Cisco Blogs

What the Nyetya Ransomware Attack Means for Banks

July 1, 2017 - 2 Comments

Today the world is still reeling from the global mayhem created by yet another ransomware attack – the bigger, more ruthless brother of the WannaCry attack that took place only six weeks ago. The ransomware has been referred to as Petya, NotPetya, Petrwrap, and GoldenEye. Cisco’s Talos Threat Intelligence Team has identified this new variant of malware that brought industrial giants, governments, and central banks to a grinding halt as Nyetya. Talos Security is regularly updating their Nyetya blog with new information.

Nyetya vs. WannaCry: What’s the difference?

Like WannaCry, Nyetya victims receive a message demanding payment via Bitcoin and are asked to send confirmation of payment to an email address included in the ransom note. Both versions of ransomware attack computers by entering through a “hole,” or vulnerability in Windows. However, several factors are making the Nyetya attack worse:

  • In addition to this known vulnerability, Nyetya employs two more methods to attack computers laterally. None of the three methods require the user to take an action such as downloading a file or clicking a link.
  • Nyetya encrypts both the data and the master boot record (like a table of contents for a hard drive), which makes the computer unresponsive and impossible to use.
  • So far, no “kill switch” has been discovered for Nyetya like the one that stopped WannaCry, which means that no one knows how to stop this attack from spreading.
  • There is no longer an option for people to contact the attackers for a decryption key to unlock their computer after paying the ransom. Shortly after the attack began, the email provider Posteo shut down the email address.


Does Nyetya have political connections?

According to Cisco’s Talos Threat Intelligence Team, some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. MeDoc is popular across various industries in Ukraine, including financial institutions.

The infection occurred during an automatic update of the software on June 22. The virus spread throughout Ukraine and around the world for five days before the ransomware was launched on June 27, prior to a national holiday.

“Last night in Ukraine, the night before Constitution Day, someone pushed the detonate button,” said Craig Williams, head of Cisco’s Talos threat intelligence unit. “That makes this more of a political statement than just a piece of ransomware. It’s very clear that whoever was behind this would somehow benefit from causing a significant amount of negative business impact on Constitution Day,” Williams added.

Talos Nyetya

Ransomware and Banks

Nyetya hit the National Bank of Ukraine and another national central bank hard. It also crippled many branches and lenders as financial institutions in Ukraine and Russia reported significant system outages early on during the ransomware attack. Many ATMs in the Ukraine were out of order or displayed Nyetya’s ransomware message on their screens.

“The National Bank of Ukraine has warned banks… about an external hacker attack on the websites of some Ukrainian banks… which was carried out today,” Ukraine’s central bank said in a statement on June 27, 2017. “As a result of these cyber attacks these banks are having difficulties with client services and carrying out banking operations.”

How can banks protect themselves from ransomware?

Aside from making sure that all systems are updated, this event underscores the need for financial services firms to take a closer look at their infrastructure. Hackers get smarter every day and networks should too.

It’s critical to have a secure, intelligent network that constantly learns and evolves to detect issues before they happen and find ways to resolve them automatically. Today’s fully integrated, intelligent, highly secure networks can identify immediately what’s trustworthy and what isn’t–even seemingly benign and routine processes like software updates from trusted accounting software vendors.

Learn more

  • Listen to a recorded webinar from Friday, June 30, hosted by Martin Lee, technical lead on Cisco’s Talos threat research team, to understand the latest in the new malware variant, Nyetya.  Hear the latest on the attack and steps you can take to strengthen your security.


In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.


  1. I have left a major US credit card company and refuse to do any business with them or a subsidiary because they are constantly being compromised. My CCs have been compromised three times over several years, and all of them were owned by the single company. Good article pointing out the sources of these threats.

    • Thank you Peter. I am sorry to hear about your issues with credit card compromises. I have dealt with it myself as a consumer and it certainly can be a headache to get that straightened out!

      I am thankful that as a consumer in the U.S. I am protected from liability for unauthorized credit card transactions by a combination of federal law and the card issuer policy. So financial institutions and merchants assume responsibility for most of the money lost as a result of fraud. I looked it up out of curiosity and card issuers bore a 72% share of fraudulent losses in 2015 and merchants and ATM acquirers assumed the other 28% of liability, according to the Nilson Report, October 2016.

      The reason that all of the merchants you shop with converted their card payment processing devices at the checkout lines to “chip card ” or EMV reader technology in the last few years, and the card issuers sent you new “chip”/ EMV cards, is due to a change in this liability. Although other parts of the world had already been using this chip technology for years, in the US we were slow to convert.

      What finally prompted the changeover was a date late last year wherein responsibility for fraudulent transactions shift to the merchant – your local gas station or grocery store – if the new EMV technology is not used for additional security, instead of the card issuer – Visa or Mastercard for example. No change for the consumer except a new card and hopefully better security.

      Payment solutions is a really interesting and quickly evolving line of business.