Kaspersky Lab analysis shows that at least half of the ExPetr encryption malware targets were various industrial organizations. The list includes electricity, oil and gas, transportation, logistics and other companies.
ExPetr is a type of encryption malware. Upon infection of victim’s computer it encrypts the hard drive and makes the computer inoperable, showing a message to the victim demanding a ransom.
As Kaspersky Lab researchers have recently discovered, ExPetr is built in a way that means it is completely impossible to decrypt files, even if the ransom is payed. For industrial facilities and critical infrastructure, the consequences of a successful attack using this malware could be devastating.
Figure: The distribution of ExPetr targets based on Kaspersky Lab telemetry as of 28 June.
“At the moment it is hard to say whether ExPetr is specifically targeting any particular industry, or if it has hit so many industrial entities coincidentally. However, the nature of this malware is such that it could easily stop the operation of a production facility for a considerable amount of time. That is why this attack is such a vivid example of why industrial entities should be reliably protected from cyberthreats”, said Kirill Kruglov, security expert at Kaspersky Lab.
The global ExPetr outbreak was unleashed on June 27. The malware attacked at least 2000 targets – mostly organizations in Ukraine and Russia. Attacks have also been registered in Poland, Italy, Germany, United Kingdom, China, France and several other countries.
Kaspersky Lab confirmed that the malware shares some strings with Petya and also uses PsExec tools; but has an entirely different functionality to Petya – that is why it has been named ExPetr.
Kaspersky Lab detects the threat as:
Our behavior detection engine SystemWatcher detects the threat as:
According to Kaspersky Lab experts, cybercriminals are shifting their focus from regular users to attacks on organizations. These attacks pose a particular threat to businesses with critical infrastructure as malware activity can crash and stop the production process. The ExPetr incident is yet another example of this worrying trend.