Kaspersky Lab says the current global ransomware attack is not a variant of Petya, but rather a new ransomware that’s never been seen before.
In a statement, the security firm says: “Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organisations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality. We have named it ExPetr.

“The company’s telemetry data indicates around 2,000 attacked users so far. Organisations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.

“This appears to be a complex attack, which involves several vectors of compromise. We can confirm that modified EternalBlue and EternalRomance exploits are used by the criminals for propagation within the corporate network.”

Kaspersky Lab detects the threat as:

• UDS:DangerousObject.Multi.Generic
• Trojan-Ransom.Win32.ExPetr.a
• HEUR:Trojan-Ransom.Win32.ExPetr.gen

Its behaviour detection engine, System Watcher, detects the threat as:

• PDM:Trojan.Win32.Generic
• PDM:Exploit.Win32.Generic

“In most cases to date, Kaspersky Lab proactively detected the initial infection vector through its behavioural engine, System Watcher. We are also working on behavioural anti-ransomware detection improvement to proactively detect any possible future versions.”

Kaspersky Lab experts will continue to examine the issue to determine whether it is possible to decrypt data locked in the attack, with the intention of developing a decryption tool as soon as they can.

“We advise all companies to update their Windows software: Windows XP and Windows 7 users can protect themselves by installing the MS17-010 security patch,” the company says. “We also advise all organisations to ensure they have backups. Proper and timely backup of your data may be used to restore original files after a data loss event.”
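The advice above comes down to two things a defender can check on a Windows host today: whether the MS17-010 update is present, and whether the SMBv1 server that EternalBlue and EternalRomance target is still enabled. The script below is an added example, not part of the article or Kaspersky’s statement. The KB numbers are Microsoft’s update IDs that shipped MS17-010 in March 2017 (plus the May 2017 out-of-band release for XP and Server 2003); the function name `Test-Ms17010Exposure` is a hypothetical helper chosen here. Later cumulative updates supersede those KBs without carrying their IDs, so an empty KB list on Windows 10, or on a host that only takes monthly rollups, is not proof that the host is unpatched.

```powershell
# Added example (not from the article or Kaspersky): a quick host check for the
# MS17-010 update and the SMBv1 server that EternalBlue/EternalRomance target.
#
# KB IDs are the Microsoft updates that delivered MS17-010 in March 2017 plus the
# May 2017 out-of-band update for XP/2003. Later cumulative updates supersede
# them under other IDs, so "none found" is NOT proof of exposure on Windows 10
# or on hosts that only receive monthly rollups; check the rollup date there.
$Ms17010Kbs = @(
    'KB4012598',                          # XP, Server 2003, Vista, Server 2008
    'KB4012212', 'KB4012215',             # Windows 7, Server 2008 R2 (security-only, rollup)
    'KB4012214', 'KB4012217',             # Server 2012 (security-only, rollup)
    'KB4012213', 'KB4012216',             # Windows 8.1, Server 2012 R2 (security-only, rollup)
    'KB4012606', 'KB4013198', 'KB4013429' # Windows 10 1507, 1511, 1607
)

function Test-Ms17010Exposure {
    # Hypothetical helper name. Returns an object instead of printing so the
    # result can be collected from many hosts with Invoke-Command.
    $installed = @(Get-HotFix -ErrorAction SilentlyContinue |
        Where-Object { $Ms17010Kbs -contains $_.HotFixID } |
        Select-Object -ExpandProperty HotFixID)

    # SMBv1 server state. Get-SmbServerConfiguration exists on Windows 8 /
    # Server 2012 and later; on Windows 7 fall back to the LanmanServer
    # registry value, where a missing 'SMB1' value means SMBv1 is enabled.
    $cfg = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
    if ($cfg) {
        $smb1 = [bool]$cfg.EnableSMB1Protocol
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        $val = (Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue).SMB1
        $smb1 = ($null -eq $val) -or ($val -ne 0)
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        OSVersion      = [Environment]::OSVersion.Version.ToString()
        Ms17010Kbs     = ($installed -join ',')
        Smb1Enabled    = $smb1
        # An enabled SMBv1 server with no matching KB is the combination to
        # chase first; the exploits also need 445/TCP reachable from peers.
        NeedsAttention = ($smb1 -and ($installed.Count -eq 0))
    }
}

Test-Ms17010Exposure
```

Run it from an elevated prompt so `Get-HotFix` and the SMB configuration cmdlets can read the full update history; to sweep a set of hosts, wrap the call in `Invoke-Command -ComputerName` and pipe the objects to `Export-Csv`. Treat `NeedsAttention` as a triage flag, not a verdict: confirm with the host’s actual patch level before declaring it clean or vulnerable.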
In an updated statement, the company adds: “Our analysis indicates there is little hope for victims to recover their data. We have analysed the high-level code of the encryption routine and we have figured out that after disk encryption, the threat actor could not decrypt victims’ disks. To decrypt a victim’s disk, threat actors need the installation ID. In previous versions of “similar” ransomware like Petya/Mischa/GoldenEye this installation ID contained the information necessary for key recovery. ExPetr does not have that, which means that the threat actor could not extract the necessary information needed for decryption. In short, victims could not recover their data.”