Talos Blog - New Ransomware Variant Compromises Systems Worldwide |
|
Posted: 27 Jun 2017 11:02 AM PDT
Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated throughout the day.
Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of ransomware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took advantage of a vulnerability in SMBv1 and spread like wildfire across the Internet. Today a new malware variant has surfaced. Our current research leads us to believe that the sample leverages EternalBlue and WMI for lateral movement inside an affected network. This behavior is unlike WannaCry, as there does not appear to be an external scanning component. Additionally, there may also be a psexec vector that is also used to spread internally. The identification of the initial vector has proven more challenging. Early reports of an email vector can not be confirmed. Based on observed in-the-wild behaviors, the lack of a known, viable external spreading mechanism and other research we believe it is possible that some infections may be associated with software update systems for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc. Talos continues to research the initial vector of this malware. Snort rules that detect attempts to exploit MS17-010 have been available since April of 2017. Additionally, Talos has blacklisted known samples of this new ransomware variant in AMP. Coverage |
