Ransomware: First WannaCry, now Nyetya
[Editor’s note] Join us for a webinar hosted by Martin Lee, technical lead on Cisco’s Talos threat research team, to understand the latest in the new malware variant, Nyetya. Webinar will be on Friday, June 30, 2017 at 7 am PDT / 3 pm BST / 4 pm CEST. Hear the latest on the attack and steps you can take to strengthen your security.
Manufacturers are still just getting their hands around WannaCry, with one major automaker having to shut down its operations just last week from the virus. Today news has hit that another virus, currently being dubbed “Nyetya,” is waging a campaign against a variety of computer systems.
This time around we see a similar attack to WannaCry that seems to have started in Europe and has taken out systems supporting banks, shipping, and oil operations. It has also spread to U.S. companies, with a pharmaceutical company confirming they have been affected.
Here’s what we know from our Cisco team over at Talos, which monitors global security threats:
“Today a new malware variant has surfaced that is distinct enough from Petya that people have referred to it by various names such as Petrwrap and GoldenEye. Talos is identifying this new malware variant as Nyetya. Our current research leads us to believe that the sample leverages EternalBlue and WMI for lateral movement inside an affected network. This behavior is unlike WannaCry, as there does not appear to be an external scanning component. Additionally, there may also be a psexec vector that is also used to spread internally.
The identification of the initial vector has proven more challenging. Early reports of an email vector can not be confirmed. Based on observed in-the-wild behaviors, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. Talos continues to research the initial vector of this malware..”
Updates to this article will happen as more information comes through. I highly recommend checking back for information.
How to reduce risk in your factory
In my blog about WannaCry, I laid out five ways to reduce risk. These same concepts apply when dealing with ransomware and are outlined here. Also, we have valuable information on Nyetya and how to protect yourself from ransomware here.
For more on Cisco IoT Threat Defense, check out the Cisco IoT Threat Defense at-a-glance.
To learn more about ransomware and how to defend yourself against it, take a look at our Ransomware Defense eBook.
And for guidance in assessing risk and setting a security strategy, visit our interactive security experience for manufacturing.