Kaspersky Lab experts are continuing to investigate the latest wave of cryptovirus infections that has penetrated organizations all over the world. According to our preliminary data, this cryptovirus does not actually belong to the well-known Petya family of ransomware, although it does share a few lines of code with Petya. What we are dealing with is a new family of malware whose functionality differs substantially from that of Petya. Kaspersky Lab has named this new cryptovirus ExPetr.
Kaspersky Lab experts currently believe that this malware used several attack vectors. It has been established that modified EternalBlue and EternalRomance exploits were used to spread ExPetr throughout corporate networks.
Kaspersky Lab products detect this malware with the verdict:
- UDS:DangerousObject.Multi.Generic
- Trojan-Ransom.Win32.ExPetr.a
- HEUR:Trojan-Ransom.Win32.ExPetr.gen
The System Watcher behavior analyzer detects this malware with the verdict:
- PDM:Trojan.Win32.Generic
- PDM:Exploit.Win32.Generic
In the majority of cases, Kaspersky Lab products with System Watcher proactively blocked the cryptovirus's initial attack vector. We are working on improving System Watcher's ability to discover cryptoviruses so that it will also be able to detect possible modifications of this piece of ransomware.
Our experts are also exploring the possibility of creating a decryption tool that would be able to recover encrypted data.
For more information about the attack, see the Kaspersky Lab report.
We recommend that companies take the following measures to reduce their risk of infection.
- Install the official Microsoft patch that fixes the SMB vulnerability exploited by the worm's modified EternalBlue and EternalRomance exploits.
- Make sure that all protection mechanisms are activated, that you are connected to the Kaspersky Security Network cloud infrastructure, and that the System Watcher is enabled.
- Update the databases of all the Kaspersky Lab products being used.
We also recommend, as an additional measure, using the Application Privilege Control component to prevent all application groups from accessing (and, accordingly, executing) the Sysinternals PsExec tool, as well as the following files:
- %windir%\dllhost.dat
- %windir%\psexesvc.exe
- %windir%\perfc.dat
- %appdata%\perfc.dat
- %appdata%\dllhost.dat
- *\psexec.exe
- *\psexec64.exe
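As an added example (not Kaspersky Lab's code), the following PowerShell function sweeps a host for the paths listed above and reports any that exist, with size, timestamps and SHA-256, so the results can be collected fleet-wide. It goes slightly beyond the list: `%appdata%` is checked for every profile under the user-profiles root rather than only the current user's, and the `*\psexec.exe` and `*\psexec64.exe` entries are resolved by searching every fixed local drive. The function name and parameter names are this example's own; it assumes PowerShell 4.0 or later (for `Get-FileHash`) and an elevated session so that `%windir%` and other users' profiles are readable.

```powershell
# Added example, not part of the original advisory.
# Sweeps the file paths the advisory recommends blocking and reports any that are present.
# Assumes PowerShell 4.0+ (Get-FileHash) and an elevated session.

function Find-ExPetrArtifacts {
    [CmdletBinding()]
    param(
        # Paths from the advisory with an environment variable prefix.
        [string[]]$WindirNames  = @('dllhost.dat', 'psexesvc.exe', 'perfc.dat'),
        [string[]]$AppDataNames = @('perfc.dat', 'dllhost.dat'),
        # Names the advisory lists as "*\<name>": search every fixed drive for them.
        [string[]]$AnywhereNames = @('psexec.exe', 'psexec64.exe')
    )

    $candidates = New-Object System.Collections.Generic.List[string]

    # %windir%\<name>
    foreach ($n in $WindirNames) {
        $candidates.Add((Join-Path $env:windir $n))
    }

    # %appdata%\<name>, expanded for every profile under the profiles root
    # (e.g. C:\Users\<user>\AppData\Roaming), not just the current user.
    $profilesRoot = Split-Path -Parent $env:USERPROFILE
    foreach ($profile in Get-ChildItem -LiteralPath $profilesRoot -Directory -Force -ErrorAction SilentlyContinue) {
        foreach ($n in $AppDataNames) {
            $candidates.Add((Join-Path $profile.FullName "AppData\Roaming\$n"))
        }
    }

    # *\<name>: walk each fixed (DriveType 3) local drive.
    $drives = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' |
        Select-Object -ExpandProperty DeviceID
    foreach ($d in $drives) {
        Get-ChildItem -Path "$d\" -Recurse -Force -File -Include $AnywhereNames -ErrorAction SilentlyContinue |
            ForEach-Object { $candidates.Add($_.FullName) }
    }

    foreach ($path in ($candidates | Sort-Object -Unique)) {
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $f = Get-Item -LiteralPath $path -Force
            [PSCustomObject]@{
                Path        = $f.FullName
                SizeBytes   = $f.Length
                CreatedUtc  = $f.CreationTimeUtc
                WrittenUtc  = $f.LastWriteTimeUtc
                SHA256      = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
            }
        }
    }
}

# Usage: show hits on this host, or pipe to Export-Csv for central collection.
Find-ExPetrArtifacts | Format-Table -AutoSize
```

Treat the output as an inventory, not as proof of infection: PsExec is a legitimate administration tool, and `%windir%\psexesvc.exe` is the service binary that any PsExec session leaves on a target host, so hits on those names should be reconciled against known administrative use before blocking or quarantining them. The `.dat` entries under `%windir%` and `%appdata%` have no such benign explanation and warrant immediate follow-up.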