How to defend against ExPetr malware attacks if you use Kaspersky products for business

Latest update: November 01, 2019 ID: 13753

Kaspersky experts are continuing to investigate the latest wave of file-encrypting malware attacks on organizations all over the world. According to our preliminary data, this file-encrypting malware does not actually belong to the well-known Petya family of ransomware, although the two share several lines of code. In this case, we are dealing with a new family of malware whose functionality is essentially different from Petya's. Kaspersky has named this new file-encrypting malware ExPetr.

Kaspersky experts currently believe that this malware used several attack vectors. It has been established that modified EternalBlue and EternalRomance exploits were used to spread ExPetr throughout corporate networks.

Kaspersky products detect this malware with the verdict:

  • UDS:DangerousObject.Multi.Generic
  • Trojan-Ransom.Win32.ExPetr.a
  • HEUR:Trojan-Ransom.Win32.ExPetr.gen

The System Watcher behavior analyzer detects this malware with the verdict:

  • PDM:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Using System Watcher, Kaspersky products proactively blocked the initial attack vector of the file-encrypting malware in the majority of cases. We are working on improving System Watcher's ability to discover file-encrypting malware, so that it will also be able to detect possible modifications of this piece of ransomware.

Our experts are also exploring the possibility of creating a decryption tool that would be able to recover encrypted data.

For more information about the attack, see the Kaspersky report.

We recommend that companies take the following measures to reduce their risk of infection.

  1. Install the official Microsoft patch which fixes the vulnerability exploited by the malware:
  2. Make sure that all protection mechanisms are activated, that you are connected to the Kaspersky Security Network cloud infrastructure, and that the System Watcher is enabled.
  3. Update the databases of all the Kaspersky products being used.

We also recommend, as an additional measure, using the Application Privilege Control component to prevent all application groups from accessing (and, accordingly, executing) the PsExec utility from the Sysinternals package, as well as the following files:

  • %windir%\dllhost.dat
  • %windir%\psexesvc.exe
  • %windir%\perfc.dat
  • %appdata%\perfc.dat
  • %appdata%\dllhost.dat
  • *\psexec.exe
  • *\psexec64.exe

If you don’t use Kaspersky products, we recommend that you prohibit the execution of the files mentioned above, as well as the PSExec utility from the Sysinternals package. You can do this by using the AppLocker feature included in the Windows operating system.
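The AppLocker recommendation above, expressed as a PowerShell policy script (an added example, not code from this article or from Kaspersky). It assumes an elevated session on a Windows edition that ships AppLocker with the Application Identity service running; since %appdata% is not an AppLocker path variable, those two entries are written as %OSDRIVE%\Users\*\AppData\Roaming\..., and the .dat entries are placed in the Dll collection on the assumption that AppLocker evaluates them when they are loaded as libraries.

```powershell
# Added example (not from the Kaspersky article): build an AppLocker policy that denies the
# paths listed in the article and merge it into the local policy. Assumptions: elevated
# PowerShell, Windows edition with AppLocker, Application Identity service (AppIDSvc) running,
# otherwise nothing is enforced. %appdata% is not an AppLocker variable, so those paths are
# assumed to live under %OSDRIVE%\Users\*\AppData\Roaming.
$mode    = 'AuditOnly'   # switch to 'Enabled' once audit events show only the expected hits
$denyExe = '%WINDIR%\psexesvc.exe', '*\psexec.exe', '*\psexec64.exe'
$denyDll = '%WINDIR%\dllhost.dat', '%WINDIR%\perfc.dat',
           '%OSDRIVE%\Users\*\AppData\Roaming\perfc.dat',
           '%OSDRIVE%\Users\*\AppData\Roaming\dllhost.dat'

# S-1-1-0 = Everyone, S-1-5-32-544 = Administrators. In AppLocker a Deny rule always
# takes precedence over an Allow rule that matches the same file.
function New-PathRule([string]$Path, [string]$Action, [string]$Sid = 'S-1-1-0') {
    $id = [guid]::NewGuid()
    "<FilePathRule Id=`"$id`" Name=`"$Action $Path`" Description=`"ExPetr mitigation`" " +
    "UserOrGroupSid=`"$Sid`" Action=`"$Action`"><Conditions>" +
    "<FilePathCondition Path=`"$Path`"/></Conditions></FilePathRule>"
}

# A rule collection that contains any rule becomes default-deny, so the stock default Allow
# rules are included here; without them every other executable (or DLL) would be blocked.
function New-Collection([string]$Type, [string[]]$DenyPaths) {
    $rules = @(
        New-PathRule '%WINDIR%\*'       'Allow'
        New-PathRule '%PROGRAMFILES%\*' 'Allow'
        New-PathRule '*'                'Allow' 'S-1-5-32-544'
    ) + ($DenyPaths | ForEach-Object { New-PathRule $_ 'Deny' })
    "<RuleCollection Type=`"$Type`" EnforcementMode=`"$mode`">$($rules -join '')</RuleCollection>"
}

$policyXml = "<AppLockerPolicy Version=`"1`">" +
             (New-Collection 'Exe' $denyExe) + (New-Collection 'Dll' $denyDll) +
             "</AppLockerPolicy>"

$xmlPath = Join-Path $env:TEMP 'expetr-applocker.xml'
Set-Content -Path $xmlPath -Value $policyXml -Encoding UTF8

# -Merge adds these rules to the policy already in place instead of replacing it.
Set-AppLockerPolicy -XmlPolicy $xmlPath -Merge
Get-AppLockerPolicy -Effective -Xml   # review the merged result before enabling enforcement
```

Enabling the Dll collection has a performance and compatibility cost, which is why the script starts in AuditOnly mode: review the Microsoft-Windows-AppLocker EXE and DLL event logs for hits on paths other than the listed ones before setting the mode to Enabled.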
