A new variant of Ransomware called Nyetya that is also being referred to as Petrwrap and GoldenEye has been identified by Cisco Talos, whose incidence has been on the rise of this malware through unpatched network susceptibilities since the SamSam attacks in March 2016, which targeted US healthcare.
WannaCry ransomware, in May this year, used a vulnerability in SMBv1 to its advantage and disseminated across the Internet. The sample influences EternalBlue, EternalRomance, WMI, and PsExec with respect to lateral movement inside an affected network. Nyetya, unlike WannaCry, does not seem to comprise of an external scanning element.
The initial vector discovery is still being investigated. Talos has not yet identified any email or Office documents as a delivery apparatus for the malware. According to Talos, infections are linked to software update systems for a Ukrainian tax accounting package known as MeDoc.
Provided the situation of these attacks, the motive behind Nyetya has been assessed to be destructive and provoked by uneconomical factors. Talos has advised individuals and companies to refuse to pay any kind of ransom. All efforts to get hold of a decryption key will be unsuccessful as the linked mailbox used for payment confirmation and decryption key sharing has been blocked by the posteo.de.
All successful payments would be rendered ineffective since there are no parameters of communication at the actor’s disposal to confirm payments from the victims or disseminate decryption keys once ransom payments have been received. There is also no way through which the malware can connect to directly control or command for remote unlocking.
To disseminate itself laterally the PsExec and WMI vectors, Nyetya needs user credentials.
There are various ways through which customers can prevent this malware from affecting their environment. One way, recommended by Cisco Talos, is to apply MS17-010 immediately. It would be unwise to leave this vulnerability unpatched, provided the severity of the vulnerability and the widely available tools that exploit it. Another way of preventing it is having anti-malware installed on the system that can detect and shut down any malicious executables.