Channel: Cisco Talos Blog

New Ransomware Variant Compromises Systems Worldwide

Note: This blog post discusses active research by Talos into a new threat. This information should be considered preliminary and will be updated throughout the day.

Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of ransomware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware exploited an SMBv1 vulnerability (the one addressed by MS17-010) and spread like wildfire across the Internet.

Today a new malware variant has surfaced. Our current research leads us to believe that the sample leverages EternalBlue and WMI for lateral movement inside an affected network. This behavior differs from WannaCry in that there does not appear to be an external scanning component. There may also be a PsExec vector used to spread internally.
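The spreading behavior described above gives a defender one network-side and two host-side signals to look for: a single internal host opening SMB (445/tcp) sessions to many internal neighbours in a short window, a PsExec-style service install, and processes spawned through WMI. The following is an added example, not Talos code, of those checks run over constructed flow records and host events. The record layouts, field names, hostnames, paths, the 10-host/5-minute threshold and the WmiPrvSE.exe/PSEXESVC heuristics are assumptions made for the example; the post does not specify any of them.

```python
"""Heuristic checks for the internal-spread behaviour described above:
SMB (445/tcp) fan-out from one internal host to many neighbours, PsExec-style
service installs, and processes spawned through WMI. Added example, not Talos
code; record layouts, thresholds and names below are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address

# Constructed flow records (timestamp, src, dst, dport): one workstation
# touches 12 distinct internal hosts on 445 in 12 seconds, two others talk
# to a single file server, and one external HTTPS flow should be ignored.
FLOWS = [("2017-06-27T10:00:%02d" % i, "10.0.0.5", "10.0.0.%d" % (6 + i), 445)
         for i in range(12)]
FLOWS += [
    ("2017-06-27T10:05:00", "10.0.0.20", "10.0.0.1", 445),
    ("2017-06-27T10:06:00", "10.0.0.21", "10.0.0.1", 445),
    ("2017-06-27T10:07:00", "10.0.0.5", "93.184.216.34", 443),
]

# Constructed host events in the shape a Sysmon/Security-log forwarder
# might emit (assumed field names; hostnames and paths are made up).
EVENTS = [
    {"host": "ws07", "kind": "service_install", "service": "PSEXESVC",
     "image": r"C:\Windows\PSEXESVC.exe"},
    {"host": "ws08", "kind": "process_create",
     "image": r"C:\Windows\System32\rundll32.exe",
     "parent": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "cmdline": r"rundll32.exe C:\Windows\payload.dll,#1"},
    {"host": "ws09", "kind": "process_create",
     "image": r"C:\Windows\System32\notepad.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe"},
    {"host": "ws10", "kind": "process_create",
     "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": 'wmic /node:"ws11" /user:"corp\\svc" process call create "cmd /c whoami"'},
]


def smb_fanout(flows, threshold=10, window=timedelta(minutes=5)):
    """Return {src: n} for sources that reached more than `threshold` distinct
    private-address hosts on 445/tcp within any `window`-long span.
    WannaCry-style external scanning would show up as public destinations,
    which this check deliberately ignores: it targets internal spread only."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == 445 and ip_address(dst).is_private:
            by_src[src].append((datetime.fromisoformat(ts), dst))
    hits = {}
    for src, recs in by_src.items():
        recs.sort()
        start = 0
        for end in range(len(recs)):
            # Slide the window start forward until the span fits in `window`.
            while recs[end][0] - recs[start][0] > window:
                start += 1
            distinct = {dst for _, dst in recs[start:end + 1]}
            if len(distinct) > threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits


def remote_exec_indicators(events):
    """Tag host events matching the PsExec and WMI vectors: a PSEXESVC service
    install, a process whose parent is WmiPrvSE.exe (the WMI provider host
    that services remote Win32_Process.Create requests), or a wmic.exe
    command line that creates a process on another node."""
    hits = []
    for e in events:
        if e["kind"] == "service_install" and e.get("service", "").upper() == "PSEXESVC":
            hits.append((e["host"], "psexec-service-install"))
        elif e["kind"] == "process_create":
            parent = e.get("parent", "").lower()
            cmd = e.get("cmdline", "").lower()
            if parent.endswith("wmiprvse.exe"):
                hits.append((e["host"], "wmi-spawned-process"))
            elif "wmic" in cmd and "/node:" in cmd and "process call create" in cmd:
                hits.append((e["host"], "wmic-remote-process-create"))
    return hits


if __name__ == "__main__":
    print("SMB fan-out:", smb_fanout(FLOWS))
    print("Remote-exec indicators:", remote_exec_indicators(EVENTS))
```

The fan-out threshold needs tuning per environment: vulnerability scanners, backup servers and domain controllers legitimately open SMB to many hosts and should be allowlisted rather than raising the threshold for everyone. The host-side checks are cheap and specific, but a WMI-spawned process is also what legitimate remote administration looks like, so treat them as triage signals to correlate with the SMB fan-out and the MS17-010 Snort alerts listed under Coverage, not as standalone verdicts.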

The identification of the initial vector has proven more challenging. Early reports of an email vector cannot be confirmed. Based on observed in-the-wild behaviors, the lack of a known, viable external spreading mechanism, and other research, we believe it is possible that some infections may be associated with the software update system for a Ukrainian tax accounting package called MeDoc. This appears to have been confirmed by MeDoc. Talos continues to research the initial vector of this malware.

Snort rules that detect attempts to exploit MS17-010 have been available since April 2017. Additionally, Talos has blacklisted known samples of this new ransomware variant in AMP.

Coverage

Open Source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.

NGIPS / Snort Rules

The following NGIPS / Snort rules detect this threat:
  • 42944 - OS-WINDOWS Microsoft Windows SMB remote code execution attempt
  • 42340 - OS-WINDOWS Microsoft Windows SMB anonymous session IPC share access attempt

The following NGIPS / Snort rules are also indicators of infection traffic:
  • 5718 - OS-WINDOWS Microsoft Windows SMB-DS Trans unicode Max Param/Count OS-WINDOWS attempt
  • 1917 - INDICATOR-SCAN UPnP service discover attempt
  • 42231 - FILE-OFFICE RTF url moniker COM file download attempt
  • 5730 - OS-WINDOWS Microsoft Windows SMB-DS Trans Max Param OS-WINDOWS attempt

AMP Coverage

  • W32.Ransomware.Petya.Talos
