{"id":17314,"date":"2017-06-27T13:42:39","date_gmt":"2017-06-27T17:42:39","guid":{"rendered":"https:\/\/www.kaspersky.com\/blog\/?p=17314"},"modified":"2019-11-15T06:46:27","modified_gmt":"2019-11-15T11:46:27","slug":"new-ransomware-epidemics","status":"publish","type":"post","link":"https:\/\/www.kaspersky.com\/blog\/new-ransomware-epidemics\/17314\/","title":{"rendered":"New Petya \/ NotPetya \/ ExPetr ransomware outbreak"},"content":{"rendered":"<p><b>[Updated June 28, 1:30 PM EDT]<\/b><\/p>\n<p>Yesterday, a global ransomware outbreak began, and it looks to be as big as the <a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-ransomware\/16518\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">WannaCry story<\/a> that broke not so long ago.<\/p>\n<p>There are numerous reports that several large companies from different countries have been hit, and the magnitude of the epidemic is likely to grow even more.<\/p>\n<p>Some researchers suggested that the new ransomware might be either WannaCry (it\u2019s not), or some variation of <a href=\"https:\/\/www.kaspersky.com\/blog\/petya-ransomware\/11715\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Petya ransomware<\/a> (be it Petya.A, Petya.D, or <a href=\"https:\/\/securelist.ru\/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks\/30388\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PetrWrap<\/a>). Kaspersky Lab experts concluded that the new malware is significantly different from all earlier known versions of Petya, and that\u2019s why we are addressing it as a separate malware family. We\u2019ve named it ExPetr (or NotPetya \u2013 unofficially).<\/p>\n<p>The attack appears to be complex, involving several attack vectors. 
We can confirm that a modified EternalBlue <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/exploit\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">exploit<\/a> is used for propagation, at least within corporate networks. <a href=\"https:\/\/securelist.com\/schroedingers-petya\/78870\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">More technical info on the attack<\/a>.<\/p>\n<p><a href=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/06\/27133735\/wannamore-ransomware-screenshot.jpg\"><img decoding=\"async\" class=\"aligncenter size-full wp-image-17316\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/92\/2017\/06\/27133735\/wannamore-ransomware-screenshot.jpg\" alt=\"Petya \/ NotPetya \/ ExPetr ransom note\" width=\"1280\" height=\"745\"><\/a><\/p>\n<p>For now, know that Kaspersky Lab\u2019s products detect the new ransomware with the following verdicts:<\/p>\n<ul>\n<li>Trojan-Ransom.Win32.ExPetr.a<\/li>\n<li>HEUR:Trojan-Ransom.Win32.ExPetr.gen<\/li>\n<li>UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network)<\/li>\n<li>PDM:Trojan.Win32.Generic (detected by the System Watcher feature)<\/li>\n<li>PDM:Exploit.Win32.Generic (detected by the System Watcher feature)<\/li>\n<\/ul>\n<h2>Recommendations for our corporate customers<\/h2>\n<ol>\n<li>Make sure that the Kaspersky Security Network and System Watcher features are turned on.<\/li>\n<li>Manually update the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/antivirus-databases\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">antivirus databases<\/a> immediately.<\/li>\n<li>Install all security updates for Windows. 
The one that fixes bugs exploited by EternalBlue is especially important.<\/li>\n<li>As an additional means of protection you can use <a href=\"https:\/\/help.kaspersky.com\/KESWin\/10SP2\/en-US\/39265.htm\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Application Privilege Control<\/a>, which is a component of Kaspersky Endpoint Security, to <a href=\"http:\/\/support.kaspersky.com\/10905#block1\" target=\"_blank\" rel=\"noopener noreferrer\">deny any access<\/a> (and thus the possibility of interaction or execution) for all groups of applications to the file with the name <i>perfc.dat<\/i> and to prevent the PSExec utility (which is a part of the Sysinternals Suite) from running.<\/li>\n<li>Alternatively, use the <a href=\"https:\/\/help.kaspersky.com\/KESWin\/10SP2\/en-US\/129102.htm\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Application Startup Control<\/a> component of Kaspersky Endpoint Security to block execution of the PSExec utility, but please use Application Privilege Control to block <i>perfc.dat<\/i>.<\/li>\n<li>Configure and enable Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce proactive defense against this and other attacks.<\/li>\n<li>You can also use the AppLocker feature to disable execution of the aforementioned <i>perfc.dat<\/i> file and the PSExec utility.<\/li>\n<\/ol>\n<h3>Advice for individual customers<\/h3>\n<p>Home users seem to be less affected by this threat; the cybercriminals behind it targeted mostly big enterprises. However, effective protection never hurts. Here\u2019s what you can do:<\/p>\n<ol>\n<li>Back up your data. 
That\u2019s always a good thing to do in these turbulent times.<\/li>\n<li>If you are using one of our security solutions, make sure the Kaspersky Security Network and System Watcher components are turned on.<\/li>\n<li>Manually update the antivirus databases. Seriously, do it right now; it won\u2019t take much time.<\/li>\n<li>Install all security updates for Windows. The one that fixes bugs exploited by EternalBlue is especially important. <a href=\"https:\/\/www.kaspersky.com\/blog\/wannacry-windows-update\/16593\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Here\u2019s how to do it<\/a>.<\/li>\n<\/ol>\n<h3>Do not pay the ransom<\/h3>\n<p>According to an <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/new8xw\/hacker-behind-massive-ransomware-outbreak-cant-get-emails-from-victims-who-paid\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">update seen in Motherboard<\/a>, German e-mail provider Posteo has shut down the e-mail address that victims were supposed to use to contact blackmailers and send bitcoins, and from which they would receive decryption keys. With the e-mail address blocked, victims won\u2019t be able to pay the criminals or get their files back. 
At Kaspersky Lab, we do not advocate paying the ransom anyway, but in this case, it\u2019s certainly pointless.<\/p>\n<p><b>Update:<\/b> More than that, our experts\u2019 analysis <a href=\"https:\/\/securelist.com\/expetrpetyanotpetya-is-a-wiper-not-ransomware\/78902\/\" target=\"_blank\" rel=\"noopener noreferrer\">indicates there was never much hope for victims to recover their data<\/a>.<\/p>\n<p>Kaspersky Lab researchers have analyzed the high-level code of the <a href=\"https:\/\/encyclopedia.kaspersky.com\/glossary\/encryption\/?utm_source=kdaily&amp;utm_medium=blog&amp;utm_campaign=termin-explanation\" target=\"_blank\" rel=\"noopener\">encryption<\/a> routine and determined that after disk encryption, the threat actor could not decrypt victims\u2019 disks. To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya\/Mischa\/GoldenEye, this installation ID contained the information necessary for key recovery.<\/p>\n<p>ExPetr (aka NotPetya) does not have that installation ID (the \u2018installation key\u2019 shown in the ExPetr ransom note is just random gibberish), which means that the threat actor could not extract the information needed for decryption. In short, victims could not recover their data.<\/p>\n<p>Don\u2019t pay the ransom. It won\u2019t help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new ransomware outbreak is happening right now. 
Here&#8217;s what we know so far and what you can do to protect yourself from the threat.<\/p>\n","protected":false},"author":40,"featured_media":17315,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,2683],"tags":[478,1680,2545,574,2544,1511,420,422,723,2510],"class_list":{"0":"post-17314","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-blockers","10":"tag-cryptors","11":"tag-epidemics","12":"tag-news-2","13":"tag-outbreak","14":"tag-petya","15":"tag-ransomware","16":"tag-threats","17":"tag-trojans","18":"tag-wannacry"},"hreflang":[{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/new-ransomware-epidemics\/17314\/"},{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/new-ransomware-epidemics\/8698\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/new-ransomware-epidemics\/4712\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/new-ransomware-epidemics\/11710\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/new-ransomware-epidemics\/11249\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/new-ransomware-epidemics\/10732\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/new-ransomware-epidemics\/13581\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/new-ransomware-epidemics\/13641\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/new-ransomware-epidemics\/17855\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/new-ransomware-epidemics\/3319\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/new-ransomware-epidemics\/9226\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/new-ransomware-epidemics\/9204\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/new-ransomware-epidemics\/6963\/
"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/new-ransomware-epidemics\/16631\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/new-ransomware-epidemics\/17314\/"},{"hreflang":"en-za","url":"https:\/\/www.kaspersky.co.za\/blog\/new-ransomware-epidemics\/17314\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/www.kaspersky.com\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17314","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=17314"}],"version-history":[{"count":17,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17314\/revisions"}],"predecessor-version":[{"id":29958,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/17314\/revisions\/29958"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/17315"}],"wp:attachment":[{"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=17314"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=17314"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=17314"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}