Kaspersky Lab has revealed that the new wave of ransomware attacks targeting organisations across the world is “not a variant of Petya ransomware, but a new ransomware that has not been seen before,” which has been named ‘ExPetr.’
The company has released the following statement: “Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organisations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality. We have named it ExPetr.
“Telemetry data indicates around 2,000 attacked users so far. Organisations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.
“This appears to be a complex attack, which involves several vectors of compromise,” the statement adds. “We can confirm that modified EternalBlue and EternalRomance exploits are used by the criminals for propagation within the corporate network.”
Kaspersky Lab detects the threat as:
The company’s behaviour detection engine SystemWatcher detects the threat as:
Kaspersky Lab experts are continuing to examine the issue to determine whether it is possible to decrypt data locked in the attack – with the intention of “developing a decryption tool as soon as they can.”
The company released the following advice for companies going forward:
“We advise all companies to update their Windows software: Windows XP and Windows 7 users can protect themselves by installing MS17-010 security patch. We also advise all organisations to ensure they have backup. Proper and timely backup of your data may be used to restore original files after a data loss event.”
Kaspersky Lab corporate customers are also advised to:
- Check that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled.
- As an additional measure, using the Application Startup Control component of Kaspersky Endpoint Security can prevent the execution of the file with the name perfc.dat, and block the execution of the PS Exec utility (part of the Sysinternals Suite).
- Configure and enable the Default Deny mode of the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce the proactive defence against this, and other attacks.
For those who do not have Kaspersky Lab products on their device, the company has advised users to use the AppLocker feature of Windows OS to disable the execution of any files that carry the name “perfc.dat”.