NSA EternalBlue vulnerabilities used to try and spread Yatron ransomware

News by Rene Millman

New ransomware has been discovered, promoted by hackers on Twitter, that uses NSA vulnerabilities EternalBlue and DoublePulsar to infect other systems.

New ransomware has been discovered, promoted by hackers on Twitter, that uses NSA vulnerabilities EternalBlue and DoublePulsar to infect other systems.

The malware was found by a security researcher, only going by the pseudonym "A Shadow". According to reports from Bleeping Computer, the ransomware tries to delete files if payment has not been received within 72 hours.

The malware has been disseminated through Twitter by hackers to ransomware and security researchers. The malware, when executed, scans systems for target files to encrypt. The files are then given the extension ".Yatron". AN encryption password and unique ID is sent to the ransomware’s C2 server.

Victims receive a message that the files have been encrypted and to decrypt them, they need to send a ransom of 0.5 bitcoins to an email address with a .ru domain.

According to the ID ransomware website, the developer of the malware markets it as Ransomware-as-a-Service.

"The developer Yatron sells once access to RaaS for US$ 100 (£76) in bitcoins, and in the future the fee is no longer charged. It can begin to spread by hacking through an unprotected RDP configuration, using email spam and malicious attachments, fraudulent downloads, botnets, exploits, web injections, fake updates, repackaged and infected installers," the website said.

While the malware uses EternalBlue and DoublePAulsar to infect more systems, the code it uses is incomplete and doesn’t include Eternalblue-2.2.0.exe and Doublepulsar-1.3.1.exe executables that it needs. 

Maor Hizkiev, CTO and co-founder at Bitdam, told SC Media UK that the Yatron ransomware is gaining more and more capabilities as it spreads through different networks. He suggested that the attackers are growing confident in its ability to infiltrate its targets.

"In this case, the attackers are aware that patching takes time, which allows them to use an old attack form in order to spread the ransomware in target networks. This could also be the reason they are promoting the attack to security researchers; if it was an attack vector unknown to researchers, they would be much less likely to disclose any information about its creation or method," said Hizkiev.
He added that email is the main delivery mechanism for spreading this type of ransomware.

"Therefore, the most effective way of preventing it from entering your organisation is through the application of an advanced content-borne protection solution. In addition, the fact that patching is a difficult and time-consuming task means that attackers can take a stranglehold of an organisation by gaining access to many devices within its network and subsequently increase the ransom," said Hizkiev.

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming event 

Webcast: Understanding this year's biggest adversaries - and how to combat them 

Nation-state activity, versatile, slippery strategies and Big Game Hunting - the threats are real, dangerous and ever changing. 
Brought to you in partnership with Crowdstrike