{"id":8698,"date":"2017-06-28T02:26:46","date_gmt":"2017-06-28T06:26:46","guid":{"rendered":"https:\/\/me-en.kaspersky.com\/blog\/?p=8698"},"modified":"2019-11-15T15:23:51","modified_gmt":"2019-11-15T11:23:51","slug":"new-ransomware-epidemics","status":"publish","type":"post","link":"https:\/\/me-en.kaspersky.com\/blog\/new-ransomware-epidemics\/8698\/","title":{"rendered":"New Petya \/ NotPetya \/ ExPetr ransomware outbreak"},"content":{"rendered":"<p><b>[Updated June 28, 1:30 PM EDT]<\/b><\/p>\n<p>Just a few hours ago, a global ransomware outbreak began, and it looks to be as big as the <a href=\"https:\/\/me-en.kaspersky.com\/blog\/wannacry-for-b2b\/6024\/\" target=\"_blank\" rel=\"noopener\">WannaCry<\/a> story that broke not so long ago.<\/p>\n<p>Those few hours were enough for several large companies from different countries to report infection, and the magnitude of the epidemic is likely to grow even more.<\/p>\n<p>It\u2019s not yet clear what exactly the new ransomware is. Some thought it might be either some variation of\u00a0<a href=\"https:\/\/www.kaspersky.com\/blog\/petya-ransomware\/11715\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Petya<\/a>\u00a0(be it Petya.A, Petya.D, or\u00a0<a href=\"https:\/\/securelist.ru\/petrwrap-the-new-petya-based-ransomware-used-in-targeted-attacks\/30388\/\" target=\"_blank\" rel=\"nofollow noopener noreferrer\">PetrWrap<\/a>), or that it could be WannaCry (it\u2019s not). Kaspersky Lab experts are now investigating this new threat, and as soon as they come up with solid facts, we\u2019ll update this post.<\/p>\n<p>This appears to be a complex attack that involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation, at least within corporate networks.\u00a0<a href=\"https:\/\/securelist.com\/schroedingers-petya\/78870\/\" target=\"_blank\" rel=\"noopener noreferrer\">More technical info on the attack<\/a>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-8700 alignleft\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/06\/28021733\/wannamore-ransomware-screenshot.jpg\" alt=\"\" width=\"1280\" height=\"745\"><\/p>\n<p>For now, know that Kaspersky Lab\u2019s products detect the new ransomware with the following verdicts:<\/p>\n<ul>\n<li>Trojan-Ransom.Win32.ExPetr.a<\/li>\n<li>HEUR:Trojan-Ransom.Win32.ExPetr.gen<\/li>\n<li>UDS:DangerousObject.Multi.Generic (detected by Kaspersky Security Network)<\/li>\n<li>PDM:Trojan.Win32.Generic (detected by the System Watcher feature)<\/li>\n<li>PDM:Exploit.Win32.Generic (detected by the System Watcher feature)<\/li>\n<\/ul>\n<h2>Recommendations for our corporate customers<\/h2>\n<ol>\n<li>Make sure that the Kaspersky Security Network and System Watcher features are turned on.<\/li>\n<li>Manually update the antivirus databases immediately.<\/li>\n<li>Install all security updates for Windows. The one that fixes the bugs exploited by EternalBlue is especially important.<\/li>\n<li>As an additional means of protection, you can use\u00a0<a href=\"https:\/\/help.kaspersky.com\/KESWin\/10SP2\/en-US\/39265.htm\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Application Privilege Control<\/a>, which is a component of Kaspersky Endpoint Security, to\u00a0<a href=\"http:\/\/support.kaspersky.com\/10905#block1\" target=\"_blank\" rel=\"noopener noreferrer\">deny any access<\/a>\u00a0(and thus any possibility of interaction or execution) for all groups of applications to the file with the name\u00a0<i>perfc.dat<\/i>\u00a0and to prevent the PSExec utility (which is a part of the Sysinternals Suite) from running.<\/li>\n<li>Alternatively, use the\u00a0<a href=\"https:\/\/help.kaspersky.com\/KESWin\/10SP2\/en-US\/129102.htm\" target=\"_blank\" rel=\"noopener noreferrer nofollow\">Application Startup Control<\/a>\u00a0component of Kaspersky Endpoint Security to block execution of the PSExec utility, but please use Application Privilege Control to block\u00a0<i>perfc.dat<\/i>.<\/li>\n<li>Configure and enable Default Deny mode in the Application Startup Control component of Kaspersky Endpoint Security to enforce proactive defense against this and other attacks.<\/li>\n<li>You can also use the AppLocker feature to disable execution of the aforementioned\u00a0<i>perfc.dat<\/i> file and the PSExec utility.<\/li>\n<\/ol>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone wp-image-8708 size-full\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/06\/28132128\/Banner_1460x300_B2B_EN.jpg\" alt=\"\" width=\"1460\" height=\"300\"><\/p>\n<h3>Advice for individual customers<\/h3>\n<p>Home users seem to be less affected by this threat; the cybercriminals behind it targeted mostly big enterprises. However, effective protection never hurts. Here\u2019s what you can do:<\/p>\n<ol>\n<li>Back up your data. That\u2019s always a good thing to do in these turbulent times.<\/li>\n<li>If you are using one of our security solutions, make sure the Kaspersky Security Network and System Watcher components are turned on.<\/li>\n<li>Manually update the antivirus databases. Seriously, do it right now; it won\u2019t take much time.<\/li>\n<li>Install all security updates for Windows. The one that fixes the bugs exploited by EternalBlue is especially important. <a href=\"https:\/\/me-en.kaspersky.com\/blog\/wannacry-windows-update\/7824\/\" target=\"_blank\" rel=\"noopener\">Here we explain how to do it<\/a>.<\/li>\n<\/ol>\n<p><a href=\"https:\/\/me-en.kaspersky.com\/downloads\/thank-you\/internet-security-free-trial\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-8701\" src=\"https:\/\/media.kasperskydaily.com\/wp-content\/uploads\/sites\/37\/2017\/06\/28022110\/ransomware_EN-1.png\" alt=\"\" width=\"1280\" height=\"270\"><\/a><\/p>\n<h3>Do not pay the ransom<\/h3>\n<p>According to an <a href=\"https:\/\/motherboard.vice.com\/en_us\/article\/new8xw\/hacker-behind-massive-ransomware-outbreak-cant-get-emails-from-victims-who-paid\" target=\"_blank\" rel=\"noopener nofollow\">update seen in Motherboard<\/a>, German email provider Posteo has shut down the e-mail address that victims were supposed to use to contact the blackmailers, confirm bitcoin transactions and receive decryption keys. This means that victims who might look to pay the criminals can no longer get their files back. At Kaspersky Lab, we do not advocate paying the ransom, and in this case it seems to be pointless anyway.<\/p>\n<p><b>Update:<\/b>\u00a0More than that, our experts\u2019 analysis indicates there was never much hope for victims to recover their data.<\/p>\n<p>Kaspersky Lab researchers have analyzed the high-level code of the encryption routine and determined that after disk encryption, the threat actor could not decrypt victims\u2019 disks. To decrypt, the threat actors need the installation ID. In previous versions of seemingly similar ransomware such as Petya\/Mischa\/GoldenEye, this installation ID contained the information necessary for key recovery.<\/p>\n<p>ExPetr (aka NotPetya) does not have that installation ID, which means that the threat actor could not extract the information needed for decryption. In short, victims could not recover their data.<\/p>\n<p>Don\u2019t pay the ransom. It won\u2019t help.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Just a few hours ago, a global ransomware outbreak began, and it looks to be as big as the WannaCry story that broke not so long ago.<\/p>\n","protected":false},"author":40,"featured_media":8699,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[5,1486],"tags":[543,1167,433,521],"class_list":{"0":"post-8698","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-news","8":"category-threats","9":"tag-news-2","10":"tag-patya-ransomware","11":"tag-ransomware","12":"tag-threats"},"hreflang":[{"hreflang":"en-ae","url":"https:\/\/me-en.kaspersky.com\/blog\/new-ransomware-epidemics\/8698\/"},{"hreflang":"ar","url":"https:\/\/me.kaspersky.com\/blog\/new-ransomware-epidemics\/4712\/"},{"hreflang":"en-us","url":"https:\/\/usa.kaspersky.com\/blog\/new-ransomware-epidemics\/11710\/"},{"hreflang":"en-gb","url":"https:\/\/www.kaspersky.co.uk\/blog\/new-ransomware-epidemics\/11249\/"},{"hreflang":"es-mx","url":"https:\/\/latam.kaspersky.com\/blog\/new-ransomware-epidemics\/10732\/"},{"hreflang":"es","url":"https:\/\/www.kaspersky.es\/blog\/new-ransomware-epidemics\/13581\/"},{"hreflang":"it","url":"https:\/\/www.kaspersky.it\/blog\/new-ransomware-epidemics\/13641\/"},{"hreflang":"ru","url":"https:\/\/www.kaspersky.ru\/blog\/new-ransomware-epidemics\/17855\/"},{"hreflang":"tr","url":"https:\/\/www.kaspersky.com.tr\/blog\/new-ransomware-epidemics\/3319\/"},{"hreflang":"x-default","url":"https:\/\/www.kaspersky.com\/blog\/new-ransomware-epidemics\/17314\/"},{"hreflang":"fr","url":"https:\/\/www.kaspersky.fr\/blog\/new-ransomware-epidemics\/9226\/"},{"hreflang":"pt-br","url":"https:\/\/www.kaspersky.com.br\/blog\/new-ransomware-epidemics\/9204\/"},{"hreflang":"pl","url":"https:\/\/plblog.kaspersky.com\/new-ransomware-epidemics\/6963\/"},{"hreflang":"ja","url":"https:\/\/blog.kaspersky.co.jp\/new-ransomware-epidemics\/16631\/"},{"hreflang":"en-au","url":"https:\/\/www.kaspersky.com.au\/blog\/new-ransomware-epidemics\/17314\/"},{"hreflang":"en-za","url":"htt
ps:\/\/www.kaspersky.co.za\/blog\/new-ransomware-epidemics\/17314\/"}],"acf":[],"banners":"","maintag":{"url":"https:\/\/me-en.kaspersky.com\/blog\/tag\/threats\/","name":"threats"},"_links":{"self":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/8698","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/users\/40"}],"replies":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/comments?post=8698"}],"version-history":[{"count":7,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/8698\/revisions"}],"predecessor-version":[{"id":14826,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/posts\/8698\/revisions\/14826"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media\/8699"}],"wp:attachment":[{"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/media?parent=8698"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/categories?post=8698"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/me-en.kaspersky.com\/blog\/wp-json\/wp\/v2\/tags?post=8698"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}