Cisco UK & Ireland Blog

Nyetya Ransomware Attack: The ‘House of Cards’ Effect

June 29, 2017

“The seed has been planted”

This is one of the many unnerving lines uttered by Frank Underwood during his infamous ‘fourth wall’ monologues in Netflix’s House of Cards. In this case, he was telling us that his early dabble into a spot of power shifting in Washington DC was beginning taking effect.

In the context of what we’re talking about today, i.e the outbreak of the ‘Nyetya’ malware, it’s also appropriate to talk about ‘seeds having being planted’.

As our expert threat intelligence team Talos write on their blog,

“Since the SamSam attacks that targeted US healthcare entities in March 2016, Talos has been concerned about the proliferation of malware via unpatched network vulnerabilities. In May 2017, WannaCry ransomware took advantage of a vulnerability in SMBv1 and spread like wildfire across the Internet.”

WannaCry and the SAMSAM attack before it, seemingly targeted weaknesses in the network – not just individual endpoints.  This is also now true in the case of Nyetya.

Talos has been able to assess with high confidence that the intent of the actor behind Nyetya was destructive in nature, and not economically or financially motivated.

Although it appeared to look like ransomware, the malware actually wipes data from hard drives rendering attempts to obtain encryption keys fruitless. In any case, Talos recommends that users and organisations decline to pay ransoms for any ransomware.

The ‘Nyetya’ outbreak first hit in Ukraine, with the victims reportedly including its central bank, an international airport, and even the Chernobyl nuclear plant – where workers were forced to manually monitor radiation levels after they were locked out of their computers.

Apparently centred on Ukraine, the attack has affected victims in many countries across the globeinfecting companies in 64 countries across Europe, (including the UK), the United States and Australia.

So what is Nyetya?

Nyetya is nasty because it modifies, and sometimes overwrites, the master boot record (like a table of contents for a hard drive) of a computer.

So, not only is your hard drive encrypted, but the contents are also inaccessible.

For an in-depth analysis on Nyetya, see our blog by Talos, Cisco’s threat intelligence team, covering how it operates, and what security protections will keep you safe against it. This blog is being continually updated with all their latest research.

The ‘House of Cards’ effect

When faced with any attack on the network, it’s crucial to have a good network architecture, and a segregation of networks which allows the threat to be localised and contained.  If not, you may see a ‘house of cards’ effect where one unpatched machine can allow others to be infected.

IPS protection in NGFW can stop threats such as this spreading between network segments. Solutions such as AMP for endpoints prevents malware such as this executing on devices, and allows teams to identify how a malicious executable may have spread within a network.

Additionally, unpatched devices can be surrounded by network security solutions to ensure that only clean and authorised traffic can access the vulnerable device.

What can we learn from this cyber attack?

Organisations need to understand that cyber criminals can and will exploit any weakness they find ruthlessly. And, unfortunately, they have all the time in the world to innovate – it’s their business. Companies must therefore take the time to understand what cyber risks they might be susceptible to.

I’ll leave the last word to the experts – our world class threat intelligence team Talos, who have some handy tips on mitigation for Nyetya:

  • First and foremost, we strongly recommend that customers who have NOT yet already applied MS17-010 to go do so immediately. Given the severity of the vulnerability and the widely available tools that exploit it, leaving this vulnerability unpatched is unwise.
  • Ensure you have anti-malware software deployed on your systems that can detect and block the execution of known malicious executables.
  • Implement a disaster recovery plan that includes backing up and restoring data from backup devices that are kept offline. Adversaries frequently target backup mechanisms to limit the possibilities a user may be able to restore their files.

To learn more about the Nyetya attack, and why it spread so quickly, we held a webinar on with one of our threat intelligence experts, Martin Lee.  Click here to give it a watch. 


Leave a comment