We’re witnessing an outbreak of a new breed of cryptomalware. Our experts have named it ExPetr (others call it Petya, PetrWrap, and some other names). The key difference with this new ransomware is that this time, criminals have chosen their targets with greater precision: Most of the victims are businesses, not consumers.
Worse still, critical infrastructure facilities are among the victims of this malware. For example, a few flights were reportedly delayed at Kiev’s Boryspil airport because of the attack. And it gets even worse: the radiation-monitoring system at the infamous Chernobyl nuclear plant was reported to be temporarily down for the same reason.
Why do critical infrastructure systems keep getting hit by cryptomalware? Because they are either directly connected to corporate office networks or have direct access to the Internet.
What to do
Just like with WannaCry, we have two distinct problems: initial penetration of malware into a company’s infrastructure and its proliferation within. These two problems should be addressed separately.
Our experts have identified several routes by which the malware penetrates a network. In some cases it was delivered from malicious sites (drive-by infection), with users receiving the malware disguised as a system update. In other cases it spread through third-party software updates, for example through the update mechanism of the Ukrainian accounting software M.E.Doc. In other words, there is no single, predictable point of entry to guard.
We have some recommendations for preventing malware from penetrating your infrastructure:
As an additional measure of protection (especially if you are not using Kaspersky Lab products), you can install our free Kaspersky Anti-Ransomware Tool, which is compatible with most other security solutions.
Proliferation within the network
Once it gets its hooks into a single system, ExPetr is considerably better than WannaCry at spreading within a local network, because it carries a broader set of tools for that purpose. First, it uses at least two exploits: a modified EternalBlue (also used by WannaCry) and EternalRomance, another exploit of the SMB service on TCP port 445. Second, when it infects a system on which the current user has administrative privileges, it also spreads by remote execution through Windows Management Instrumentation (WMI) or through the PsExec remote-administration tool, which lets it reach machines that have already been patched against the SMB exploits.
To prevent malware proliferation within your network (and especially within critical infrastructure systems), you should:
As always, we strongly recommend a multilayered information security approach, incorporating automatic software updates (including for the operating system), an anti-ransomware component, and a component that monitors the behavior of all processes within the operating system.
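The WMI and PsExec spreading described above leaves traces in ordinary Windows telemetry, and monitoring for them is one concrete form of the "process monitoring" layer recommended here. The following is an added example, not code from the original article or from Kaspersky Lab: a small detector that scans process-creation and service-install events for the two lateral-movement techniques. The events are a constructed, simplified key=value rendering of Sysmon Event ID 1 (process create) and System log Event ID 7045 (service installed); the field names follow those logs, but the lines, host names and the list of suspicious WMI child processes are assumptions made for this example.

```python
"""Detect PsExec- and WMI-based lateral movement in simplified event lines.

Added example, not part of the original article. Event format and sample
data are constructed for illustration; field names mirror Sysmon EID 1 and
System log EID 7045, but these lines are not real telemetry.
"""
import ntpath
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample events (not real telemetry). One event per line;
# CommandLine is always the last field because it may contain spaces.
SAMPLE_EVENTS = """\
EventID=1 Host=WS01 Image=C:\\Windows\\System32\\svchost.exe ParentImage=C:\\Windows\\System32\\services.exe CommandLine=svchost.exe -k netsvcs
EventID=7045 Host=WS02 ServiceName=PSEXESVC ImagePath=%SystemRoot%\\PSEXESVC.exe
EventID=1 Host=WS02 Image=C:\\Windows\\PSEXESVC.exe ParentImage=C:\\Windows\\System32\\services.exe CommandLine=C:\\Windows\\PSEXESVC.exe
EventID=1 Host=WS03 Image=C:\\Windows\\System32\\rundll32.exe ParentImage=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe CommandLine=rundll32.exe C:\\Windows\\update.dll,#1
EventID=1 Host=WS04 Image=C:\\Windows\\System32\\wbem\\WmiPrvSE.exe ParentImage=C:\\Windows\\System32\\svchost.exe CommandLine=wmiprvse.exe -secured -Embedding
EventID=1 Host=WS05 Image=C:\\Windows\\System32\\wbem\\WMIC.exe ParentImage=C:\\Windows\\System32\\cmd.exe CommandLine=wmic /node:WS06 /user:CORP\\admin process call create "cmd /c dir"
"""

# key=value pairs; a value runs until the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

# Children that the WMI provider host does not normally spawn on a
# workstation. A WmiPrvSE.exe -> cmd.exe/rundll32.exe pair is the classic
# footprint of a remote "process call create". Assumed list for this example.
WMI_CHILDREN = {"cmd.exe", "rundll32.exe", "powershell.exe",
                "wscript.exe", "cscript.exe", "regsvr32.exe"}


def parse_event(line: str) -> Dict[str, str]:
    """Turn one 'key=value key=value ...' line into a dict."""
    return {k: v for k, v in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def classify(ev: Dict[str, str]) -> Optional[str]:
    """Return the matching rule name, or None if the event looks benign."""
    eid = ev.get("EventID")
    if eid == "7045":
        # PsExec installs its own service on the target before running the
        # remote command; the service name/binary is a strong indicator.
        if (ev.get("ServiceName", "").upper() == "PSEXESVC"
                or "psexesvc" in ev.get("ImagePath", "").lower()):
            return "psexec_service_installed"
        return None
    if eid == "1":
        image = basename(ev.get("Image", ""))
        parent = basename(ev.get("ParentImage", ""))
        cmdline = ev.get("CommandLine", "").lower()
        if image == "psexesvc.exe":
            return "psexec_service_running"          # target side of PsExec
        if parent == "wmiprvse.exe" and image in WMI_CHILDREN:
            return "wmi_spawned_process"             # target side of WMI
        if image == "wmic.exe" and "/node:" in cmdline:
            return "wmic_remote_execution"           # attacking side of WMI
    return None


def detect(events: str) -> List[Tuple[str, str]]:
    """Scan newline-separated events; return (host, rule) for every hit."""
    hits: List[Tuple[str, str]] = []
    for line in events.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        rule = classify(ev)
        if rule:
            hits.append((ev.get("Host", "?"), rule))
    return hits


if __name__ == "__main__":
    for host, rule in detect(SAMPLE_EVENTS):
        print(f"{host}: {rule}")
```

Run against the sample, WS01 (a normal svchost start) and WS04 (WmiPrvSE itself being started by svchost, which is routine) produce nothing, while WS02, WS03 and WS05 are flagged. In a real deployment the same logic runs over Sysmon or Security log exports, and the WMI child-process list should be tuned to the software actually present in the environment.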
To pay or not to pay
Finally, although we generally do not recommend paying ransom, we understand that some companies feel they have no choice. However, if your data has already been affected by ExPetr ransomware, you should not pay under any circumstances.
Our experts discovered that this malware has no mechanism for saving the installation ID it shows to victims. Without that ID, the threat actor cannot recover the information needed for decryption. In short, they are simply unable to help victims restore their data, even if paid.
Emergency Petya/ExPetr webinar
To help businesses understand and defend against the ExPetr malware, our experts held an emergency webinar. Juan Andres Guerrero-Saade, senior security researcher in our Global Research and Analysis Team (GReAT) and Matt Suiche from Comae Technologies presented the very latest information on this threat and explained why it’s not ransomware but a wiper that was used for sabotage.