New Ransomware “Nyetya” in the Wild


Cisco is calling Nyetya “WannaCry’s bad cousin”, and it is no surprise why. This ransomware uses PsExec, a legitimate administration tool from Microsoft, and WMIC to execute its processes. It steals credentials and spreads through networks using the EternalBlue and EternalRomance SMBv1 exploits, which were patched by Microsoft in MS17-010.

Machines that are patched against these exploits (with security update MS17-010) or have disabled SMBv1 are not affected by this particular spreading mechanism. Please refer to our previous blog for details on these exploits and how modern Windows 10 mitigations can help to contain similar threats.

The ransomware spreads through network ports 139 and 445, and the attack can be mitigated by blocking access to these ports or by disabling remote WMI and file sharing.
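One way to check a Windows host against the mitigations listed above, as an added example that is not part of the original post. It assumes Windows 8 / Server 2012 or later, an elevated session, and English firewall group names; `Get-SmbExposureReport` is a hypothetical helper name.

```powershell
# Added example (not from the original post). Read-only audit; run elevated.
function Get-SmbExposureReport {             # hypothetical helper name
    $ports = '139', '445'                     # ports named in the post

    # SMBv1 on the server side; $true means the protocol is still offered.
    $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol

    # Which of the two ports this host is actually listening on.
    $listening = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $ports -contains [string]$_.LocalPort } |
        Select-Object -ExpandProperty LocalPort -Unique)

    # Enabled inbound block rules that name 139 or 445 explicitly.
    # Rules written as port ranges or "Any" are not matched here.
    $blocked = @(Get-NetFirewallRule -Direction Inbound -Action Block -Enabled True -ErrorAction SilentlyContinue |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' } |
        ForEach-Object { $_.LocalPort } |
        Where-Object { $ports -contains $_ } |
        Select-Object -Unique)

    # Enabled inbound allow rules for remote WMI and file sharing.
    # Assumption: English display group names.
    $groups = 'Windows Management Instrumentation (WMI)', 'File and Printer Sharing'
    $allowed = @($groups | ForEach-Object {
            Get-NetFirewallRule -DisplayGroup $_ -ErrorAction SilentlyContinue
        } | Where-Object {
            $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
        } | Select-Object -ExpandProperty DisplayName)

    [pscustomobject]@{
        Smb1ServerEnabled  = $smb1
        ListeningOn        = $listening
        ExplicitBlockRules = $blocked
        RemoteAllowRules   = $allowed
        # Heuristic only: does not check whether MS17-010 is installed.
        Smb1OfferedOn445   = [bool]($smb1 -and ($listening -contains 445))
    }
}

Get-SmbExposureReport | Format-List

# Mitigations the post describes, commented out so the audit changes nothing:
# Set-SmbServerConfiguration -EnableSMB1Protocol $false
# New-NetFirewallRule -DisplayName 'Block inbound SMB/NetBIOS' -Direction Inbound `
#     -Protocol TCP -LocalPort 139,445 -Action Block
```

Blocking ports 139 and 445 inbound also stops legitimate file sharing to that host, so apply the firewall rule where the host does not need to serve shares.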
