At least half of the ExPetr encryption malware targets were industrial organisations, including electricity, oil and gas, transportation, logistics and other companies.
ExPetr is a type of encryption malware. Upon infecting a victim’s computer, it encrypts the hard drive and makes the computer inoperable, showing the victim a message demanding a ransom.
As Kaspersky Lab researchers have recently discovered, ExPetr is built in a way that makes it completely impossible to decrypt the files, even if the ransom is paid. For industrial facilities and critical infrastructure, the consequences of a successful attack using this malware could be devastating.
“At the moment it is hard to say whether ExPetr is specifically targeting any particular industry, or if it has hit so many industrial entities coincidentally,” says Kirill Kruglov, security expert at Kaspersky Lab. “However, the nature of this malware is such that it could easily stop the operation of a production facility for a considerable amount of time. That is why this attack is such a vivid example of why industrial entities should be reliably protected from cyberthreats.”
The global ExPetr outbreak was unleashed on 27 June. The malware attacked at least 2000 targets – mostly organisations in Ukraine and Russia. Attacks have also been registered in Poland, Italy, Germany, the UK, China, France and several other countries.
Kaspersky Lab confirms that the malware shares some strings with Petya and also uses the PsExec tool, but its functionality is entirely different from Petya’s, which is why it has been named ExPetr.
Kaspersky Lab detects the threat as:
* UDS:DangerousObject.Multi.Generic
* Trojan-Ransom.Win32.ExPetr.a
* HEUR:Trojan-Ransom.Win32.ExPetr.gen
The company’s behaviour-based detection engine, System Watcher, detects the threat as:
* PDM:Trojan.Win32.Generic
* PDM:Exploit.Win32.Generic
According to Kaspersky Lab experts, cybercriminals are shifting their focus from regular users to attacks on organisations. These attacks pose a particular threat to businesses operating critical infrastructure, since malware activity can crash systems and halt the production process. The ExPetr incident is yet another example of this worrying trend.