{
	"id": "8cdf7927-cadf-4fb5-be91-387eefdcdaed",
	"created_at": "2026-04-06T03:36:03.525674Z",
	"updated_at": "2026-04-10T03:26:53.344961Z",
	"deleted_at": null,
	"sha1_hash": "2680208b08bfc47367056e72cbda1643708bcd51",
	"title": "New Ransomware Variant \"Nyetya\" Compromises Systems Worldwide",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 207755,
	"plain_text": "New Ransomware Variant \"Nyetya\" Compromises Systems\r\nWorldwide\r\nBy Cisco Talos\r\nPublished: 2017-06-27 · Archived: 2026-04-06 03:09:27 UTC\r\nTuesday, June 27, 2017 14:02\r\nNote: This blog post discusses active research by Talos into a new threat. This information should be considered\r\npreliminary and will be updated as research continues.\r\nUpdate 2017-07-06 12:30 EDT: Updated to explain the modified DoublePulsar backdoor.\r\nSince the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the\r\nproliferation of malware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took\r\nadvantage of a vulnerability in SMBv1 and spread like wildfire across the Internet.\r\nToday a new malware variant has surfaced that is distinct enough from Petya that people have referred to it by\r\nvarious names such as Petrwrap and GoldenEye. Talos is identifying this new malware variant as Nyetya. The\r\nsample leverages EternalBlue, EternalRomance, WMI, and PsExec for lateral movement inside an affected\r\nnetwork. This behavior is detailed later in the blog under \"Malware Functionality\". Unlike WannaCry, Nyetya\r\ndoes not appear to contain an external scanning component.\r\nThe identification of the initial vector is still under investigation. We have observed no use of email or Office\r\ndocuments as a delivery mechanism for this malware. We believe that infections are associated with software\r\nupdate systems for a Ukrainian tax accounting package called MeDoc. Talos is investigating this currently.\r\nGiven the circumstances of this attack, Talos assesses with high confidence that the intent of the actor behind\r\nNyetya was destructive in nature and not economically motivated. Talos strongly recommends users and\r\norganizations decline to pay the ransom. 
Any attempts to obtain a decryption key will be fruitless as the associated\r\nmailbox used for payment verification and decryption key sharing has been shut down by posteo.de. This\r\nrenders any successful payment useless, as there is no method of communication available for this actor to use\r\nto verify payments from victims or distribute decryption keys once ransom payments have been received. There is\r\nalso no method used by the malware to directly connect to command and control for remote unlocking.\r\nRecovery of User Credentials\r\nNyetya requires user credentials to spread itself laterally via the PsExec and WMI vectors (which are detailed in\r\nthe \"Malware Functionality\" section). Talos has identified three ways Nyetya can obtain these credentials.\r\nFirst, credentials can be manually passed in via a command line argument. Here is the syntax:\r\nrundll32.exe C:\\Windows\\perfc.dat,#1 60 \"username:password\"\r\nThe second method uses the CredEnumerateW Windows API.\r\nFinally, Perfc.dat contains three embedded executables in its resource section which are compressed with zlib.\r\nTwo of the executables are used to recover user credentials (32-bit and 64-bit) while the third one is the PsExec\r\nbinary. The executables related to credential recovery are dropped as temporary files in the user’s %TEMP%\r\nfolder and run with a named pipe parameter (containing a GUID). The main executable communicates with the\r\ndropped executable using this named pipe. For example:\r\nC:\\WINDOWS\\TEMP\\561D.tmp, \\\\.\\pipe\\{C1F0BF2D-8C17-4550-AF5A-65A22C61739C}\r\nThe dropped .tmp executable seems to be based on Mimikatz, a popular open source tool used for recovery of user\r\ncredentials from computer memory using several different techniques. 
However, Talos has confirmed that the\r\nexecutable is not specifically the Mimikatz tool.\r\nThe recovered credentials are then used for launching malware on the remote system using WMIC and PsExec.\r\nThis is detailed below.\r\nMalware Functionality\r\nPerfc.dat contains the functionality needed to further compromise the system and contains a single unnamed\r\nexport function referred to as #1. As part of the propagation process, the malware enumerates all visible machines\r\non the network via the NetServerEnum API call and then scans for an open TCP port 139. This is done to compile\r\na list of devices that expose this port and may possibly be susceptible to compromise.\r\nNyetya has several mechanisms that are used to propagate once a device is infected:\r\n1. EternalBlue - the same exploit used by WannaCry.\r\n2. EternalRomance - an SMBv1 exploit leaked by \"ShadowBrokers\"\r\n3. PsExec - a legitimate Windows administration tool.\r\n4. WMI - Windows Management Instrumentation, a legitimate Windows component.\r\nThese mechanisms are used to attempt installation and execution of perfc.dat on other devices to spread laterally.\r\nFor systems that have not had MS17-010 applied, the EternalBlue and EternalRomance exploits are leveraged to\r\ncompromise systems. The exploit launched against the victim system depends on the operating system of the\r\nintended target.\r\nEternalBlue\r\nWindows Server 2008 R2\r\nWindows Server 2008\r\nWindows 7\r\nEternalRomance\r\nWindows XP\r\nWindows Server 2003\r\nWindows Vista\r\nThe two exploits drop a modified version of DoublePulsar which is a persistent backdoor\r\nrunning in kernel space of the compromised system. The developer modified only a few bytes from the\r\noriginal version but this modification allowed it to evade network detection and the open source\r\nDoublePulsar scanning tools available on the Internet. 
The modification can be divided into 3 parts:\r\nThe attacker modified the command codes:\r\nOriginal Command Code | Nyetya Command Code | Purpose\r\n0x23 | 0xF0 | PING\r\n0x77 | 0xF1 | KILL\r\n0xC8 | 0xF2 | EXEC\r\nThe attacker modified the response codes:\r\nOriginal Response Code | Nyetya Response Code | Purpose\r\n0x10 | 0x11 | OK\r\n0x20 | 0x21 | CMD_INVALID\r\n0x30 | 0x31 | ALLOCATION_FAILURE\r\nThe attacker modified where the response code is stored in the SMB response packet. In the original\r\nversion of DoublePulsar, the code was stored in the MultiplexID field (offset 0x1E). In the Nyetya version,\r\nthe response code is stored in a reserved field (offset 0x16) which is normally set to 0x0000.\r\nWe implemented a specific NGIPS / Snort rule to detect this DoublePulsar variant: 43459.\r\nPsExec is used to execute the following instruction (where w.x.y.z is an IP address) using the current user's\r\nWindows token (from the \"Recovery of User Credentials\" section above) to install the malware on the networked\r\ndevice.\r\nC:\\WINDOWS\\dllhost.dat \\\\w.x.y.z -accepteula -s -d C:\\Windows\\System32\\rundll32.exe C:\\Windows\\perfc.dat,#1 60\r\nWMI is used to execute the following command which performs the same function as above, but using the current\r\nuser's username and password (as username and password), retrieved from the \"Recovery of User Credentials\"\r\nsection above.\r\nWbem\\wmic.exe /node:\"w.x.y.z\" /user:\"username\" /password:\"password\" \"process call create \"C:\\Windows\\System32\\r\r\nOnce a system is successfully compromised, the malware encrypts files on the host using 2048-bit RSA\r\nencryption. 
Additionally, the malware clears event logs on the compromised device using the following\r\ncommand:\r\nwevtutil cl Setup \u0026 wevtutil cl System \u0026 wevtutil cl Security \u0026 wevtutil cl Application \u0026 fsutil usn deletejour\r\nNyetya attempts to obtain administrative privileges (SeShutdownPrivilege and SeDebugPrivilege) for the current\r\nuser through the Windows API AdjustTokenPrivileges. If successful, Nyetya overwrites the boot sector on\r\nPhysicalDrive0 without first saving a copy. If overwriting the boot sector fails, Nyetya instead wipes the first ten\r\nsectors of the disk drive. Additionally, if Nyetya finds a process file name hash of 2E214B44 on the system, it will\r\nalso wipe the first ten sectors of the disk drive. Talos has identified that this hash is referring to avp.exe, which\r\ncorresponds to Kaspersky Anti-virus. Systems that have the boot sector overwritten will see this message when\r\nrestarting their systems.\r\nScreenshot of a system compromised by Nyetya.\r\nNote that regardless of whether Nyetya is successful in overwriting the boot sector or not, it will proceed to create\r\na scheduled task via schtasks to reboot the system one hour after infection.\r\nWithout analyzing the key generation or key storage components, Talos believes that the actors behind Nyetya did\r\nnot intend for the boot sector or the ten sectors that are wiped to be restorable. Thus, Nyetya is intended to be\r\ndestructive rather than a tool for financial gain.\r\nMitigation and Prevention\r\nThere are several ways customers can mitigate and\r\nprevent Nyetya from impacting their environment.\r\nFirst and foremost, we strongly recommend that customers who have NOT yet applied MS17-010\r\n
Given the severity of the vulnerability and the widely available tools that exploit\r\nit, leaving this vulnerability unpatched is unwise.\r\nEnsure you have anti-malware software deployed on your systems that can detect and block the execution\r\nof known malicious executables.\r\nImplement a disaster recovery plan that includes backing up and restoring data from backup devices that\r\nare kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be\r\nable to restore their files without paying the ransom.\r\nDisable SMBv1, if possible, on networks and move to a more updated version of SMB. (SMBv2 was\r\nintroduced with Microsoft Vista)\r\nOrganizing your networks in a number of well-defined logical segments, and allowing access to network\r\nassets only to those users and systems within a segment may help with containing outbreaks of self-spreading worms such as Nyetya.\r\nAs Nyetya attempts to overwrite the boot sector on an infected machine, Talos tested using MBRFilter to\r\nprevent any changes being allowed to the system boot sector. This test proved successful and the machine\r\nboot sector remained intact in a good state.  For users or enterprises that can do so, we recommend using\r\nMBRFilter.  
Note that MBRFilter is an open source project from Talos and no warranties or guarantees are\r\nprovided.\r\nCoverage\r\nCisco customers are protected from Nyetya via the following products and services.\r\nAdvanced Malware Protection (AMP) is ideally suited to prevent the execution of the malware used by these\r\nthreat actors.\r\nNetwork Security appliances such as NGFW, NGIPS, and Meraki MX can detect malicious activity associated\r\nwith this threat.\r\nAMP Threat Grid helps identify malicious binaries and build protection into all Cisco Security products.\r\nEmail and web have not been identified as attack vectors at this time. Additionally, there are no known C2\r\nelements related to this malware at this time. The malware, if transferred across these systems on your networks,\r\nwill be blocked.\r\nOpen Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org.\r\nNGIPS / Snort Rules\r\nThe following NGIPS / Snort rules detect this threat:\r\n42944 - OS-WINDOWS Microsoft Windows SMB remote code execution attempt\r\n42340 - OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt\r\n41984 - OS-WINDOWS Microsoft Windows SMBv1 identical MID and FID type confusion attempt\r\n43459 - MALWARE-CNC Win.Trojan.Doublepulsar variant successful ping response\r\nThe following NGIPS / Snort rules are also indicators of infection traffic:\r\n5718 - OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS\r\nattempt\r\n1917 - INDICATOR-SCAN UPnP service discover attempt\r\n5730 - OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt\r\n26385 - FILE-EXECUTABLE Microsoft Windows executable file save onto SMB share attempt\r\n43370 - NETBIOS DCERPC possible wmi remote process launch\r\nIndicators of Compromise (IOCs)\r\nAMP 
Coverage\r\nW32.Ransomware.Nyetya.Talos\r\nSHA256\r\n027cc450ef5f8c5f653329641ec1fed91f694e0d229928963b30f6b0d7d3a745\r\neae9771e2eeb7ea3c6059485da39e77b8c0c369232f01334954fbac1c186c998 (password stealer)\r\nSource: https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html"
	],
	"report_names": [
		"worldwide-ransomware-variant.html"
	],
	"threat_actors": [
		{
			"id": "171b85f2-8f6f-46c0-92e0-c591f61ea167",
			"created_at": "2023-01-06T13:46:38.830188Z",
			"updated_at": "2026-04-10T02:00:03.114926Z",
			"deleted_at": null,
			"main_name": "The Shadow Brokers",
			"aliases": [
				"Shadow Brokers",
				"ShadowBrokers",
				"The ShadowBrokers",
				"TSB"
			],
			"source_name": "MISPGALAXY:The Shadow Brokers",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775446563,
	"ts_updated_at": 1775791613,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2680208b08bfc47367056e72cbda1643708bcd51.pdf",
		"text": "https://archive.orkl.eu/2680208b08bfc47367056e72cbda1643708bcd51.txt",
		"img": "https://archive.orkl.eu/2680208b08bfc47367056e72cbda1643708bcd51.jpg"
	}
}