As Lab researchers have recently discovered, ExPetr is built in a way that means it is completely impossible to decrypt files, even if the ransom is payed. For industrial facilities and critical infrastructure, the consequences of a successful attack using this malware could be devastating.
“At the moment it is hard to say whether ExPetr is specifically targeting any particular industry, or if it has hit so many industrial entities coincidentally. However, the nature of this malware is such that it could easily stop the operation of a production facility for a considerable amount of time. That is why this attack is such avivid example of why industrial entities should be reliably protected from cyberthreats”, said Kirill Kruglov, security expert at Kaspersky Lab.
The global ExPetr outbreak was unleashed on June 27. The malware attacked at least 2000 targets – mostly organisations in Ukraine and Russia. Attacks have also been registered in Poland, Italy, Germany, United Kingdom, China, France and several other countries.
Kaspersky Lab confirmed that the malware shares some strings with Petya and also uses PsExec tools; but has an entirely different functionality to Petya – that is why it has been named ExPetr.
Kaspersky Lab detects the threat as: UDS:DangerousObject.Multi.Generic, Trojan-Ransom.Win32.ExPetr.a and HEUR:Trojan-Ransom.Win32.ExPetr.gen.
Our behaviour detection engine SystemWatcher detects the threat as: PDM:Trojan.Win32.Generic and PDM:Exploit.Win32.Generic.
According to Kaspersky Lab experts, cybercriminals are shifting their focus from regular users to attacks on organisations. These attacks pose a particular threat to businesses with critical infrastructure as malware activity can crash and stop the production process. The ExPetr incident is yet another example of this worrying trend.