ExPetr targets serious business

Major pain: Critical infrastructure objects are among ExPetr’s (also known as NotPetya) victims.

The worst part is that far more critical infrastructure facilities are among the victims of this malware.

We’re witnessing an outbreak of a new breed of cryptomalware. Our experts have named it ExPetr (others call it Petya, PetrWrap, and some other names). The key difference with this new ransomware is that this time, criminals have chosen their targets with greater precision: Most of the victims are businesses, not consumers.

The worst part is that far more critical infrastructure facilities are among the victims of this malware. For example, a few flights were reportedly delayed in Kiev’s Boryspil airport because of the attack. And it gets even worse — the infamous Chernobyl nuclear plant’s radiation-monitoring system was reported to be temporarily down for the same reason.

Why do critical infrastructure systems keep getting hit by cryptomalware? It’s because they either are directly linked with corporate office networks or have direct access to the Internet.

What to do

Just like with WannaCry, we have two distinct problems: initial penetration of malware into a company’s infrastructure and its proliferation within. These two problems should be addressed separately.

Initial penetration

Our experts indicate various routes by which malware penetrates the network. In some cases, it used malicious sites (drive-by infection); users received the malware disguised as system update. In other cases, infection was spread by third-party software updates — for example, through Ukrainian accounting software called M.E.Doc. In other words, there is no single, predictable point of entry to guard.

We have some recommendations for preventing malware from penetrating your infrastructure:

  • Instruct your employees never to open suspicious attachments or click on links in e-mails (sounds obvious, but people just keep doing it);
  • Ensure that all systems connected to the Internet are equipped with up-to-date security solutions incorporating behavioral analysis components;
  • Check that critically important components of security solutions are enabled (for Kaspersky Lab products, ensure cloud-assisted threat intelligence network Kaspersky Security Network and behavioral engine System Watcher are active);
  • Regularly update security solutions;
  • Employ tools for controlling and monitoring security solutions from a single administrative console — and don’t allow employees to play around with their settings.

As an additional measure of protection (especially if you are not using Kaspersky Lab products), you can install our free Kaspersky Anti-Ransomware Tool, which is compatible with most other security solutions.

Proliferation within the network

Once it gets its hooks into a single system, ExPetr is much better than WannaCry at proliferating within a local network. That’s because it has an extended range of capabilities for that specific purpose. First, it uses at least two exploits: a modified EternalBlue (also used by WannaCry) and EternalRomance (another exploit of TCP port 445). Second, when it infects a system on which a user has administrative privileges, it starts disseminating itself using Windows Management Instrumentation technology or with the PsExec remote system control tool.

To prevent malware proliferation within your network (and especially within critical infrastructure systems), you should:

  • Isolate systems that require an active Internet connection in a separate network segment;
  • Split the remaining network into subnets or virtual subnets with restricted connections, connecting only those systems that require it for technology processes;
  • Get to know the advice Kaspersky Lab ICS CERT experts outlined after the WannaCry outbreak (encouraged for industrial companies in particular);
  • Make sure that critical Windows security updates are installed on time. Particularly important and relevant here, MS17-010 closes vulnerabilities exploited by EternalBlue and EternalRomance;
  • Isolate backup servers from the rest of the network and discourage using the connection to remote drives on the backup servers;
  • Prohibit the execution of a file called perfc.dat; using the Application Control feature of the Kaspersky Endpoint Security for Business suite or with the Windows AppLocker system utility;
  • For infrastructures containing multiple embedded systems, deploy specialized security solutions such as Kaspersky Embedded Security Systems;
  • Configure Default Deny mode as an additional protective measure on systems where it’s possible — for example, on utility computers with software that is rarely modified. This can be done within the Application Control component of the Kaspersky Endpoint Security for Business suite.

As always, we strongly recommend employing a multilayered information security approach, incorporating automatic software updates (including for the operating system), an antiransomware component, and a component that monitors all processes within the operating system.

To pay or not to pay

Finally, although we generally do not recommend paying ransom, we understand that some companies feel they have no choice. However, if your data has already been affected by ExPetr ransomware, you should not pay under any circumstances.

Our experts discovered that this malware has no mechanism for saving the installation ID. Without this ID, the threat actor cannot extract the necessary information needed for decryption. In short, they are simply unable to help victims with data recovery.

Emergency Petya/ExPetr webinar

To help businesses understand and defend against the ExPetr malware, our experts held an emergency webinar. Juan Andres Guerrero-Saade, senior security researcher in our Global Research and Analysis Team (GReAT) and Matt Suiche from Comae Technologies presented the very latest information on this threat and explained why it’s not ransomware but a wiper that was used for sabotage.

Tips