Hello, welcome to the Wednesday, June 28, 2017 edition of the Sands and the Storm Center's Stormcast.

My name is Johannes Ulrich and the day I'm recording from Columbia, Maryland.

Well, you probably heard by now, but there is yet another ransomware strain making the rounds,

taking advantage of the exploits leaked from

the NSA, known as Eternal Blue and Eternal Romance.

Now what distinguishes this latest version from WannaCry is most of all how it enters the network.

WannaCry really relied on scanning the internet for exposed SMB version one hosts.

This latest version apparently got started initially via a malicious upgrade.

A Ukrainian company that makes accounting software apparently got preached and then pushed out the

malware to its customers in the form of an automatic update. Somewhat ironic that this malware,

which still relies a lot on unpatched systems, did get started with a patch, but this particular software company

actually had this happen before.

Apparently back in May, another strain of ransomware was pushed by this company via its

update servers.

Now, of course, once the Malvery entered a particular network, it did use

the Eternal Plu and Eternal Romance exploits to spread. There's also evidence that it does use

WMIC, so essentially if it can get a hold of unprotected shares, it will try to copy itself.

Another difference to Eternal Blue here is how the encryption works.

Eternal Blue did encrypt individual files.

This particular ransomware does actually reboot the system and then attempt to encrypt

the entire disk.

So the system will reboot and then you'll see a check disk message.

...