This post was last edited by pal家族 on 2017-6-28 19:17
Kaspersky Lab statement on ‘ExPetr’ ransomware attacks reported 27 June
Kaspersky Lab’s analysts are investigating the new wave of ransomware attacks targeting organizations across the world. Our preliminary findings suggest that it is not a variant of Petya ransomware as publicly reported, but a new ransomware that has not been seen before. While it has several strings similar to Petya, it possesses entirely different functionality. We have named it ExPetr.
The company’s telemetry data indicates around 2,000 attacked users so far. Organizations in Russia and the Ukraine are the most affected, and we have also registered hits in Poland, Italy, the UK, Germany, France, the US and several other countries.
This appears to be a complex attack, which involves several vectors of compromise. We can confirm that modified EternalBlue and EternalRomance exploits are used by the criminals for propagation within the corporate network.
Kaspersky Lab detects the threat as:
· UDS:DangerousObject.Multi.Generic
· Trojan-Ransom.Win32.ExPetr.a
· HEUR:Trojan-Ransom.Win32.ExPetr.gen
Our behavior detection engine System Watcher detects the threat as:
· PDM:Trojan.Win32.Generic
· PDM:Exploit.Win32.Generic
In most cases to date, Kaspersky Lab proactively detected the initial infection vector through its behavioral engine, System Watcher. We are also working on behavioral anti-ransomware detection improvement to proactively detect any possible future versions.
Kaspersky Lab experts will continue to examine the issue to determine whether it is possible to decrypt data locked in the attack, with the intention of developing a decryption tool as soon as they can.
We advise all companies to update their Windows software: Windows XP and Windows 7 users can protect themselves by installing the MS17-010 security patch.
We also advise all organizations to ensure they have backups. Proper and timely backup of your data may be used to restore original files after a data loss event.
Kaspersky Lab corporate customers are also advised to:
· Check that all protection mechanisms are activated as recommended, and that the KSN and System Watcher components (which are enabled by default) are not disabled.
· You can alternatively use the Application Startup Control component of Kaspersky Endpoint Security ( https://help.kaspersky.com/KESWin/10SP2/en-US/129102.htm ) to block the execution of the PSExec utility (part of the Sysinternals Suite), but please use Application Privilege Control in order to block "perfc.dat".
· Configure and enable the Default Deny mode of the Application Startup Control component of Kaspersky Endpoint Security to ensure and enforce proactive defense against this and other attacks.
If you do not have a reliable AV on your device, use the AppLocker feature of the Windows OS to disable the execution of any files that carry the name "perfc.dat" as well as the PSExec utility from the Sysinternals Suite.
official doc
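The two concrete pieces of advice in the statement (install MS17-010; use AppLocker to block "perfc.dat" and PsExec) as one worked script. This is an added example, not Kaspersky's own guidance or code from the original post. It is written for an elevated PowerShell on Windows 7 Enterprise/Ultimate, the editions that ship AppLocker (Windows XP has no AppLocker, so only the patch check applies there). Assumptions: the KB numbers are the ones I recall for Windows 7 SP1 and Windows XP and must be checked against the MS17-010 bulletin for your exact OS; $PsExecCopy is a hypothetical path to a local copy of PsExec, used to derive a publisher rule, which goes slightly beyond the name-based blocking the statement describes because it also catches renamed copies; the AppLocker policy XML is hand-written here and deliberately includes AppLocker's three default allow rules.

```powershell
# Added example, not part of Kaspersky's statement or the original post.
# Run from an elevated PowerShell on Windows 7 Enterprise/Ultimate. AppLocker does
# not exist on Windows XP (nor on Windows 7 Professional); there only step 1 applies.
Import-Module AppLocker   # needed explicitly on PowerShell 2.0

# ---- 1. Is MS17-010 installed? ---------------------------------------------
# KB numbers as I recall them for Windows 7 SP1 (security-only / monthly rollup)
# and Windows XP; confirm them against the MS17-010 bulletin for your exact OS.
# Later cumulative rollups contain the same fix, so "not found" means
# "investigate", not "definitely unpatched".
$Ms17010Kbs = 'KB4012212', 'KB4012215', 'KB4012598'
$found = Get-HotFix | Where-Object { $Ms17010Kbs -contains $_.HotFixID }
if ($found) { "MS17-010 present: $($found.HotFixID -join ', ')" }
else        { Write-Warning "No MS17-010 KB found; look for a newer rollup or patch now." }

# ---- 2. Build an AppLocker policy ------------------------------------------
$everyone = 'S-1-1-0'        # well-known SID: Everyone
$admins   = 'S-1-5-32-544'   # well-known SID: BUILTIN\Administrators

function New-DefaultAllowRules {
    # AppLocker's own default rules. They are essential: once a collection holds
    # any rule, everything in it that no Allow rule covers is blocked, so a
    # Deny-only policy would break the machine. Deny still wins over Allow, so
    # the Administrators "*" rule does not reopen the holes closed below.
    @(
        @{ Sid = $everyone; Path = '%PROGRAMFILES%\*'; Name = '(Default) Program Files' },
        @{ Sid = $everyone; Path = '%WINDIR%\*';       Name = '(Default) Windows' },
        @{ Sid = $admins;   Path = '*';                Name = '(Default) Administrators' }
    ) | ForEach-Object {
        "    <FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$($_.Name)`" Description=`"`" UserOrGroupSid=`"$($_.Sid)`" Action=`"Allow`"><Conditions><FilePathCondition Path=`"$($_.Path)`" /></Conditions></FilePathRule>"
    }
}

function New-DenyPathRule([string]$Name, [string]$Path) {
    "    <FilePathRule Id=`"$([guid]::NewGuid())`" Name=`"$Name`" Description=`"`" UserOrGroupSid=`"$everyone`" Action=`"Deny`"><Conditions><FilePathCondition Path=`"$Path`" /></Conditions></FilePathRule>"
}

# PsExec: a publisher rule derived from a local copy of the signed binary
# ($PsExecCopy is a hypothetical path) also catches renamed copies; without a
# copy, fall back to path rules on the two usual file names.
$PsExecCopy = 'C:\Tools\PsExec.exe'
if (Test-Path $PsExecCopy) {
    $p = (Get-AppLockerFileInformation -Path $PsExecCopy).Publisher
    $psexecRules = @"
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Deny PsExec (publisher)" Description="" UserOrGroupSid="$everyone" Action="Deny">
      <Conditions>
        <FilePublisherCondition PublisherName="$($p.PublisherName)" ProductName="$($p.ProductName)" BinaryName="*">
          <BinaryVersionRange LowSection="*" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
"@
} else {
    $psexecRules = ((New-DenyPathRule 'Deny psexec.exe' '*\psexec.exe'),
                    (New-DenyPathRule 'Deny psexec64.exe' '*\psexec64.exe')) -join "`n"
}

# perfc.dat is loaded as a DLL (rundll32), so its rule must sit in the Dll
# collection, which is off by default and checks every DLL load: measure the
# performance impact before deploying it broadly.
$perfcRule = New-DenyPathRule 'Deny perfc.dat anywhere' '*\perfc.dat'

$policy = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
$((New-DefaultAllowRules) -join "`n")
$psexecRules
  </RuleCollection>
  <RuleCollection Type="Dll" EnforcementMode="Enabled">
$((New-DefaultAllowRules) -join "`n")
$perfcRule
  </RuleCollection>
</AppLockerPolicy>
"@
$file = Join-Path $env:TEMP 'expetr-applocker.xml'
Set-Content -Path $file -Value $policy -Encoding UTF8

# ---- 3. Dry run, then enforce ----------------------------------------------
# Ordinary binaries must still come back Allowed; the PsExec copy, if present, Denied.
$probe = @("$env:WINDIR\System32\notepad.exe")
if (Test-Path $PsExecCopy) { $probe += $PsExecCopy }
Test-AppLockerPolicy -XmlPolicy $file -User $everyone -Path $probe |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# Nothing is enforced unless the Application Identity service runs.
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc
Set-AppLockerPolicy -XmlPolicy $file -Merge   # -Merge keeps any existing local rules
```

Two things to check after running it: `Get-AppLockerPolicy -Effective -Xml` should show both collections enforced with the deny rules present, and the dry run must report notepad.exe as Allowed before you enforce, otherwise the default allow rules did not land and the machine would be locked down far beyond the two targets. A path rule on "perfc.dat" only helps while the payload keeps that file name, which is exactly why the statement points corporate customers at Application Privilege Control and Default Deny mode rather than name-based blocking alone.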