
I have written the following script to deploy Petya vaccination files on all Active Directory domain members. These files are simple text files placed in the C:\Windows folder of the destination system. This technique was discovered by Amit Serper and is described here.
You can also find a description of this ransomware here.
# create the vaccination files locally before copying them to the domain members
Import-Module ActiveDirectory
$stage = "C:\temp"
New-Item -ItemType Directory -Path $stage -Force | Out-Null
$perfc_file    = "$stage\perfc"
$perfcdat_file = "$stage\perfc.dat"
$perfcdll_file = "$stage\perfc.dll"
$perfc_content = "Petya vaccination file - DO NOT REMOVE"
Set-Content -Path $perfc_file    -Value $perfc_content
Set-Content -Path $perfcdat_file -Value $perfc_content
Set-Content -Path $perfcdll_file -Value $perfc_content

# set the read-only attribute on the vaccination files (Copy-Item preserves it)
Set-ItemProperty -Path $perfc_file    -Name IsReadOnly -Value $true
Set-ItemProperty -Path $perfcdat_file -Name IsReadOnly -Value $true
Set-ItemProperty -Path $perfcdll_file -Name IsReadOnly -Value $true

# get all the AD domain members, excluding the cluster virtual node names
$list = Get-ADComputer -Filter { servicePrincipalName -notlike "*clustervirtual*" }

ForEach ($b in $list) {
    $hostname  = $b.DNSHostName
    $remoteDir = "\\$hostname\c`$\Windows"
    # reachability check through WMI Win32_PingStatus (StatusCode 0 = reply received)
    $strQuery = "select * from win32_pingstatus where address = '" + $hostname + "'"
    $wmi = Get-WmiObject -Query $strQuery
    if ($wmi.StatusCode -eq 0) {
        $vaccinated = (Test-Path "$remoteDir\perfc") -and
                      (Test-Path "$remoteDir\perfc.dat") -and
                      (Test-Path "$remoteDir\perfc.dll")
        if (-not $vaccinated) {
            Write-Host -ForegroundColor Green "$hostname : ping success... " -NoNewline
            try {
                # -ErrorAction Stop makes a failed copy a terminating error, so the catch block actually runs
                Copy-Item "$stage\perfc*" -Destination $remoteDir -ErrorAction Stop
                Write-Host -ForegroundColor Green "Copy successful"
            }
            catch {
                Write-Host -ForegroundColor Yellow "Copy failed > Check the system and if the administrative share C$ is online"
            }
        }
        else {
            Write-Host -ForegroundColor Green "$hostname : OK - VACCINATED SYSTEM"
        }
    }
    else {
        Write-Host -ForegroundColor Red "$hostname : ping failed"
    }
}
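A follow-up audit that reports, for every domain member, which vaccination files are present, missing, or present but not read-only. This is an added example, not part of the original post; it assumes the ActiveDirectory module and the same C$ administrative share access the deployment script uses, and the CSV output path is a placeholder.

```powershell
# Added audit example: report the vaccination-file state of every AD domain member.
Import-Module ActiveDirectory
$vaccineFiles = @('perfc', 'perfc.dat', 'perfc.dll')

function Get-PetyaVaccinationStatus {
    param([Parameter(Mandatory)][string]$ComputerName)
    $result = [ordered]@{
        ComputerName = $ComputerName
        Reachable    = $false
        Present      = @()
        Missing      = @()
        Writable     = @()   # present but without the read-only attribute
        Error        = $null
    }
    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) {
        return [pscustomobject]$result
    }
    $result.Reachable = $true
    $windowsDir = "\\$ComputerName\c`$\Windows"
    if (-not (Test-Path -LiteralPath $windowsDir)) {
        $result.Error = 'administrative share C$ not accessible'
        return [pscustomobject]$result
    }
    foreach ($name in $vaccineFiles) {
        try {
            $item = Get-Item -LiteralPath "$windowsDir\$name" -ErrorAction Stop
            $result.Present += $name
            if (-not $item.IsReadOnly) { $result.Writable += $name }
        }
        catch [System.Management.Automation.ItemNotFoundException] {
            $result.Missing += $name
        }
        catch {
            $result.Error = $_.Exception.Message
        }
    }
    return [pscustomobject]$result
}

# same computer selection as the deployment script above
$report = Get-ADComputer -Filter { servicePrincipalName -notlike "*clustervirtual*" } |
    ForEach-Object { Get-PetyaVaccinationStatus -ComputerName $_.DNSHostName }

# hosts that still need attention: unreachable, share errors, missing or writable files
$report | Where-Object { -not $_.Reachable -or $_.Error -or $_.Missing.Count -gt 0 -or $_.Writable.Count -gt 0 } |
    Select-Object ComputerName, Reachable, Error,
        @{ n = 'Missing';  e = { $_.Missing  -join ',' } },
        @{ n = 'Writable'; e = { $_.Writable -join ',' } } |
    Export-Csv -Path 'C:\temp\petya_vaccination_report.csv' -NoTypeInformation  # placeholder path
```

A host listed with a writable file has lost the read-only attribute the deployment script sets, so re-run the deployment against it and check who changed the file.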
Deploy Petya vaccination files on AD domain members
