
Vaccine from the New Ransomware

Symantec Discovered a ‘Vaccine’ from the New Ransomware

On Tuesday, organizations across the world suffered yet another huge cyber-attack. The problem with this ransomware, nicknamed ‘Misha’, is that the victims can’t pay the ransom fee: the culprits provided an invalid email address, which was shut down by the hosting provider. The Bitcoin wallet where ransom money should be deposited hasn’t been touched at all. For the moment, the wallet contains about $8,000 worth of Bitcoin, a ridiculous prize for a significant and widespread attack.

Source of the image: https://ichef-1.bbci.co.uk/news/624/cpsprodpb/122AA/production/_96701447_mediaitem96701446.jpg

That’s why this attack is viewed as a politically motivated attack on Ukraine, since it started on Constitution Day.

HOW IT SPREADS

Cisco’s Talos experts believe the attack may have been carried out by exploiting vulnerable accounting software, specifically the software update system for a Ukrainian tax accounting package called MeDoc.

MeDoc posted an update to its website on Tuesday, saying in Russian, “Attention! Our server made a virus attack” but later removed it and is now denying the fact that its software was exploited.

Regardless of whether it was politically motivated or not, ‘Misha’ has affected systems across the world. It infected computer networks in Russian enterprises and has been detected in Europe as well as the USA. Russian oil giant Rosneft, British advertising firm WPP, the DLA Piper law firm and at least one hospital in the US city of Pittsburgh suffered the attack as well.

WHAT IS THE ‘VACCINE’ SYMANTEC DISCOVERED

Since the attack started, many security experts have been searching for a method to stop the epidemic. As with the latest virus, WannaCry, the solution is simple and unexpected. The Symantec experts have discovered that ‘Misha’ looks for a file called perfec.dll on an attacked computer. This file signals that the system is infected. So, the answer is to create a fake file in order to trick the malware.

HOW TO CREATE THE ‘VACCINE’

  1. Open WordPad.
  2. Save the empty file on the desktop under the name perfec.dll.
  3. Right-click the file and click Properties in the drop-down menu.
  4. Tick the Read Only box and save the changes.
  5. Copy it into C:/Windows. You need admin access to do this.

Disclaimer: It’s an emergency measure, but it will give you some time to update your antivirus and protect your system thoroughly. Please check with your antivirus provider for a patch against ‘Misha’ immediately.

The experts also state that updating the OS on a regular basis is all a private user needs to do in order to stay on the safe side. Still, many users forget to update or deliberately do not update the system, to avoid the hardware conflicts Windows 10 is so notorious for.

DISADVANTAGES

Though the ransomware won’t be able to harm your system, it can use it as an ‘infected’ platform all the same. We stress again that you should use this cure only when you aren’t able to get any updates soon, but strongly suspect that your system may be in danger, for instance if you used a public hotspot. So, remember to remove the fake perfec.dll file after you update your OS and antivirus!
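The five manual steps under ‘How to create the vaccine’, together with the removal step mentioned above, as a PowerShell script. This is an added example, not code from Symantec or from the author of this article; the parameter names `MarkerName` and `Remove` are assumptions, and the file name is the one this article gives.

```powershell
# Added example: scripted form of the manual steps in this article.
# Save as a .ps1 file and run it from an elevated PowerShell session.
param(
    [string]$MarkerName = 'perfec.dll',  # file name as given in this article
    [switch]$Remove                      # undo the workaround after patching
)

$ErrorActionPreference = 'Stop'
$target = Join-Path $env:SystemRoot $MarkerName   # normally C:\Windows

# Writing into the Windows directory needs admin rights: fail early and clearly.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this script from an elevated (Administrator) PowerShell session.'
}

if ($Remove) {
    if (-not (Test-Path -LiteralPath $target)) {
        Write-Output "Nothing to remove: $target does not exist."
        return
    }
    $item = Get-Item -LiteralPath $target -Force
    # Only delete the empty placeholder; anything else needs a human to look at it.
    if ($item.Length -ne 0) { throw "$target is not empty; refusing to delete it." }
    $item.IsReadOnly = $false
    Remove-Item -LiteralPath $target -Force
    Write-Output "Removed $target"
    return
}

if (Test-Path -LiteralPath $target) {
    $item = Get-Item -LiteralPath $target -Force
    if ($item.Length -ne 0) {
        # The article says the malware uses this file to mark an infected system,
        # so a non-empty file we did not create is left in place for investigation.
        Write-Warning "$target already exists ($($item.Length) bytes). Investigate before changing it."
        return
    }
} else {
    $item = New-Item -ItemType File -Path $target   # empty file, as in steps 1-2
}

$item.IsReadOnly = $true                            # steps 3-4: Read Only attribute

# Show the result so it can be recorded and later reversed with -Remove.
Get-Item -LiteralPath $target -Force |
    Select-Object FullName, Length, IsReadOnly, CreationTimeUtc
```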

THE DANGERS OF TOMORROW

Ransomware has become not only a criminal tool, but a political one as well. Because of the high security standards in governmental offices and facilities, hackers use official software sites to infect computers with impunity. A mouse and a keyboard are now as dangerous as nuclear weapons, and even more so. The Western powers need to face the challenge at once, and assign means for building a hack-proof, sandboxed network for governments and public facilities.

Though it’s impossible to create a 100% hack-proof network, the scale and number of cyber-attacks can be diminished significantly.

We’d like to add one more piece of advice to the list of precautions we’ve shared with our readers.

Always check the software manufacturers’ sites to see if they’re secure. The virus can sneak in with a legitimate update.

Published by
Steve
