New variant of “Nyetya” Ransomware compromises systems worldwide

Clients of Cisco they are protected against Nyetya. New variant of "Nyetya" Ransomware compromises systems worldwide

This article provides information to help detect virus behavior. Cisco Talos studies their behavior and presents the tools to mitigate these risks.
Screenshot of a system compromised by Nyetya
Screenshot of a system compromised by Nyetya
Note: This blog post discusses Talos' active investigation into a new threat. This information should be considered preliminary and will be updated throughout the day. The source URL appears at the bottom of this post. Nyetya ransomware . Update 2017-06-27 6:00 pm EDT: Updated to include some of the technical functionality for the ransomware component of this attack.   Nyetya ransomware . Since SamSam ramsomware attacks  which attacked US healthcare entities in March 2016, Talos has been concerned about the proliferation of ransomware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware exploited a vulnerability in SMBv1 and spread like wildfire across the Internet. Today a new malware variant has emerged that is so different from Petya that people have referred to it by various names like Petrwrap and GoldenEye. Talos is identifying this new malware variant as Nyetya. Our current research leads us to believe that the sample leverages EternalBlue and WMI for lateral movement within an affected network. This behavior is different from WannaCry in that it does not appear to be an external scanning component. In addition, there may also be a psexec vector that is also used to propagate internally. Identifying the initial vector has proven to be more challenging. The first reports of an email vector cannot be confirmed. Based on the observed behaviors, the lack of a known and viable external propagation mechanism and other research we believe that it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos continues to investigate the initial vector of this malware. Snort's rules that detect attempts to exploit MS17-010 have been available since April 2017. Additionally, Talos has blacklisted known samples of this new ransomware variant in AMP.  

Malware functionality

In our research on this ransomware variant, Talos observed that compromised systems have a file called "Perfc.dat". Perfc.dat contains the functionality needed to further compromise the system and contains a single unnamed export function named # 1. The library tries to obtain administrative privileges (SeShutdowPrivilege and SeDebugPrivilege) for the current user through the Windows API AdjustTokenPrivileges. If successful, the ransomware will overwrite the Master Boot Record (MBR) on the disk drive named PhysicalDrive 0 within Windows. Regardless of whether the malware succeeds in overwriting the MBR or not, it will then proceed to create a scheduled task via schtasks to reboot the system one hour after infection. As part of the propagation process, the malware enumerates all machines visible on the network through NetServerEnum and then looks for an open TCP port 139. This is done to compile a list of devices that expose this port and can possibly be compromised. Malware has three mechanisms used to spread once a device is infected: EternalBlue - the same feat used by WannaCry. Psexec - A legitimate Windows administration tool. WMI - Windows Management Instrumentation, a legitimate Windows component. These mechanisms are used to try to install and run perfc.dat on other devices to spread laterally. For systems that have not applied MS17-010, the EternalBlue exploit is exploited to compromise systems. We have written about this previously in our WannaCry coverage. Psexec is used to execute the following statement (where wxyz is an IP address) using the Windows token of the current user to install the malware on the network device. Talos is still investigating the methods by which the "current user's Windows token" is retrieved from the machine.   C: \ WINDOWS \ dllhost.dat \\ wxyz -accepteula -s -d C: \ Windows \ System32 \ rundll32.exe C: \ Windows \ perfc.dat, # 1   WMI is used to run the following command that performs the same function as above, but using the username and password of the current user (such as username and password). Talos is still investigating how credentials are retrieved from the machine at this time.   Wbem \ wmic.exe / node: "wxyz" / user: "username" / password: "password" "process call create" C: \ Windows \ System32 \ rundll32.exe \ "C: \ Windows \ perfc.dat \" #1"   After a system is successfully compromised, the malware encrypts files on the host using RSA 2048-bit encryption. Additionally, the malware cleans up the event logs on the compromised device using the following command:   wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal / D% c:  


Clients of Cisco are protected against Nyetya through the following products and services. Advanced Malware Protection (AMP) it is ideal for preventing the execution of the malware used by these threat actors. Network security devices such as NGFW, NGIPS, and Meraki MX can detect malicious activities associated with this threat. AMP Threat Grid helps identify malicious binaries and build protection across all Cisco Security products. Email and the web have not been identified as an attacking vector at this time. Also, there are no known C2 items related to this malware at this time. Customers of the Snort Open Source Subscriber Ruleset can stay up-to-date by downloading the latest rule pack available for purchase at   See the full original news:

Share this post