Step-by-Step Guide: Installing the Petya Immunizer Kill Switch
The 2017 NotPetya cyberattack remains one of the most destructive ransomware campaigns in history. Unlike standard ransomware, NotPetya was designed to destroy data rather than hold it for ransom. Security researchers found that the malware checks for a specific local file before running its payload: if that file is present, NotPetya exits without encrypting anything. Creating the file ahead of time therefore acts as a local "kill switch" or vaccine, often called the Petya immunizer.
This guide provides the exact steps to manually immunize a Windows system against the Petya/NotPetya malware.

Understanding the Mechanism
Before running its payload, NotPetya checks the Windows directory (C:\Windows) for a marker file named perfc with no file extension. The name comes from the malware's own DLL, which was distributed as perfc.dat: it looks for a file in the Windows directory with the same name as its own module minus the extension. If that file already exists, the malware exits before the encryption routine runs. The check is for the file's existence, not its contents or attributes; making the file read-only (Step 3) is a precaution against it being casually deleted or overwritten, not part of the malware's test. The immunization below simply creates that file in advance.

Prerequisites
Administrator Privileges: You must be logged into Windows with an administrator account, because standard users cannot create files in the Windows directory.
Operating System: This method applies to Windows-based environments vulnerable to the standard NotPetya strain.

Step 1: Reveal File Extensions
Windows hides known file extensions by default. Disable this setting so that the immunizer file does not accidentally end up as perfc.txt with a hidden .txt extension. Open File Explorer (Windows Key + E). Click the View tab in the top menu. Check the box next to File name extensions.

Step 2: Create the Immunizer File
Open Notepad or any basic text editor. Leave the document completely blank; do not type any characters. Click File > Save As. In the "Save as type" dropdown, select All Files (*.*). Navigate to the C:\Windows directory. In the "File name" box, type exactly: perfc
Click Save. If prompted for administrator permission, click Continue. Afterwards, confirm in File Explorer that the file is listed as perfc and not perfc.txt.

Step 3: Configure File Permissions
The malware only needs the file to exist, but marking it read-only makes it harder for a user or a script to delete or overwrite it by accident, so the kill switch stays in place. Navigate to C:\Windows in File Explorer. Locate the newly created perfc file. Right-click the file and select Properties. In the General tab, check the box for Read-only. Click Apply, then click OK.

Step 4: Optional Automation via Command Prompt
For advanced users, or for administrators deploying across a network, the whole process can be done quickly from the Windows Command Prompt. Type cmd in the Windows Start menu. Right-click Command Prompt and select Run as administrator.
Copy and paste the following commands, pressing Enter after each line:

```batch
rem Create C:\Windows\perfc; the contents are arbitrary placeholder text,
rem since the malware only checks that the file exists.
echo Windows Registry Editor Version 5.00 > %windir%\perfc
rem Mark the file read-only so it is not casually deleted or overwritten.
attrib +R %windir%\perfc
```

The first command creates the file with a line of placeholder text inside the Windows directory (%windir% expands to C:\Windows on a default installation), and the second command applies the read-only attribute. Note that attrib +R only sets a file attribute; it does not change NTFS permissions, and an administrator can still remove it.

Limitations of the Kill Switch
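The same procedure as a PowerShell script, written for this page as an added example rather than taken from the original guide. It assumes an elevated PowerShell session on a Windows host. Alongside perfc it also creates perfc.dat and perfc.dll, which the researchers who published the vaccine recommended as a precaution against a variant that looks for its own module name with a different extension; the guide above creates only perfc. The function names Install-PerfcVaccine and Test-PerfcVaccine are hypothetical and chosen for this example.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): create the NotPetya vaccine
# files in %windir% and then verify them. Assumes an elevated PowerShell
# session on Windows. perfc.dat and perfc.dll are included as a precaution.

$VaccineNames = @('perfc', 'perfc.dat', 'perfc.dll')

function Install-PerfcVaccine {
    param([string[]]$Names = $VaccineNames)
    foreach ($name in $Names) {
        $path = Join-Path $env:windir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # An empty file is enough: the malware tests for existence, not content.
            New-Item -ItemType File -Path $path -Force | Out-Null
        }
        # Belt-and-braces: set the read-only attribute so a stray delete or
        # overwrite fails. The attribute is not NTFS permissions; an
        # administrator can still remove it.
        $item = Get-Item -LiteralPath $path -Force
        $item.Attributes = $item.Attributes -bor [System.IO.FileAttributes]::ReadOnly
    }
}

function Test-PerfcVaccine {
    param([string[]]$Names = $VaccineNames)
    foreach ($name in $Names) {
        $path = Join-Path $env:windir $name
        $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Path     = $path
            Exists   = ($null -ne $item)
            ReadOnly = [bool]($item -and $item.IsReadOnly)
        }
    }
    # Catch the classic mistake from Step 1: a file saved as perfc.txt.
    $stray = Join-Path $env:windir 'perfc.txt'
    if (Test-Path -LiteralPath $stray) {
        Write-Warning "Found $stray; the vaccine file must be named perfc with no extension."
    }
}

Install-PerfcVaccine
Test-PerfcVaccine | Format-Table -AutoSize
```

Run it once per host, or wrap the two calls in a script pushed by your management tooling; Test-PerfcVaccine can be run on its own later to audit that the files are still present and read-only.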
While this local immunizer is highly effective against the specific 2017 NotPetya strain, it is not a comprehensive cybersecurity solution.
Strain Specificity: This fix only works if the malware looks for the exact filename perfc (the researchers who published the vaccine also suggested creating perfc.dat and perfc.dll as a precaution). A modified build that uses a different module name, or a newer strain that drops the check entirely, bypasses this file test.
No Network Protection: This step stops the payload on the specific machine but does not prevent the malware from attempting to spread to other vulnerable computers on the same network, whether through the EternalBlue and EternalRomance SMBv1 exploits or by reusing stolen credentials with PsExec and WMIC.
To reduce exposure rather than merely suppress this one strain, combine this immunization with disabling SMBv1, applying current Windows security updates (specifically MS17-010, which closes the SMBv1 flaws EternalBlue and EternalRomance exploit), and running endpoint detection software.
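A companion example, added here and not part of the original guide, for the SMBv1 recommendation: it reports whether SMBv1 is enabled on the local host and turns it off. It assumes an elevated PowerShell session on Windows 10 or later, where the SmbShare module and the SMB1Protocol optional feature exist; on Windows Server the feature is managed with Get-WindowsFeature and Remove-WindowsFeature FS-SMB1 instead. The function names Get-Smb1Status and Disable-Smb1 are hypothetical.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original guide): report and disable SMBv1 on
# the local host. Assumes Windows 10 or later with the SmbShare module and
# the SMB1Protocol optional feature; Windows Server uses Get-WindowsFeature
# FS-SMB1 instead.

function Get-Smb1Status {
    # Server-side SMBv1 switch and the installed state of the SMB1 feature.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    [pscustomobject]@{
        ServerSmb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol
        FeatureState      = $feature.State
    }
}

function Disable-Smb1 {
    # Turn off SMBv1 on the server side immediately (no reboot needed),
    # then remove the feature so the client side goes too after a reboot.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

Get-Smb1Status
Disable-Smb1
Get-Smb1Status
```

Check for legacy devices (old NAS boxes, printers, scanners) that still need SMBv1 before rolling this out fleet-wide; those should be upgraded or isolated rather than used as a reason to keep SMBv1 on.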