New “Nyetya” Ransomware Variant Compromises Systems Worldwide

Cisco customers are protected against Nyetya.

This article provides information to help detect the malware's behavior. Cisco Talos studies that behavior and presents tools to mitigate the risk.

[Image: Screenshot of a system compromised by Nyetya]

Note: This blog post discusses Talos’ active investigation into a new threat. This information should be considered preliminary and will be updated throughout the day. The source URL appears at the bottom of this post.

Update 2017-06-27 6:00 pm EDT: Updated to include some of the technical functionality for the ransomware component of this attack.

Since the SamSam ransomware attacks that targeted U.S. health entities in March 2016, Talos has been concerned about the proliferation of ransomware through unpatched network vulnerabilities. In May 2017, the WannaCry ransomware exploited a vulnerability in SMBv1 and spread like wildfire across the Internet.

Today a new malware variant has emerged that is distinct from Petya, which people have referred to by various names such as Petrwrap and GoldenEye. Talos is identifying this new malware variant as Nyetya. Our current research leads us to believe that the sample leverages EternalBlue and WMI for lateral movement within an affected network. This behavior is different from WannaCry, as there does not appear to be an external scanning component. In addition, there may be a psexec vector that is also used to propagate internally.

Identification of the initial vector has proven to be more challenging. Early reports of an email vector cannot be confirmed. Based on the observed behaviors, the lack of a known and viable external propagation mechanism, and other research, we believe it is possible that some infections may be associated with the software update system for a Ukrainian tax accounting package called MeDoc. Talos continues to investigate the initial vector of this malware.

Snort rules that detect attempts to exploit MS17-010 have been available since April 2017. Additionally, Talos has blacklisted known samples of this new ransomware variant in AMP.

Malware functionality

In our research on this ransomware variant, Talos observed that compromised systems have a file named “Perfc.dat”. Perfc.dat contains the functionality needed to further compromise the system and exposes a single unnamed export, referenced by ordinal #1. The library attempts to obtain administrative privileges (SeShutdownPrivilege and SeDebugPrivilege) for the current user via the Windows AdjustTokenPrivileges API. If successful, the ransomware will overwrite the master boot record (MBR) on the drive named \\.\PhysicalDrive0 inside Windows. Regardless of whether the malware succeeds in overwriting the MBR or not, it will then proceed to create a scheduled task via schtasks to reboot the system one hour after infection.

As part of the propagation process, the malware enumerates all machines visible on the network via NetServerEnum and then looks for an open TCP 139 port. This is done to compile a list of devices that expose this port and may possibly be susceptible to compromise.
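The enumeration-then-probe behavior described above has a network-side footprint a defender can look for: one internal host opening TCP 139 connections to many distinct peers in a short window. The following is an added example, not Talos' code or a Cisco product signature; it runs over constructed flow records whose shape (timestamp, source, destination, destination port), IP addresses and threshold are assumptions for the demo.

```python
"""Flag hosts that fan out to TCP 139 across the local network.

Added example, not from the original post. The flow-record layout, the
addresses and the threshold below are assumptions chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, source IP, destination IP, destination port).
_BASE = datetime(2017, 6, 27, 9, 0, 0)
SAMPLE_FLOWS = (
    # 10.0.0.4 probes twelve different hosts on 139 within one minute:
    # the pattern an infected machine produces after NetServerEnum.
    [(_BASE + timedelta(seconds=5 * i), "10.0.0.4", f"10.0.0.{100 + i}", 139)
     for i in range(12)]
    # 10.0.0.9 talks to a single file server on 139 all morning: normal SMB use.
    + [(_BASE + timedelta(seconds=30 * i), "10.0.0.9", "10.0.0.20", 139)
       for i in range(12)]
    # unrelated HTTPS traffic from the suspicious host, ignored by the port filter.
    + [(_BASE + timedelta(seconds=7), "10.0.0.4", "10.0.0.50", 443)]
)


def find_smb_scanners(flows, threshold=8, window=timedelta(minutes=5), port=139):
    """Return {source: distinct_destinations} for every source that reaches at
    least `threshold` distinct destinations on `port` inside any `window`.

    Distinct destinations are what matter: a host that repeatedly contacts the
    same file server is not scanning, however many flows it generates.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, probes in by_src.items():
        probes.sort()
        best = 0
        # For each probe as a window start, count distinct peers inside the window.
        for i, (start, _) in enumerate(probes):
            seen = {dst for ts, dst in probes[i:] if ts - start <= window}
            best = max(best, len(seen))
        if best >= threshold:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in find_smb_scanners(SAMPLE_FLOWS).items():
        print(f"{src}: {count} distinct hosts on TCP 139 within 5 minutes")
```

The threshold is a tuning knob: on a flat /24 with a browser service still enabled, a legitimate host rarely needs to open 139 to more than a handful of peers in five minutes, so even a modest value separates the fan-out from ordinary file-share use.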

The malware has three mechanisms used to spread once a device is infected:
EternalBlue – the same exploit used by WannaCry.
Psexec – a legitimate Windows management tool.
WMI – Windows Management Instrumentation, a legitimate Windows component.
These mechanisms are used to attempt to install and execute perfc.dat on other devices to spread laterally.

For systems that have not applied MS17-010, the EternalBlue exploit is leveraged to compromise systems. We have written about this previously in our WannaCry coverage.

Psexec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user’s Windows token to install the malware on the networked device. Talos continues to investigate methods in which the “current user’s Windows token” is retrieved from the machine.

C:\WINDOWS\dllhost.dat \\w.x.y.z -accepteula -s -d C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1

WMI is used to execute the following command which performs the same function as above, but using the current user’s username and password (as username and password). Talos is still investigating how to retrieve the machine’s credentials at this point.

Wbem\wmic.exe /node:"w.x.y.z" /user:"username" /password:"password" /process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"

Once a system is successfully compromised, the malware encrypts files on the host using 2048-bit RSA encryption. In addition, the malware wipes the event logs on the compromised device using the following command:

wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & wevtutil cl Application & fsutil usn deletejournal /D %c:
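The command lines quoted in this post (rundll32 calling export #1 of perfc.dat, the psexec-style push through dllhost.dat, the WMI remote process creation, and the wevtutil/fsutil log-wiping chain) are all visible in endpoint process-creation telemetry. The following is an added example of detection logic over such records; it is not Talos' code and not a Cisco product signature. The event fields, host names, account names, IP addresses and password in the sample records are constructed for the demo.

```python
"""Match the Nyetya command lines from the post against process-creation events.

Added example, not from the original post. The ProcessEvent layout and the
sample hosts, users, IPs and credentials are assumptions made for the demo.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    host: str          # endpoint that created the process
    user: str          # account the process ran as
    command_line: str  # full command line as recorded by the sensor


# Patterns follow the commands quoted in the post. rundll32 loading perfc.dat
# and calling its unnamed export #1 is the common thread across the
# EternalBlue, psexec and WMI paths, so it gets its own rule.
PERFC_EXPORT = re.compile(r"rundll32(\.exe)?\s+.*perfc\.dat\W*#1", re.I)
PSEXEC_PUSH = re.compile(
    r"dllhost\.dat\s+\\\\\S+\s.*-accepteula\b.*\s-s\b.*\s-d\b", re.I)
WMIC_CREATE = re.compile(
    r"wmic(\.exe)?\s+/node:.*/user:.*/password:.*\bprocess\s+call\s+create\b", re.I)
# The post's fsutil line shows "%c:", the malware's placeholder for the drive letter.
LOG_CLEAR = re.compile(r"wevtutil\s+cl\s+(Setup|System|Security|Application)\b", re.I)
USN_DELETE = re.compile(r"fsutil\s+usn\s+deletejournal\s+/D\b", re.I)

RULES = [
    ("perfc_export_exec", PERFC_EXPORT),
    ("psexec_like_remote_install", PSEXEC_PUSH),
    ("wmic_remote_process_create", WMIC_CREATE),
    ("event_log_wipe", LOG_CLEAR),
    ("usn_journal_delete", USN_DELETE),
]
PROPAGATION = {"psexec_like_remote_install", "wmic_remote_process_create"}
ANTI_FORENSICS = {"event_log_wipe", "usn_journal_delete"}


def match_rules(event):
    """Names of every rule whose pattern occurs in the event's command line."""
    return [name for name, pattern in RULES if pattern.search(event.command_line)]


def cleared_logs(command_line):
    """Which event logs a wevtutil chain clears (the post's chain clears all four)."""
    return sorted({m.lower() for m in LOG_CLEAR.findall(command_line)})


def triage(events):
    """Collect rule hits per host and classify each host.

    A perfc.dat execution together with a propagation command or log wiping on
    the same host is treated as a likely infection; either alone is suspicious;
    log clearing on its own is worth an analyst's look but is also done legitimately.
    """
    hits = {}
    for ev in events:
        hits.setdefault(ev.host, set()).update(match_rules(ev))
    verdicts = {}
    for host, names in hits.items():
        if "perfc_export_exec" in names and (names & PROPAGATION or names & ANTI_FORENSICS):
            verdicts[host] = "likely_nyetya"
        elif "perfc_export_exec" in names or names & PROPAGATION:
            verdicts[host] = "suspicious"
        elif names & ANTI_FORENSICS:
            verdicts[host] = "review_log_clearing"
        else:
            verdicts[host] = "clean"
    return verdicts


# Constructed sample records (assumed hosts, users, IPs and password).
SAMPLE_EVENTS = [
    ProcessEvent("WS01", "CORP\\alice",
                 r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1"),
    ProcessEvent("WS01", "NT AUTHORITY\\SYSTEM",
                 r"C:\WINDOWS\dllhost.dat \\10.0.0.5 -accepteula -s -d "
                 r"C:\Windows\System32\rundll32.exe C:\Windows\perfc.dat,#1"),
    ProcessEvent("WS01", "NT AUTHORITY\\SYSTEM",
                 "wevtutil cl Setup & wevtutil cl System & wevtutil cl Security & "
                 "wevtutil cl Application & fsutil usn deletejournal /D C:"),
    ProcessEvent("WS02", "CORP\\bob",
                 r'Wbem\wmic.exe /node:"10.0.0.7" /user:"CORP\bob" /password:"hunter2" '
                 r'/process call create "C:\Windows\System32\rundll32.exe \"C:\Windows\perfc.dat\" #1"'),
    ProcessEvent("WS03", "CORP\\carol", r"C:\Windows\System32\svchost.exe -k netsvcs"),
    ProcessEvent("WS03", "CORP\\carol", "wevtutil qe Security /c:5"),  # query, not clear
]


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(f"{ev.host:5} {ev.user:20} {match_rules(ev)}")
    print(triage(SAMPLE_EVENTS))
```

Because the malware clears the Security, System, Application and Setup logs and deletes the USN journal after it runs, a sensor that ships process-creation events off the host as they happen is what keeps these command lines observable; once the wipe has executed, the local logs no longer hold them.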

Coverage

Cisco customers are protected against Nyetya through the following products and services.
Advanced Malware Protection (AMP) is ideal for preventing the execution of malware used by these threat actors.

Network security appliances such as NGFW, NGIPS and Meraki MX can detect malicious activity associated with this threat.

AMP Threat Grid helps identify malicious binaries and create protection across all Cisco Security products.

Email and web have not been identified as an attack vector at this time. In addition, there are no known C2 elements related to this malware at this time.

Customers of Snort’s open source subscriber ruleset can keep up to date by downloading the latest rules package available for purchase at Snort.org.

See the complete original article:

http://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html
