How to protect yourself against ExPetr virus attacks if you use Kaspersky Lab products for business

2017 Oct 30 ID: 13753

Kaspersky Lab experts are continuing to investigate the latest wave of cryptovirus infections to penetrate organizations all over the world. According to our preliminary data, this cryptovirus does not actually belong to the well-known Petya family of ransomware, although the two share several lines of code. This is a new family of malware whose functionality differs essentially from that of Petya. Kaspersky Lab has called this new cryptovirus ExPetr.

Kaspersky Lab experts currently believe that this malware used several attack vectors. It has been established that modified EternalBlue and EternalRomance exploits were used to spread ExPetr throughout corporate networks.

Kaspersky Lab products detect this malware with the verdict:

  • UDS:DangerousObject.Multi.Generic
  • Trojan-Ransom.Win32.ExPetr.a
  • HEUR:Trojan-Ransom.Win32.ExPetr.gen

The System Watcher behavior analyzer detects this malware with the verdict:

  • PDM:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Using the System Watcher, in the majority of cases Kaspersky Lab products proactively and successfully blocked the cryptovirus's initial attack vector. We are working on improving the System Watcher's ability to discover cryptoviruses, so that it will also be able to detect possible modifications of this piece of ransomware.

Our experts are also exploring the possibility of creating a decoding tool which would be able to decrypt data.

For more information about the attack, see the Kaspersky Lab report.

We recommend that companies take the following measures to reduce their risk of infection.

  1. Install the official Microsoft patch which fixes the vulnerability exploited by the virus.
  2. Make sure that all protection mechanisms are activated, that you are connected to the Kaspersky Security Network cloud infrastructure, and that the System Watcher is enabled.
  3. Update the databases of all the Kaspersky Lab products being used.

We also recommend, as an additional measure, using the Application Privilege Control component to prevent all application groups from accessing (and therefore executing) the PsExec utility from the Sysinternals package, as well as the following files:

  • %windir%\dllhost.dat
  • %windir%\psexesvc.exe
  • %windir%\perfc.dat
  • %appdata%\perfc.dat
  • %appdata%\dllhost.dat
  • *\psexec.exe
  • *\psexec64.exe

Configuring the settings via Kaspersky Security Center 10

How to configure the settings locally

If you don't use Kaspersky Lab products, we recommend that you prohibit the execution of the files mentioned above, as well as the PsExec utility from the Sysinternals package. You can do this by using the AppLocker feature included in the Windows operating system.
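The following PowerShell script is an added example of the AppLocker approach described above; it is not Kaspersky Lab's own code and not part of this article. It builds an AppLocker policy with Deny path rules for the PsExec binaries and the ExPetr file names listed earlier, includes the standard default Allow rules so that enabling the rule collections does not block every other program, tests the policy against sample files, and applies it locally. Everything beyond the file names from the list is an assumption: the policy file name, the function names, the `C:\Tools\PsExec*.exe` test paths, and the mapping of `%appdata%` (which AppLocker does not know as a path variable) to `%OSDRIVE%\Users\*\AppData\Roaming`. The `.dat` entries are placed in the Dll collection on the assumption that blocking them as loaded libraries is what matters; verify coverage with Test-AppLockerPolicy in your own environment.

```powershell
# Added example, not Kaspersky Lab's code. Denies execution of PsExec and the
# ExPetr file names from the article for all users via AppLocker path rules.
# Assumptions: run as administrator on a Windows edition that supports
# AppLocker. AppLocker denies anything a populated collection does not
# explicitly allow, so the default Allow rules are included; Deny rules take
# precedence over Allow rules, which is why the denies still win under
# %WINDIR%. %appdata% is not an AppLocker variable and is approximated with
# %OSDRIVE%\Users\*\AppData\Roaming (assumption).

$policyPath = Join-Path $env:TEMP 'block-expetr-applocker.xml'   # assumed file name

$Everyone = 'S-1-1-0'        # well-known SID: Everyone
$Admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

# Standard default Allow rules, the same shape AppLocker's own wizard generates
$defaultAllow = @(
    @{ Name = 'Allow Program Files';  Path = '%PROGRAMFILES%\*'; Action = 'Allow'; Sid = $Everyone },
    @{ Name = 'Allow Windows folder'; Path = '%WINDIR%\*';       Action = 'Allow'; Sid = $Everyone },
    @{ Name = 'Allow administrators'; Path = '*';                Action = 'Allow'; Sid = $Admins }
)

# Deny rules for the PsExec binaries (Exe collection)
$exeDeny = @(
    @{ Name = 'Deny psexesvc.exe'; Path = '%WINDIR%\psexesvc.exe'; Action = 'Deny'; Sid = $Everyone },
    @{ Name = 'Deny psexec.exe';   Path = '*\psexec.exe';          Action = 'Deny'; Sid = $Everyone },
    @{ Name = 'Deny psexec64.exe'; Path = '*\psexec64.exe';        Action = 'Deny'; Sid = $Everyone }
)

# Deny rules for the .dat files (Dll collection; see assumption in the lead-in)
$dllDeny = @(
    @{ Name = 'Deny dllhost.dat (Windows)'; Path = '%WINDIR%\dllhost.dat';                          Action = 'Deny'; Sid = $Everyone },
    @{ Name = 'Deny perfc.dat (Windows)';   Path = '%WINDIR%\perfc.dat';                            Action = 'Deny'; Sid = $Everyone },
    @{ Name = 'Deny perfc.dat (AppData)';   Path = '%OSDRIVE%\Users\*\AppData\Roaming\perfc.dat';   Action = 'Deny'; Sid = $Everyone },
    @{ Name = 'Deny dllhost.dat (AppData)'; Path = '%OSDRIVE%\Users\*\AppData\Roaming\dllhost.dat'; Action = 'Deny'; Sid = $Everyone }
)

# Render one FilePathRule element; each rule needs a unique GUID as its Id
function ConvertTo-PathRuleXml {
    param([hashtable]$Rule)
    $id   = [guid]::NewGuid().ToString()
    $name = [System.Security.SecurityElement]::Escape($Rule.Name)   # escape XML metacharacters
    $path = [System.Security.SecurityElement]::Escape($Rule.Path)
    return @"
    <FilePathRule Id="$id" Name="$name" Description="ExPetr mitigation" UserOrGroupSid="$($Rule.Sid)" Action="$($Rule.Action)">
      <Conditions>
        <FilePathCondition Path="$path" />
      </Conditions>
    </FilePathRule>
"@
}

# Render a whole RuleCollection (Exe or Dll) with enforcement switched on
function New-RuleCollectionXml {
    param([string]$Type, [hashtable[]]$Rules)
    $body = ($Rules | ForEach-Object { ConvertTo-PathRuleXml $_ }) -join "`n"
    return "  <RuleCollection Type=`"$Type`" EnforcementMode=`"Enabled`">`n$body`n  </RuleCollection>"
}

$policyXml = @"
<AppLockerPolicy Version="1">
$(New-RuleCollectionXml -Type 'Exe' -Rules ($defaultAllow + $exeDeny))
$(New-RuleCollectionXml -Type 'Dll' -Rules ($defaultAllow + $dllDeny))
</AppLockerPolicy>
"@
Set-Content -Path $policyPath -Value $policyXml -Encoding UTF8

# AppLocker enforcement depends on the Application Identity service
sc.exe config AppIDSvc start= auto | Out-Null
Start-Service -Name AppIDSvc

# Dry run before enforcing. The files named here must exist on disk for the
# test to evaluate them, e.g. PsExec copies placed in C:\Tools for verification
# (assumed paths). Expected decision for both: Denied.
Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone `
    -Path 'C:\Tools\PsExec.exe', 'C:\Tools\PsExec64.exe'

# Apply locally, merging with any AppLocker rules already present
Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```

Two points worth checking before rolling this out through Group Policy rather than locally: enabling the Dll rule collection affects every library load on the machine, so it should be tested in audit mode (EnforcementMode="AuditOnly") first and reviewed against the AppLocker event log, and the default Allow rules above cover only Program Files, the Windows folder and administrators, so any line-of-business software installed elsewhere needs its own Allow rule or it will be blocked along with PsExec.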