 now

The software, known as Petya, was first distributed using a software update for tax calculation in Ukraine, and then spread onwards, damaging a long line of organizations and companies in Europe, Israel and the U.S. Ransomware is often used as a means for making profits for hackers.

The most prominent hack until now was the distribution of WannaCry last month. The software made use of EternalBlue, one of the NSA's break-in tools that that was leaked by the ShadowBrokers group. The current ransomware hack also uses a tool leaked from the NSA to spread within Networks, together with another two means.

In contrast to the previous software, the current one doesn’t make to with encrypting specific files, but encrypts computers' Master Boot Record – the first part of the hard-disk to load when opening a computer. It holds information on the structure of the hard-disk and is used to upload the operating system.

Serper discovered that there's a way to stop the ransomware from activating and spreading itself. "When the malware begins working, it actually checks if it's run in the past and encrypted the folders, so not to encrypt them twice," he told Haaretz. "It searches for the name of the file that activated it, without the extension, inside the Windows folder."

According to Serper, if the ransomware finds the file (C:\windows\perfc), it uses it as a sign that the computer has already been attack, and therefore doesn’t activate the encryption.

In the past, in the case of a hack using the WannaCry software, a British researcher discovered that some of the software versions included a "kill switch" – a mechanism that prevents the software from being activated.

Serper said that this wasn’t the case with his discovery. "It's not exactly a 'kill switch,' but more of a vaccine," he said.

Oded Yaron

Haaretz Contributor

Comments

Sort comments by

Israeli Discovers How to Block Ransomware Damaging Computers Worldwide

Comments

ICYMI

Trump and Netanyahu Just Broke the Special Relationship Between America and Israel

This Tel Aviv Sex Shop Is Keeping It Kosher

This Israeli Park Is Heaven on Earth

Returning to Morocco, Israeli Finds Bubbling Culture and Missing Identity

Earliest Form of Writing May Have Been Found in Israel

Iran, Saudi Arabia's Proxy Wars Have a New Battlefield

Red Sea Diving Resort' Hits Netflix. Here's the Amazing Mossad Op Behind It

How Israel Systematically Hides Evidence of Brutal 1948 Expulsion of Arabs

Israel's Most Beautiful Mosaic Reveals Ancient Liberal Judaism

Jared Kushner's Plan for Palestine Is Even Crazier Than You Thought

How Christians Invented 'Judaism'

Haaretz 2019 Rich List Meet the Wealthiest People in Israel

Fleeing Iran's Modesty Police, Lingerie Model Ends Up on Paris Streets

A New Alliance Is Emerging in the Middle East, and What's Behind Trump's Tweet?

Who Decided What Books the Hebrew Bible Would Contain?

Nazis Experimented on These Women. They Told the World, in Brilliant Code

How El Al's 747 Connected Israel and the Jewish World

Nasrallah Reveals New Details About Ambush, Killing of 12 Israeli Commandos

Israeli Soldiers Shoot Bound, Blindfolded Palestinian Teen Trying to Flee

Move Over, Moses: A Pharaoh May Have Created the Ancient Kingdom of Israel

Keep updated: Sign up to our newsletter

Please wait…

Thank you for signing up.

Oops. Something went wrong.

Thank you,

Comments

Thank you!

ICYMI