How to protect yourself against ExPetr virus attacks if you use Kaspersky Lab products for business

2018 Jan 24 ID: 13753

Kaspersky Lab experts are continuing to investigate the latest wave of cryptovirus infections to penetrate organizations all over the world. According to our preliminary data, this cryptovirus does not actually belong to the well-known Petya family of ransomware, although the two share several lines of code. In this case, we are talking about a new family of malware whose functionality is essentially different from that of Petya. Kaspersky Lab has called this new cryptovirus ExPetr.

Kaspersky Lab experts currently believe that this malware used several attack vectors. It has been established that modified EternalBlue and EternalRomance exploits were used to spread ExPetr throughout corporate networks.

Kaspersky Lab products detect this malware with the verdict:

  • UDS:DangerousObject.Multi.Generic
  • Trojan-Ransom.Win32.ExPetr.a
  • HEUR:Trojan-Ransom.Win32.ExPetr.gen

The System Watcher behavior analyzer detects this malware with the verdict:

  • PDM:Trojan.Win32.Generic
  • PDM:Exploit.Win32.Generic

Using the System Watcher, in the majority of cases Kaspersky Lab products proactively and successfully blocked the cryptovirus’s initial attack vector. We’re working on improving the System Watcher’s ability to discover cryptoviruses, so that it will also be able to detect possible modifications to this piece of ransomware.

Our experts are also exploring the possibility of creating a decoding tool which would be able to decrypt data.

For more information about the attack, see the Kaspersky Lab report.

We recommend that companies take the following measures to reduce their risk of infection.

  1. Install the official Microsoft patch that fixes the vulnerability exploited by the virus.
  2. Make sure that all protection mechanisms are activated, that you are connected to the Kaspersky Security Network cloud infrastructure, and that the System Watcher is enabled.
  3. Update the databases of all the Kaspersky Lab products being used.

We also recommend, as an additional measure, using the Application Privilege Control component to prevent all application groups from accessing (and, accordingly, executing) the PsExec utility from the Sysinternals package, as well as the following files:

  • %windir%\dllhost.dat
  • %windir%\psexesvc.exe
  • %windir%\perfc.dat
  • %appdata%\perfc.dat
  • %appdata%\dllhost.dat
  • *\psexec.exe
  • *\psexec64.exe

If you don’t use Kaspersky Lab products, we recommend that you prohibit the execution of the files mentioned above, as well as the PsExec utility from the Sysinternals package. You can do this by using the AppLocker feature included in the Windows operating system.
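The following PowerShell script is an added example (not Kaspersky Lab's code) of how the path list above can be turned into AppLocker deny rules and merged into the local policy. It assumes AppLocker's own path variables (%WINDIR%, %OSDRIVE%) in place of the article's %windir%/%appdata%, since AppLocker does not expand %APPDATA%; it also assumes the .dat files belong in the Dll rule collection and that a copy of PsExec exists at C:\Tools\psexec.exe for the dry run.

```powershell
# Added example, not from the article: AppLocker deny rules for the ExPetr file list.
# Path mapping is an assumption: AppLocker has no %APPDATA% variable, so the
# per-user paths are expressed under %OSDRIVE%\Users\*\AppData\Roaming.
$exePaths = @('%WINDIR%\psexesvc.exe', '*\psexec.exe', '*\psexec64.exe')
$dllPaths = @('%WINDIR%\dllhost.dat', '%WINDIR%\perfc.dat',
              '%OSDRIVE%\Users\*\AppData\Roaming\perfc.dat',
              '%OSDRIVE%\Users\*\AppData\Roaming\dllhost.dat')

# Emit one FilePathRule (Action="Deny", applied to Everyone, S-1-1-0) per path.
function New-DenyRuleXml {
    param([string[]]$Paths)
    foreach ($p in $Paths) {
        $id   = [guid]::NewGuid().ToString()
        $name = [System.Security.SecurityElement]::Escape("Deny $p (ExPetr mitigation)")
        $cond = [System.Security.SecurityElement]::Escape($p)
@"
    <FilePathRule Id="$id" Name="$name" Description="" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions><FilePathCondition Path="$cond"/></Conditions>
    </FilePathRule>
"@
    }
}

# EnforcementMode="NotConfigured" leaves the existing enforcement setting untouched:
# switching Exe/Dll collections to Enforce without default allow rules and a running
# Application Identity service (AppIDSvc) would block all binaries on the host.
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="NotConfigured">
$((New-DenyRuleXml $exePaths) -join "`n")
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="NotConfigured">
$((New-DenyRuleXml $dllPaths) -join "`n")
  </RuleCollection>
</AppLockerPolicy>
"@

$xmlFile = Join-Path $env:TEMP 'expetr-deny.xml'
Set-Content -Path $xmlFile -Value $policyXml -Encoding UTF8

# Dry run first: the assumed local copy of PsExec should report a Denied decision.
Test-AppLockerPolicy -XmlPolicy $xmlFile -Path 'C:\Tools\psexec.exe' -User Everyone

# -Merge keeps the rules already in the local policy (including default allow rules).
Set-AppLockerPolicy -XmlPolicy $xmlFile -Merge
```

Deploying the same XML through Group Policy rather than the local policy, and leaving the Dll collection in audit mode until its performance impact has been measured, is the usual practice before enforcing on a fleet.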
