Petaling Jaya, 28 June 2017: Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. That is why we have named it NotPetya.
The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.
This appears to be a complex attack which involves several attack vectors. We can confirm that a modified EternalBlue exploit is used for propagation at least within the corporate network.
Kaspersky Lab detects the threat as UDS:DangerousObject.Multi.Generic.
Kaspersky Lab experts aim to release new signatures, including for the System Watcher component, as soon as possible and to determine whether it is possible to decrypt data locked in the attack, with the intention of developing a decryption tool as soon as they can.
Kaspersky Lab advises all companies to update their Windows software, to check their security solution and to ensure they have backup and ransomware detection in place.
Kaspersky Lab corporate customers are also advised to:
- Check that all protection is activated as recommended, and that they have enabled the KSN/System Watcher component.
- Use the AppLocker feature to disable the execution of any files that carry the name “perfc.dat”, as well as the PSExec utility from Sysinternals Suite.
