29 June 2017
On June 27, 2017, a large number of computers were attacked by cryptolocker ransomware.
Malicious software instructs its victim how to pay the ransom
According to Kaspersky Lab telemetry, by the end of the day most of the victims were located in Ukraine and Russia.
By the morning of July 28th, we had seen attacks on companies in the U.S., Europe and Asia.
The first publications in the mass media stated that the new malware was connected to the well-known malicious programs WannaCry and Petya. However, according to Kaspersky Lab research, this is new malware with some slight similarities to PetrWrap (a Petya modification), but most likely with no connection to it. We call it “ExPetr” to emphasize that it is not PetrWrap.
Since the malware uses reliable encryption algorithms, there are no known ways to decrypt or restore the encrypted files. After analyzing the malware’s encryption routine, our experts have concluded that the threat actor cannot decrypt victims’ data even if a payment is made (the technical details are available from here).
This supports the theory that this malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware.
At the moment, there is information on a few infection vectors.
There are two ways ExPetr (Petya) propagates inside the victim’s local network:
As it spreads across the victim’s network, the malicious software saves itself as a perfc.dat file in the Windows folder.
The malware overwrites the MBR on the victim’s hard drive with its own loader, which shows the ransom payment instructions and encrypts files with the following extensions:
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf .disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora .ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql .tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx .xvd .zip
As shown above, the list consists of popular office document extensions, as well as archives, mailboxes, virtual machine images, databases, backups, files used by the Microsoft Visual Studio development suite, and C, C++, C#, Python and PHP program sources.
The malware also uses reliable cryptographic algorithms. It securely generates a separate AES-128 encryption key for each file being encrypted and then encrypts that key with an RSA-2048 public key belonging to the malicious actors. So far, no significant mistakes have been found in the implementation of the encryption routine that would allow the victim’s encrypted files to be restored.
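The two host-level indicators given above (a perfc.dat file created in the Windows folder, and the MBR being overwritten) together with the extension list lend themselves to simple detection logic. The following Python script is an added example written for this page, not Kaspersky code: it runs three rules over a constructed, pipe-delimited event log whose layout (timestamp, pid, action, path) is an assumption made for the example, and it assumes that an MBR overwrite shows up as a raw write to a \\.\PhysicalDriveN device.

```python
"""Added example: hunt for the ExPetr indicators named in the advisory over a
constructed event log. The log format and the PhysicalDrive assumption are
inventions for this example, not a real product's telemetry."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Extension list taken from the advisory (lowercase, with leading dot).
TARGETED_EXTENSIONS = set("""
.3ds .7z .accdb .ai .asp .aspx .avhd .back .bak .c .cfg .conf .cpp .cs .ctl .dbf
.disk .djvu .doc .docx .dwg .eml .fdb .gz .h .hdd .kdbx .mail .mdb .msg .nrg .ora
.ost .ova .ovf .pdf .php .pmf .ppt .pptx .pst .pvi .py .pyc .rar .rtf .sln .sql
.tar .vbox .vbs .vcb .vdi .vfd .vmc .vmdk .vmsd .vmx .vsdx .vsv .work .xls .xlsx
.xvd .zip
""".split())

# Indicator 1: perfc.dat dropped directly in the Windows folder.
WINDOWS_PERFC_RE = re.compile(r"^[a-z]:\\windows\\perfc\.dat$", re.IGNORECASE)
# Indicator 2 (assumption): MBR overwrite seen as a raw write to \\.\PhysicalDriveN.
PHYSICAL_DRIVE_RE = re.compile(r"^\\\\\.\\physicaldrive\d+$", re.IGNORECASE)

# Constructed sample log: "timestamp|pid|action|path". pid 4120 plays the
# malware; pids 900 and 777 are ordinary processes that must not alert.
SAMPLE_EVENTS = r"""
2017-06-27T10:15:01|4120|FileCreate|C:\Windows\perfc.dat
2017-06-27T10:15:02|4120|RawWrite|\\.\PhysicalDrive0
2017-06-27T10:15:03|4120|FileWrite|C:\Users\acme\Documents\report.docx
2017-06-27T10:15:03|4120|FileWrite|C:\Users\acme\Documents\budget.xlsx
2017-06-27T10:15:04|900|FileWrite|C:\Backups\nightly.bak
2017-06-27T10:15:04|4120|FileWrite|C:\Users\acme\Mail\archive.pst
2017-06-27T10:15:05|777|FileWrite|C:\Temp\notes.txt
2017-06-27T10:15:05|4120|FileWrite|D:\VMs\hmi-server.vmdk
2017-06-27T10:15:06|4120|FileWrite|C:\Projects\scada\main.cpp
2017-06-27T10:15:07|4120|FileWrite|C:\Users\acme\Desktop\plan.pdf
2017-06-27T10:16:00|900|FileWrite|C:\Backups\nightly.log
""".strip()


def extension_of(path):
    """Return the lowercase extension of a Windows-style path, or '' if none."""
    name = path.rsplit("\\", 1)[-1]
    return ("." + name.rsplit(".", 1)[1].lower()) if "." in name else ""


def is_targeted(path):
    """True when the file has one of the extensions ExPetr encrypts."""
    return extension_of(path) in TARGETED_EXTENSIONS


def parse_event(line):
    ts, pid, action, path = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "pid": int(pid),
            "action": action, "path": path}


def analyze(lines, burst_threshold=5, window=timedelta(seconds=30)):
    """Apply the three rules and return (rule, pid, detail) alert tuples.

    Rule 3 is a behavioural heuristic: one process writing at least
    `burst_threshold` targeted files inside `window` fires once per pid."""
    alerts = []
    recent_writes = defaultdict(list)   # pid -> timestamps of targeted writes
    burst_reported = set()
    for line in lines:
        line = line.strip()
        if not line:
            continue
        ev = parse_event(line)
        pid, path = ev["pid"], ev["path"]
        if ev["action"] == "FileCreate" and WINDOWS_PERFC_RE.match(path):
            alerts.append(("perfc_dropped", pid, path))
        elif ev["action"] == "RawWrite" and PHYSICAL_DRIVE_RE.match(path):
            alerts.append(("mbr_overwrite", pid, path))
        elif ev["action"] == "FileWrite" and is_targeted(path):
            stamps = recent_writes[pid]
            stamps.append(ev["ts"])
            # Keep only writes inside the sliding window.
            recent_writes[pid] = [t for t in stamps if ev["ts"] - t <= window]
            if len(recent_writes[pid]) >= burst_threshold and pid not in burst_reported:
                burst_reported.add(pid)
                alerts.append(("mass_encryption", pid,
                               f"{len(recent_writes[pid])} targeted files within {window.seconds}s"))
    return alerts


if __name__ == "__main__":
    for rule, pid, detail in analyze(SAMPLE_EVENTS.splitlines()):
        print(f"[{rule}] pid={pid} {detail}")
```

The first two rules are exact-match indicators and are cheap to deploy as they stand; the third is deliberately loose (threshold and window are tunable) and will need baselining against legitimate bulk writers such as backup jobs, which is why the benign pid 900 in the sample touches a .bak file without crossing the threshold.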
In addition to the findings already reported by Kaspersky Lab and other researchers, Kaspersky has noted another interesting fact: if you look closely at the text of the ransom payment instructions, you will see that the use of punctuation (in the case below, commas) is not consistent with proper English grammar.
As Kaspersky Lab specialists have emphasised many times recently, the malicious actors behind ransomware attacks are switching their focus from home users to companies and organizations, and industrial companies are no exception.
Threats like ExPetr (Petya) are extremely dangerous for critical infrastructures and industrial companies because the attack can potentially impact the victim’s technological process automation/control systems. Such an attack could affect not only business production and finances, but also human safety.
According to our telemetry, many industrial companies are being attacked by ExPetr (Petya) malware. While there were cases in which actual industrial control systems were affected, in most cases only the business networks were hit.
Below is a graph of ExPetr (Petya) targets by industry, created from Kaspersky Security Network statistics as of June 28, 2017.
Breakdown of industrial companies attacked by industry
According to our data, at least 50 percent of the companies being attacked are manufacturing and oil & gas enterprises.
IOCs and Yara rules are accessible from here.
Our customers and KL ICS CERT subscribers will immediately be informed of all results and related information.
Note for the Kaspersky Lab product users:
Kaspersky Lab products detect the malware as:
UDS:DangerousObject.Multi.Generic
Trojan-Ransom.Win32.ExPetr.a
HEUR:Trojan-Ransom.Win32.ExPetr.gen
Our products with the System Watcher component enabled are able to detect and prevent the initial infection attempts even when the anti-malware databases are not up to date.
System Watcher detects the malware as:
PDM:Trojan.Win32.Generic
PDM:Exploit.Win32.Generic