New Ransomware Variant “Nyetya” Compromises Systems Worldwide

New Ransomware Variant “Nyetya” Compromises Systems Worldwide

Cisco customers are protected against Nyetya. New variant of Ransomware Nyetya compromises systems worldwide.

This article provides information to help detect virus behavior. Cisco Talos studies their behavior and presents tools to mitigate these risks.

Screenshot of a system compromised by Nyetya
Screenshot of a system compromised by Nyetya

Note: This blog entry discusses Talos’ active research into a new threat. This information must be considered preliminary and will be updated throughout the day. At the bottom of this publication is the URL of the source.Ransomware Nyetya.

Update 2017-06-27 6:00 pm EDT: Updated to include some of the technical functionality for the ransomware component of this attack.


Ransomware Nyetya. Since the SamSam attacks that attacked US health agencies in March 2016, Talos has been concerned about the proliferation of ransomware through unpatched network vulnerabilities. In May 2017, WannaCry ransomware exploited a vulnerability in SMBv1 and spread like wildfire through the Internet.

Today a new variant of malware has emerged that is quite different from Petya that people have referred to it by various names like Petrwrap and GoldenEye. Talos is identifying this new variant of malware as Nyetya. Our current research leads us to believe that the sample takes advantage of EternalBlue and WMI for lateral movement within an affected network. This behavior is different from WannaCry, since it does not appear to be an external scan component. In addition, there may also be a psexec vector which is also used to propagate internally.

Identification of the initial vector has been shown to be more challenging. The first reports of an e-mail vector can not be confirmed. Based on the observed behaviors, the lack of a known and viable mechanism of external propagation and other investigations we believe that it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos continues to investigate the initial vector of this malware.

The Snort rules that detect attempts to exploit MS17-010 have been available since April 2017. Additionally, Talos has blacklisted known samples of this new variant of ransomware in AMP.


Malware functionality

In our research on this variant of ransomware, Talos noted that compromised systems have a file called “Perfc.dat”. Perfc.dat contains the functionality required to further compromise the system and contains a single unnamed export function named # 1. The library attempts to obtain administrative privileges (SeShutdowPrivilege and SeDebugPrivilege) for the current user through the Windows AdjustTokenPrivileges API. If successful, ransomware will overwrite the master boot record (MBR) on the disk drive named PhysicalDrive 0 within Windows. Regardless of whether the malware succeeds in overwriting the MBR or not, it will then proceed to create a scheduled task through schtasks to reboot the system one hour after infection.

As part of the propagation process, malware enumerates all machines visible on the network through NetServerEnum and then searches for an open TCP port 139. This is done to compile a list of devices that expose this port and may possibly be susceptible to compromise.

The malware has three mechanisms used to propagate once a device is infected:
EternalBlue – the same feat used by WannaCry.
Psexec: A legitimate Windows administration tool.
WMI – Windows Management Instrumentation, a legitimate Windows component.
These mechanisms are used to attempt the installation and execution of perfc.dat on other devices to propagate laterally.

For systems that have not applied MS17-010, the EternalBlue exploit is used to compromise systems. We have written about this previously in our coverage of WannaCry.

Psexec is used to execute the following command (where w.x.y.z is an IP address) using the current user’s Windows token to install the malware on the networked device. Talos continues to investigate methods in which the “current user’s Windows token” is retrieved from the machine.


C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1


WMI is used to execute the following command that performs the same function as before, but using the username and password of the current user (such as user name and password). Talos continues to investigate how credentials are retrieved from the machine at this time.


Wbem\wmic.exe /node:”w.x.y.z” /user:”username” /password:”password” “process call create “C:\Windows\System32\rundll32.exe \”C:\Windows\perfc.dat\” #1″


Once a system is successfully committed, malware encrypts the files on the host using 2048-bit RSA encryption. In addition, malware cleans event logs on the compromised device using the following command:


wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:


Cisco customers are protected against Nyetya through the following products and services.
Advanced Malware Protection (AMP) is ideal for preventing the execution of malware used by these threat actors.

Network security devices such as NGFW, NGIPS, and Meraki MX can detect malicious activities associated with this threat.

AMP Threat Grid helps identify malicious binaries and create protection on all Cisco Security products.

Email and web have not been identified as an attack vector at this time. Also, there are no known C2 elements related to this malware at this time.

Customers of the Snort open source subscriber rule set can keep up to date by downloading the latest rule pack available for purchase from

See full original news:


Share this post