Deploy Petya vaccination files on AD domain members

I have written the following script to deploy Petya vaccination files on all Active Directory domain members. These files are simple text files deployed to the destination system folder C:\Windows. This technique was discovered by Amit Serper and is described here.

You can also find a description of this ransomware here.

# create the vaccination files
$perfc_file = "c:\temp\perfc"
$perfcdat_file = "c:\temp\perfc.dat"
$perfcdll_file = "c:\temp\perfc.dll"

$perfc_content = "Petya vaccination file - DO NOT REMOVE"

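# -Force lets the script be re-run: it overwrites files already marked read-only
set-content $perfc_content -path $perfc_file -Force
set-content $perfc_content -path $perfcdat_file -Force
set-content $perfc_content -path $perfcdll_file -Force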

# set read-only attrib to the vaccination files
set-itemproperty -path $perfc_file -Name IsReadOnly -Value $true
set-itemproperty -path $perfcdat_file -Name IsReadOnly -Value $true
set-itemproperty -path $perfcdll_file -Name IsReadOnly -Value $true

# Get-ADComputer needs the ActiveDirectory module (RSAT)
Import-Module ActiveDirectory

# get all the AD domain members excluding the Cluster Virtual node names
$list = get-adcomputer -filter {servicePrincipalName -notlike "*clustervirtual*"}

ForEach ($b in $list) {
	$hostname = $b.DNSHostName
	$strQuery = "select * from win32_pingstatus where address = '" + $hostname + "'"
	$wmi = Get-WmiObject -Query $strQuery
	if ($wmi.statuscode -eq 0) {
		if (-not ((Test-Path \\$hostname\c$\windows\perfc) -and (Test-Path \\$hostname\c$\windows\perfc.dat) -and (Test-Path \\$hostname\c$\windows\perfc.dll)) ){
			write-host -foreground Green "$hostname : ping success... " -NoNewline
			try {
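				# -ErrorAction Stop makes a failed copy a terminating error so the catch block runs;
				# -Force overwrites a read-only file left by a partial deployment
				Copy-Item C:\temp\perfc* \\$hostname\c$\windows -Force -ErrorAction Stop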
				write-host -foreground Green "Copy successful"
			}
			catch {
				write-host -foreground yellow "Copy failed > Check the system and if the administrative share C$ is online"
			}
		}
		else {
			write-host -foreground Green "$hostname : OK - VACCINATED SYSTEM"
		}
	}
	else {
		write-host -foreground red "$hostname : ping failed"
	}
}
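
The deployment loop only tests that the three files exist. The following audit is an added example, not part of the original script: it also checks the read-only attribute and writes the gaps to a CSV. The function name `Get-PetyaVaccinationStatus`, its parameters and the CSV path are assumptions.

```powershell
# Added example: audit of the vaccination files, not part of the original script.
# Get-PetyaVaccinationStatus and its parameters are hypothetical names.
function Get-PetyaVaccinationStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]] $ComputerName,
        # Assumption: C:\Windows is reached through the C$ administrative share,
        # as in the deployment script.
        [string] $RemoteFolder = 'c$\windows'
    )
    begin {
        $names = 'perfc', 'perfc.dat', 'perfc.dll'
    }
    process {
        foreach ($computer in $ComputerName) {
            $folder    = "\\$computer\$RemoteFolder"
            $reachable = Test-Path -LiteralPath $folder
            foreach ($name in $names) {
                $item = $null
                if ($reachable) {
                    $item = Get-Item -LiteralPath (Join-Path $folder $name) -Force -ErrorAction SilentlyContinue
                }
                # Count only regular files, not a directory with the same name.
                $isFile = $item -is [System.IO.FileInfo]
                [pscustomobject]@{
                    ComputerName = $computer
                    Reachable    = $reachable
                    File         = $name
                    Present      = $isFile
                    ReadOnly     = ($isFile -and $item.IsReadOnly)
                }
            }
        }
    }
}

# Report every host/file pair that is unreachable, missing or writable.
# The CSV path is an assumption.
Import-Module ActiveDirectory
Get-ADComputer -Filter {servicePrincipalName -notlike "*clustervirtual*"} |
    ForEach-Object { $_.DNSHostName } |
    Where-Object { $_ } |
    Get-PetyaVaccinationStatus |
    Where-Object { -not ($_.Present -and $_.ReadOnly) } |
    Export-Csv -Path C:\temp\petya-vaccination-gaps.csv -NoTypeInformation
```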
