A new Ransomware-as-a-Service called Yatron is being promoted on Twitter that plans to use the EternalBlue and DoublePulsar exploits to spread to other computers on a network. This ransomware will also attempt to delete encrypted files if a payment has not been made within 72 hours.
BleepingComputer was first notified about the Yatron RaaS by a security researcher who goes by the name A Shadow. Since then, the actor behind this ransomware has strangely been promoting the service by tweeting to various ransomware and security researchers.
Yatron contains code to utilise the EternalBlue and DoublePulsar exploits to spread to Windows machines on the same network using SMBv1 vulnerabilities that should have been patched a long time ago.
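A defender-side check for the propagation path described above (SMBv1 left exposed to EternalBlue/DoublePulsar), added here as an example; it is not code from the article or from any vendor quoted in it. It assumes an elevated PowerShell session on Windows 8.1/Server 2012 R2 or later (SmbShare module present), and that the administrator supplies the MS17-010 KB numbers for the host's own OS build, since they differ per build (the list below is a placeholder).

```powershell
# Added example: audit a Windows host for the SMBv1 exposure that Yatron's
# EternalBlue/DoublePulsar worm component relies on, and optionally close it.
# Assumes Windows 8.1 / Server 2012 R2 or later and an elevated session.

param(
    [switch]$Remediate,
    # MS17-010 KB numbers differ per OS build; fill in the ones for your build
    # from the Microsoft bulletin. Placeholder value only.
    [string[]]$Ms17010Kbs = @('KB<placeholder-for-your-build>')
)

function Get-Smb1Exposure {
    $cfg = Get-SmbServerConfiguration
    # Optional-feature state is not available on every SKU, so tolerate failure.
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -ErrorAction SilentlyContinue
    $installed = Get-HotFix -ErrorAction SilentlyContinue | Select-Object -ExpandProperty HotFixID
    [pscustomobject]@{
        Smb1ServerEnabled = $cfg.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State } else { 'Unknown' }
        Ms17010Present    = [bool]($Ms17010Kbs | Where-Object { $installed -contains $_ })
        # AuditSmb1Access exists on Windows 10 / Server 2016 and later; $null elsewhere.
        Smb1AuditEnabled  = $cfg.AuditSmb1Access
    }
}

$state = Get-Smb1Exposure
$state | Format-List

if ($state.Smb1ServerEnabled -and -not $state.Ms17010Present) {
    Write-Warning 'SMBv1 is enabled and no MS17-010 update from the supplied list is installed.'
}

if ($Remediate) {
    # Stop serving SMBv1; clients that still depend on it will fail to connect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Record any remaining SMBv1 client access (event 3000 in the
    # Microsoft-Windows-SMBServer/Audit log) so stragglers can be found.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
}
```

Run it without `-Remediate` first to see the host's state; rerun with `-Remediate` only after confirming no legacy device on the segment still needs SMBv1.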
Maor Hizkiev, CTO and Co-founder at Bitdam:
“We see that the Yatron ransomware is gaining more and more capabilities as it spreads through different networks. This suggests that the attackers are growing confident in its ability to infiltrate its targets.
In this case, the attackers are aware that patching takes time, which allows them to use an old attack form in order to spread the ransomware in target networks. This could also be the reason they are promoting the attack to security researchers; if it was an attack vector unknown to researchers, they would be much less likely to disclose any information about its creation or method.
Email is the main delivery mechanism for spreading this type of ransomware. Therefore, the most effective way of preventing it from entering your organisation is through the application of an advanced content-borne protection solution. In addition, the fact that patching is a difficult and time-consuming task means that attackers can take a stranglehold on an organisation by gaining access to many devices within its network and subsequently increase the ransom.”