Petya ransomware looks for and loads a DLL named "wow64log.dll" from Windows\System32. Dropping our own DLL at that path therefore lets us intercept the malware and terminate it before encryption begins. The exploit DLL simply displays a Win32 API message box and calls exit(). It must export an "InterlockedExchange" function, otherwise the load fails with an error. No hash-based signatures or third-party products are needed: the malware does the work for us by loading the DLL itself. Endpoint protection or antivirus agents can be killed before the malware runs its payload, but this method cannot be, because there is no process to kill; the DLL simply sits on disk until it is loaded. Note that writing to Windows\System32 requires administrative rights, and the DLL must be built for the same architecture as the process that loads it. As a layered defence, the DLL can also be added to a specific network share containing important data. All basic tests were conducted successfully in a virtual machine environment.
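The decoy DLL described above, written out in C as an added example (this is not the advisory's own code). It keeps the advisory's behaviour of showing a message box and then terminating, but goes one step further with a host-name gate: the wow64log.dll path is probed by the WoW64 layer for every 32-bit process on 64-bit Windows, so a decoy that exits unconditionally would also kill legitimate 32-bit programs. The allow-list entries, the DecoyInterlockedExchange name and the wow64log.def companion file are assumptions for this example; the required export name is mapped onto DecoyInterlockedExchange by the .def file because windows.h already provides InterlockedExchange as a macro/intrinsic. The decision logic is portable C; the DllMain is compiled only under _WIN32.

```c
/*
 * wow64log.c: decoy DLL for the wow64log.dll load described in the advisory.
 * Added example, not the advisory's code. Build (x86_64, mingw-w64 cross-compiler):
 *   x86_64-w64-mingw32-gcc -shared -O2 -o wow64log.dll wow64log.c wow64log.def -luser32
 * wow64log.def (assumed companion file; maps the export name the malware
 * requires onto our function, since windows.h already defines InterlockedExchange):
 *     LIBRARY wow64log
 *     EXPORTS
 *     InterlockedExchange = DecoyInterlockedExchange
 */
#include <stddef.h>
#include <string.h>
#include <ctype.h>

/* Constructed allow-list of 32-bit host images that must keep running on this
 * machine; populate it from your own software inventory. Matching is
 * case-insensitive and on the file name component only. */
const char *const DECOY_ALLOWED_HOSTS[] = { "legacyapp.exe", "backupagent32.exe" };
#define DECOY_ALLOWED_HOSTS_COUNT (sizeof DECOY_ALLOWED_HOSTS / sizeof DECOY_ALLOWED_HOSTS[0])

/* File-name component of a path; accepts both '\\' and '/' separators. */
const char *decoy_basename(const char *path) {
    const char *base = path;
    for (const char *p = path; *p; ++p)
        if (*p == '\\' || *p == '/') base = p + 1;
    return base;
}

/* Case-insensitive ASCII string equality. */
static int decoy_ieq(const char *a, const char *b) {
    for (; *a && *b; ++a, ++b)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Decision: 1 = terminate the host process, 0 = stay dormant.
 * Default-deny: any image not on the allow-list, including an unknown
 * (empty) path, is treated as the malware the decoy is waiting for. */
int decoy_should_fire(const char *host_path, const char *const *allow, size_t n_allow) {
    const char *name = decoy_basename(host_path);
    if (*name == '\0') return 1;
    for (size_t i = 0; i < n_allow; ++i)
        if (decoy_ieq(name, allow[i])) return 0;
    return 1;
}

#ifdef _WIN32
#include <windows.h>

/* Exported as "InterlockedExchange" via wow64log.def. Forwards to the real
 * intrinsic so a caller that resolves the export still gets correct results. */
LONG WINAPI DecoyInterlockedExchange(LONG volatile *target, LONG value) {
    return InterlockedExchange(target, value);
}

BOOL WINAPI DllMain(HINSTANCE inst, DWORD reason, LPVOID reserved) {
    (void)inst; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) {
        char host[MAX_PATH];
        DWORD n = GetModuleFileNameA(NULL, host, MAX_PATH);
        if (n == 0 || n >= MAX_PATH) host[0] = '\0';   /* unknown host: default-deny */
        if (decoy_should_fire(host, DECOY_ALLOWED_HOSTS, DECOY_ALLOWED_HOSTS_COUNT)) {
            MessageBoxA(NULL, host, "wow64log.dll decoy: terminating host process",
                        MB_OK | MB_ICONERROR | MB_SERVICE_NOTIFICATION);
            /* TerminateProcess instead of exit(): we run under the loader lock,
             * so do not unwind through every other module's DLL_PROCESS_DETACH. */
            TerminateProcess(GetCurrentProcess(), 1);
        }
    }
    return TRUE;
}
#endif
```

The modal message box mirrors the advisory and is useful for the virtual-machine test; on an unattended server it blocks until someone clicks it, so an event-log write or a plain TerminateProcess is the better choice there. Build the DLL for the architecture of the process that actually performs the load, and remember that an attacker who already holds administrative rights can delete or replace the decoy just as they can stop an endpoint agent.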
ff2605c77ee1a143de808be0bf172ffc2beea61f4206bbac09c5de2b270c2ba8
Backdoor.Win32.Ketch.h malware suffers from a buffer overflow vulnerability.
2abc44ddfa9d0b7263959ae5ff30bf3a21837b0e7e1c607d8886493459247df3
Backdoor.Win32.Inject.tyq malware suffers from an insecure permissions vulnerability.
bf6ea50de9c992e63ecd9bb1513eaba793264ba0d8a4f0670e8fd53b8afecfa1
Backdoor.Win32.Bionet.10 malware has an FTP service that allows for anonymous login.
404aa1cc25a484f04ec04f3fcdd9b35295adf133838edc77ca4e63911e3d6bde
Backdoor.Win32.DarkKomet.apcc malware suffers from an insecure permissions vulnerability.
aecb3a0c272436b731621f6bcd2825f3baf0858666fecf06db2f2a9d8b681638
Backdoor.Win32.DarkKomet.bhfh malware suffers from an insecure permissions vulnerability.
5093711b0c6d00b1510fcead1c8a97d6fde81a882fde3001e630e1feeccf901a
Backdoor.Win32.Agent.aak malware suffers from a buffer overflow vulnerability.
ff1a91e588666b3bcb88a08c2db2ac1c04d80eeaa528374423c23c387be8602e
Backdoor.Win32.Agent.aak malware suffers from code execution and cross-site request forgery vulnerabilities.
07877b46ba2c779b236c2561cd70d8a9f3b6e327ed86d6f5a164b87adc2a81d0
Backdoor.Win32.Agent.aak malware suffers from a hardcoded credential vulnerability.
d384b41292fe358452a4a3a80b168dead2cf891a7677d24a3838cd59e7e78221
Backdoor.Win32.Burbul.b malware has an FTP service that allows for anonymous login.
eacd817de5297bfb135a0355f799bafec34151bbf8e3f6ea6560cc32d694a5b8
Backdoor.Win32.Indexer.a malware suffers from a denial of service vulnerability.
d48a8459e1ba4c181989347d8c267adcf50e5532c2ce2473ef00b11baab6e68f
Backdoor.Win32.Indexer.a malware has a backdoor with weak hardcoded credentials.
75d07c22ee885ccdb973aa8ca9f378855c5b303ddbc339cb577013a21100e03a
Backdoor.Win32.Bifrose.ahvb malware suffers from an insecure permissions vulnerability.
bb9f15193f65ac95f44d88b0e2811648f4d5f5e78134baf5e273c723603eb732
Backdoor.Win32.Azbreg.aant malware suffers from an insecure permissions vulnerability.
3f3b586377091c5728cc4ed6050e6e4d141deb1e6711e3fc59e9739723b01122
Trojan-Spy.Win32.WinSpy.wlt malware suffers from an insecure permissions vulnerability.
ee41322d396b9353808b98f8ec6e507cafd8ed0f4d9af3255a6d5ef01f3a21ac
Backdoor.Win32.Cabrotor.21 malware suffers from an insecure permissions vulnerability.
c2d956f1d6f57c163208002771f8edd75cfc357f0d3a375becbe49cd2f96dd97
Backdoor.Win32.Cafeini.08.b malware suffers from a missing authentication vulnerability.
42b334aea82507140ecc84d70e3e827069455b64df4111d0bb8d29ceb5e02d14
Backdoor.Win32.Backlash.101 malware suffers from a missing authentication vulnerability.
63843432e1b6f0a7fb44c3fb0f691735a6fa62d448888ba7c921659dbfa6b183
Backdoor.Win32.BackAttack.18 malware suffers from a missing authentication vulnerability that can allow for remote screenshots, system restart, and more.
f1d1181c7b20a45dade4acd19939dbe503d5a1101652d99916a11ccf32e27c23
Backdoor.Win32.Augudor.a malware suffers from a code execution vulnerability.
9ea94d39200a50f8a70a8edc2d711b64cd27c932ffce9d43b1f8d33b414ae1d7
Backdoor.Win32.Aphexdoor.LiteSock malware suffers from a buffer overflow vulnerability.
8b6ccade23d3ec6d18ecf166c4a5516158a541bd323da2a669ba9d7a232ab203
Backdoor.Win32.NetTerrorist malware suffers from bypass and code execution vulnerabilities.
a84e847103256104dc3efdecf379b465270c3106e0b1b1c48f64df43bc8e92b7
Trojan.Win32.Cafelom.bu malware suffers from a heap corruption vulnerability.
c495636b818cd7c3b7660d9376094f54b60fc76dab0d98070462b30ed384dc61
Backdoor.Win32.Wollf.15 malware suffers from a missing authentication vulnerability.
c41d4e61e238652534263ff190da9b31485a2ea670fba91accb2732c0271f2be
Trojan-Spy.Win32.WinSpy.vwl malware suffers from an insecure permissions vulnerability.
026c6b0c349e86e43c5a43835c5941f5db65347448416bb24177660d2b517527
Trojan-Spy.Win32.WebCenter.a malware suffers from an information leakage vulnerability.
bbe687c0905aad324c811b55eb6f7b45bbca79de22771d469b8334329c6242a8