Skip to content

Instantly share code, notes, and snippets.

Embed
What would you like to do?
bat: Stop BadRabbit Ransomeware
@echo off
:: This is not my code, the BadRabbit Ransomeware was posted on a following video:
:: https://www.youtube.com/watch?v=Y6WOpE92vKc
:: Idea for Petya Ransomeware was given on:
:: https://www.bleepingcomputer.com/news/security/vaccine-not-killswitch-found-for-petya-notpetya-ransomware-outbreak/
:: I just made this to make it available easily.
:: For BadRabbit
type NUL > %windir%\cscc.dat
type NUL > %windir%\infpub.dat
icacls "%windir%\cscc.dat" /inheritance:r /remove Administrators
icacls "%windir%\infpub.dat" /inheritance:r /remove Administrators
:: For Petya/NotPetya/SortaPetya
type NUL > %windir%\perfc.dll
type NUL > %windir%\perfc.dat
type NUL > %windir%\perfc
icacls "%windir%\perfc.dll" /inheritance:r /remove Administrators
icacls "%windir%\perfc.dat" /inheritance:r /remove Administrators
icacls "%windir%\perfc" /inheritance:r /remove Administrators
@pquerner

This comment has been minimized.

Copy link

pquerner commented Nov 10, 2017

This assumes Windows is installed on C drive. Maybe the Systemvariable %windir% can be used instead to help cases where this is not the case.

@Phoenix1747

This comment has been minimized.

Copy link

Phoenix1747 commented Nov 11, 2017

Hi, thanks for this script! I took the liberty of using and updating this and uploaded it all as an independent repository at https://github.com/Phoenix1747/ransom-prevention hope this is ok for you 😃

@bantya

This comment has been minimized.

Copy link
Owner Author

bantya commented Jan 21, 2018

Thanks @pquerner for the %windir% suggestion.
And @Phoenix1747, its perfectly OK for me. I too used someone else's idea and modified it.
👍

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.