New Ransomware “Nyetya” in the Wild
Travis N.
Cisco is calling Nyetya “WannaCry’s bad cousin”, and it is no surprise why. This ransomware uses PsExec, a legitimate Microsoft (Sysinternals) administration tool, and WMIC to execute its processes. It steals credentials and spreads through networks using the EternalBlue and EternalRomance SMBv1 exploits, which Microsoft patched in MS17-010.
Machines that are patched against these exploits (with security update MS17-010) or that have SMBv1 disabled are not affected by this particular spreading mechanism. Please refer to our previous blog post for details on these exploits and on how modern Windows 10 mitigations can help contain similar threats.
The ransomware spreads over TCP ports 139 and 445, so the attack can be mitigated by blocking access to these ports or by disabling remote WMI and file sharing on hosts that do not need them.
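The following script is an added example (not part of the original post) that audits a Windows host for the spreading surface described above and, with `-Remediate`, applies the mitigations the post lists: disabling SMBv1, blocking inbound TCP 139/445, and turning off the built-in inbound WMI firewall rule group. It assumes an elevated PowerShell 5.1+ session on Windows 8/Server 2012 or later; the firewall rule name is an assumption.

```powershell
<#
  Added example, not from the original post. Audits the Nyetya spreading
  surface (SMBv1, TCP 139/445, remote WMI) and optionally remediates it.
  Run from an elevated PowerShell session. Firewall rule name is assumed.
#>
[CmdletBinding()]
param([switch]$Remediate)

# 1. SMBv1 server status (the protocol EternalBlue/EternalRomance abuse)
$smb = Get-SmbServerConfiguration
Write-Host ("SMBv1 server enabled : {0}" -f $smb.EnableSMB1Protocol)
$feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
if ($feature) { Write-Host ("SMB1Protocol feature : {0}" -f $feature.State) }

# 2. Are we listening on the two ports the worm uses to reach other hosts?
$listen = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
          Where-Object { $_.LocalPort -in 139, 445 }
Write-Host ("Listening on 139/445 : {0}" -f (($listen.LocalPort | Sort-Object -Unique) -join ','))

# 3. Existing inbound block rule for those ports (makes remediation idempotent)
$ruleName = 'Block-SMB-139-445-Inbound'   # assumed rule name, not from the post
$existing = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Host ("Block rule present   : {0}" -f [bool]$existing)

if (-not $Remediate) {
    Write-Host 'Audit only; re-run with -Remediate to apply the mitigations.'
    return
}

# Disable the SMBv1 server and remove the optional feature (feature removal needs a reboot)
if ($smb.EnableSMB1Protocol) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
}
if ($feature -and $feature.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

# Block inbound TCP 139/445 (file sharing). This also stops legitimate SMB access to this host.
if (-not $existing) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 139, 445 -Action Block -Profile Any | Out-Null
}

# Turn off the built-in inbound WMI rule group used for remote WMI/WMIC execution
Disable-NetFirewallRule -DisplayGroup 'Windows Management Instrumentation (WMI)' -ErrorAction SilentlyContinue
Write-Host 'Mitigations applied. Reboot to complete SMB1Protocol feature removal.'
```

Blocking 445 and disabling the WMI rule group breaks legitimate file sharing and remote management to that host, so scope this to machines that do not need those services or apply it temporarily during containment.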