I have written the following script to deploy Petya vaccination files on all Active Directory domain members. These files are simple text files deployed in the destination system folder C:\Windows. This technique was discovered by Amit Serper and is described here.
You can also find a description of this ransomware here.
```powershell
# requires the ActiveDirectory module (RSAT) for Get-ADComputer
Import-Module ActiveDirectory

# create the vaccination files locally; they are plain text files that the
# ransomware looks for in C:\Windows before it runs
$perfc_file    = "c:\temp\perfc"
$perfcdat_file = "c:\temp\perfc.dat"
$perfcdll_file = "c:\temp\perfc.dll"
$perfc_content = "Petya vaccination file - DO NOT REMOVE"
Set-Content -Path $perfc_file    -Value $perfc_content
Set-Content -Path $perfcdat_file -Value $perfc_content
Set-Content -Path $perfcdll_file -Value $perfc_content

# set the read-only attribute on the vaccination files
# (Copy-Item keeps the attribute, so the remote copies are read-only too)
Set-ItemProperty -Path $perfc_file    -Name IsReadOnly -Value $true
Set-ItemProperty -Path $perfcdat_file -Name IsReadOnly -Value $true
Set-ItemProperty -Path $perfcdll_file -Name IsReadOnly -Value $true

# get all the AD domain members, excluding the Cluster Virtual node names
$list = Get-ADComputer -Filter {servicePrincipalName -notlike "*clustervirtual*"}

ForEach ($b in $list) {
    $hostname = $b.DNSHostName

    # ping the host through WMI; StatusCode 0 means the echo reply was received
    $strQuery = "select * from win32_pingstatus where address = '" + $hostname + "'"
    $wmi = Get-WmiObject -Query $strQuery

    if ($wmi.StatusCode -eq 0) {
        # skip hosts that already carry all three files
        if (-not ((Test-Path \\$hostname\c$\windows\perfc) -and
                  (Test-Path \\$hostname\c$\windows\perfc.dat) -and
                  (Test-Path \\$hostname\c$\windows\perfc.dll))) {
            Write-Host -ForegroundColor Green "$hostname : ping success... " -NoNewline
            try {
                # -ErrorAction Stop turns a failed copy into a terminating error,
                # otherwise the catch block would never run
                Copy-Item C:\temp\perfc* \\$hostname\c$\windows -ErrorAction Stop
                Write-Host -ForegroundColor Green "Copy successful"
            } catch {
                Write-Host -ForegroundColor Yellow "Copy failed > Check the system and if the administrative share C$ is online"
            }
        } else {
            Write-Host -ForegroundColor Green "$hostname : OK - VACCINATED SYSTEM"
        }
    } else {
        Write-Host -ForegroundColor Red "$hostname : ping failed"
    }
}
```
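Once the files are deployed, you will want to know which hosts are still missing them or have lost the read-only attribute. The following audit script is an added example, not part of the original post; it assumes the ActiveDirectory module is available, that the account running it can read the C$ share, and a hypothetical report path of C:\temp\petya-vaccine-audit.csv.

```powershell
# Added audit example (not from the original post): check every AD computer for
# the three vaccination files in C:\Windows and for their read-only attribute.
Import-Module ActiveDirectory

$vaccineFiles = @('perfc', 'perfc.dat', 'perfc.dll')

function Test-PetyaVaccine {
    param([Parameter(Mandatory)][string]$ComputerName)

    $missing  = @()
    $writable = @()
    # -Quiet makes Test-Connection return $true/$false instead of raising errors
    $reachable = Test-Connection -ComputerName $ComputerName -Count 1 -Quiet

    if ($reachable) {
        foreach ($name in $vaccineFiles) {
            $path = "\\$ComputerName\c$\Windows\$name"
            $item = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if (-not $item) {
                $missing += $name
            } elseif (($item.Attributes -band [IO.FileAttributes]::ReadOnly) -eq 0) {
                # file exists but could be deleted by a plain user process
                $writable += $name
            }
        }
    }

    [pscustomobject]@{
        ComputerName = $ComputerName
        Reachable    = $reachable
        AllPresent   = $reachable -and ($missing.Count -eq 0)
        AllReadOnly  = $reachable -and ($missing.Count -eq 0) -and ($writable.Count -eq 0)
        Missing      = ($missing -join ';')
        Writable     = ($writable -join ';')
    }
}

# same cluster-virtual-node filter as the deployment script; hosts without a
# DNS name are skipped rather than failing parameter binding
Get-ADComputer -Filter 'servicePrincipalName -notlike "*clustervirtual*"' |
    Where-Object { $_.DNSHostName } |
    ForEach-Object { Test-PetyaVaccine -ComputerName $_.DNSHostName } |
    Tee-Object -Variable report |
    Where-Object { -not $_.AllReadOnly } |
    Format-Table ComputerName, Reachable, AllPresent, AllReadOnly, Missing, Writable -AutoSize

# full report (vaccinated hosts included) for tracking over time; hypothetical path
$report | Export-Csv -Path 'C:\temp\petya-vaccine-audit.csv' -NoTypeInformation
```

Only hosts that are unreachable, missing a file, or have a writable copy are printed on screen; the CSV keeps the complete result set.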
Deploy Petya vaccination files on AD domain members