Jump to content
  • Announcements

    • Rodion Nagornov

      Долгое сохранение сообщений || Delays while posting (click here to read the full text RU/EN)   09/20/2017

      По техническим причинам возможно визуально долгое отправление сообщений на форуме. Фактически ваше сообщение публикуется мгновенно - долго отрабатывает графика. В случае подобной ситуации, пожалуйста, сначала обновите страницу (F5) и проверьте, появилось ли ваше сообщение. Не пытайтесь сразу отправить его заново.  || Due to some technical reasons visual delays are possible while message sending. Actually your message is published immediately - just interface works long. In such case, please, do not re-send your message immediately! Press F5 to reload the page and check if your message/topic is published.
Sign in to follow this  

Communiqué Kaspersky Lab - Attaque ExPetr

Recommended Posts


Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality. We have named it ExPetr.


The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.


This appears to be a complex attack, which involves several vectors of compromise. We can confirm that modified EternalBlue and EternalRomance exploits are used by the criminals for propagation within the corporate network.


Kaspersky Lab detects the threat as:

• UDS:DangerousObject.Multi.Generic

• Trojan-Ransom.Win32.ExPetr.a

• HEUR:Trojan-Ransom.Win32.ExPetr.gen


Our behavior detection engine SystemWatcher detects the threat as

• PDM:Trojan.Win32.Generic

• PDM:Exploit.Win32.Generic


In most cases to date, Kaspersky Lab proactively detected the initial infection vector through its behavioral engine, System Watcher. We are also working on behavioral anti-ransomware detection improvement to proactively detect any possible future versions.


Kaspersky Lab experts will continue to examine the issue to determine whether it is possible to decrypt data locked in the attack – with the intention of developing a decryption tool as soon as they can.


We advise all companies to update their Windows software: Windows XP and Windows 7 users can protect themselves by installing MS17-010 security patch.


We also advise all organizations to ensure they have backup. Proper and timely backup of your data may be used to restore original files after a data loss event.


Kaspersky Lab corporate customers are also advised to:

• Check that all protection mechanisms are activated as recommended; and that KSN and System Watcher components (which are enabled by default) are not disabled.

• As an additional measure for corporate customers is to use Application Privilege Control to deny any access (and thus possibility of interaction or execution) for all the groups of applications to the file with the name "perfc.dat" and PSexec utility (part of the Sysinternals Suite) (https://help.kaspersky.com/KESWin/10SP2/en-US/39265.htm and http://support.kaspersky.com/10905)

• Configure and enable the Default Deny mode of the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce the proactive defense against this, and other attacks.


If you do not have Kaspersky Lab products on your device – use the AppLocker feature of Windows OS to disable the execution of any files that carry the name “perfc.dat” as well as the PSExec utility from the Sysinternals Suite.

Share this post

Link to post
Share on other sites
This topic is now closed to further replies.
Sign in to follow this