Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publically reported, but a new ransomware that has not been seen before. That is why we have namedit Not Petya.
The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia andthe Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany,France, the US and several other countries.
This appears to be a complex attack which involves several attack vectors. We can confirm that amodified EternalBlue exploit is used for propagation at least within the corporate network.
Kaspersky Lab detects the threat as UDS: Dangeround Object.Multi.Generic.
Kaspersky Lab experts aim to release new signatures, including for the System Watcher component assoon as possible and to determine whether it is possible to decrypt data locked in the attack – with theintention ofdeveloping a decryption tool as soon as they can.
We advise all companies to update their Windows software, to check their security solution andensure they have back up and ransomware detection in place.
- Kaspersky Lab corporate customers are also advised to:
- Check that all protection is activated as recommended; and that they have enabled theKSN/System Watcher component.
- Use the AppLocker feature to disable the execution of any files that carry the name “perfc.dat”; as well as the
- PSExec utility from Sysinternals Suite.