Over the past year, security companies have witnessed the massive impact that ransomware attacks like SolarWinds and Kaseya have had on businesses. As businesses play catch up to the tactics used by hackers to deploy malware, even more sophisticated approaches are unleashed. As we prepare for 2022, ransomware is one thing it’s safe to say is here to stay. Here’s what companies need to consider as they evaluate their cyber hygiene and prepare for 2022:
Expect Ransomware Attacks to Double, if Not Triple
Next year will likely bring double, if not triple, the number of ransomware incidents we saw in 2021. Hackers have seen success from ransom payments – and the number of companies willing to pay is growing. At the micro level, companies know they lack the resources to reclaim their systems on their own in a timely manner, which leaves them with little to no choice in terms of opening up their wallets to attackers. But if we consider the macro level, paying ransomware exacerbates and accelerates the problem by incentivizing and equipping more numerous, skillful attacks. A growing number of companies are paying; at Kudelski Security we see more and more clients who are paying. Until the incentive structure at the micro level vs. macro level align, we will remain in this ransomware conundrum.
Ransomware is now far beyond a security concern; companies are finding themselves in ethical dilemmas surrounding whether or not they can – or should – pay a ransom. The reality is this: the organization cannot identify who they pay to remove the malware from their systems. Eventually, some company is going to be linked to paying a terrorist, which will refocus the debate on regulation.
Supply Chain Disruptions are Far from Over
Between the proven case that more companies than ever are paying ransomware and the slew of supply chain compromises we can expect to still see well into 2022, a vicious cycle is brewing.
The supply chain has been plastered all over the news the last few months in terms of delayed shipping and worries about out-of-stock items ahead of the holiday season. Beyond these inconveniences, the supply chain – including critical infrastructure like oil pipelines – faces the dangers of ransomware attacks due to the chain-like reaction that it has on companies and their partners. In these breaches, far more companies are impacted than the first to be hit or the even the overall intended victim. These more sophisticated attackers can target multiple companies at a time, disrupting each one’s system as they move through the partner companies along the chain.
Moving forward, we can expect to see more and more companies within a supply chain fall victim to ransomware attacks. We’re also likely to see attackers go after managed security providers and law firms, which enables them to attack the hundreds of clients they’re serving at the same time.
Learn about Kudelski Security’s incident response services here.
The Top Ransomware Targets
Cybersecurity, and the tools that are associated with it, are often perceived as extremely expensive. Small and medium sized businesses are massively exposed to ransomware given their lack of protection and how underserved they are by the security community.
Medical ecosystems will also continue to be a top target. The medical industry drives deeper pressure surrounding the amount of time a company must deliberate on paying the ransom or attempting to remedy the situation on their own. Concerns about physical safety will drive more healthcare organizations to make ransomware payments, which in turn, will drive more attacks.
Further, attacks are unlikely to carried out on actual medical systems or devices but will continue to be straightforward, IT-focused attacks. In general, attackers will continue to target billing systems, patient records and ERPs because attacking the enterprise systems is sufficient to accomplish their objectives. If a hospital’s billing and/or patient system is down, it effectively shuts down the hospital, making IT systems in healthcare a primary target for the foreseeable future.
How to Mitigate Ransomware Attacks
Over the next year, with so much increased incentive for ransomware attacks, now is the time for companies to equip themselves with the proper tools and training to set their employees, customers and company partners up for success. Rather than focusing solely on their ransomware backup strategy, companies should use their resources to evaluate their cyber hygiene and endpoint detection and response strategies. It is crucial to fixate on the root causes, not just the symptoms of the overall problem.
This article was originally featured in VMblog.
The ransomware threat is nothing new. Though it really got going around the mid-2010s, cyberattacks in which malicious actors encrypt files and demand payment to render them accessible again have been launched for over thirty years.
Recently, however, the nature of the battle against ransomware has changed: defenders must contend with greater attack volumes, higher ransom demands, and more sophisticated strategies for disseminating malware across IT environments — as well as more widespread activity. Because ransomware attacks continue to be highly lucrative for criminals, it’s unlikely that this trend will reverse itself anytime soon.
The Evolution of the Current Ransomware Threat
The first known ransomware attack took place in December 1989. Delegates who attended the World Health Organization’s AIDS conference that year were sent floppy disks containing malicious code that installed itself onto MS-DOS systems and eventually encrypted filenames, rendering the affected systems basically unusable. Victims were instructed to mail payment to the “PC Cyborg Corporation” at an address in Panama in order to regain access to their files.
As you might imagine, this early attack wasn’t enormously successful. Not only was postal mail an inefficient means of collecting payment, but the encryption methods used by the trojan were weak, so security researchers were able to develop a decryption tool, which they quickly released to the public.
For all its failures, the AIDS Trojan/PC Cyborg attack did unwittingly provide a blueprint for the next generation of attackers of what to avoid and what to do better, in order to achieve their objectives.
Newer generations of ransomware included public-key cryptography (ensuring that decryption keys didn’t have to be embedded in the malware), effective means of gaining initial access to victim environments, and easily disseminating ransomware across an organization’s I.T systems, and a solid strategy for collecting anonymous cross-border payments.
With the rise of Bitcoin and other cryptocurrencies in the early 2010s, the stage was set for ransomware to become the constant and growing threat that it is today. CryptoLocker, which propagated via spam and phishing attachments, targeted home computer users, used strong public-key cryptography and demanded payments in Bitcoin, began to propagate in 2013. By 2015, the FBI reported that there had been more than 1,000 victims of CyptoLocker, with collective total losses that exceeded $18 million.
The modern ransomware era — in which malware spreads widely, attacks are high-profile, ransoms are often in the millions of dollars, and victims are pressured to pay up right away — arguably began with the WannaCry ransomware attack in 2017. Exploiting a Microsoft Windows vulnerability for which a patch was already available, WannaCry eventually infected more than 230,000 computers in over 150 countries, making Bitcoin payment demands in 20 different languages. WannaCry’s perpetrators demanded only $300 per infected machine. We’ll likely never know if WannaCry was truly intended to collect ransoms from all infected victims, if the malware was released prematurely, or if it was simply intended to cause mass disruption. However, Wannacry was clearly designed by nation-state-level attackers attempting to do damage on a massive scale. Wannacry’s authors incorporate extremely effective and stable remote code execution exploits and wrote the ransomware to spread across networks automatically. Since then, we’ve seen many ransomware actors build these “worm” like functionalities into their malware to effectively infect an entire organization quickly.
Scaling Up: Ransomware-as-a-Service Emerges
Over the last few years, ransomware operators have looked to legitimate software developers for a new business model. As Software-as-a-Service (SaaS) became popular, criminals began supplying access to ransomware toolkits to anyone who wanted to build their own ransomware extortion “business”. These Ransomware-as-a-Service (RaaS) kits made it possible for would-be criminals with little technical skill or expertise to launch ransomware attacks, as long as the RaaS operators get a cut of the ransom. The kits are widely advertised and marketed on the dark web, where everyone from organized cybercriminal groups to individuals can purchase them. Just like regular SaaS, RaaS can include 24×7 user support, additional bundled offers, and access to user reviews and community forums. And the prices for access are relatively low, ranging from $40 to several thousand dollars a month or simply a percentage commission on any ransomware payments received.
With the average ransom demand in late 2020 reaching a new high of $847,344 — and continuing to trend upwards — it’s easy to see how this cost model would be advantageous for criminals. After all, only a small portion of the attacks need to succeed in order for the attacker to generate significant revenue.
The broad global adoption of cryptocurrencies facilitates both the sale of RaaS kits and the collection of payments from victims. Meanwhile, ransomware development is becoming more and more professionalized and is operating on an industrial scale. RaaS operators continue to reinvest their earnings into more reliable exploits, into software developers who are tasked with quickly integrating the latest attack tooling and methods. This enables ransomware cybercriminals to gain initial access to victim environments by leveraging the latest exploits, improved techniques for orchestrating lateral movement, and better ransomware deployment capabilities overall. Criminal groups are also offering pre-established access to a victim’s network in exchange for a percentage of the final ransom payment. This gives less-skilled criminals access to greater numbers of potential victims, and better-resourced groups the advantage of scale.
How to Prevent Ransomware as It Continues to Rise.
Over the coming months and years, it’s all but certain that ransomware attacks will continue to increase in frequency, severity, impact, and economic cost. If the opportunity remains, criminals will take advantage of it. As long as companies continue to pay ransoms rather than face the catastrophic business and operational consequences of extended downtime, there’s no end in sight. Every time that a victim pays up, it feeds the criminals’ incentive to perpetrate further attacks.
Far too many organizations still fail to master the basics of cybersecurity hygiene, including maintaining ongoing visibility into their asset inventory, managing vulnerabilities, and reducing the attack surface. Particularly because RaaS makes it possible for less-sophisticated threat actors to perpetrate large volumes of attacks, it’s very common for attackers to exploit relatively simple mechanisms to gain initial access to the environment where they’ll deploy the ransomware.
What’s more, in today’s world criminal-friendly payment methods are readily available. It’s possible to collect anonymous payments in multi-million-dollar amounts, and cybercriminal groups based in Eastern European countries do so on a regular basis. Though attribution is always a challenge, it appears that some nation-state actors are affiliating themselves with these organized criminal groups as ransomware attacks become part of the global geopolitical cyber battlefront.
Despite the best efforts of law enforcement and government agencies, these criminal groups continue to operate with impunity. Because they’re located in jurisdictions where they have tacit or explicit protection from governments and local authorities, it’s extremely difficult to stop them.
And as growing numbers of high-profile attacks attract media attention, they continue to invite copycats to imitate them. The Colonial Pipeline attack, for instance, drew the entire world’s notice when it successfully brought the fuel supply to the eastern United States to a halt. Soon afterward, the Kaseya supply chain attack demonstrated the enormous scale of the impact that such attacks can have.
In the wake of these events, it’s likely that we’ll see increasing government intervention, including new regulations and disclosure requirements. Meanwhile, insurers are increasingly opting out of covering this risk or demanding high premiums.
It’s incumbent upon all organizations to limit their risk exposure by developing and implementing a cyber risk management program that’s rigorous and quantitative in nature. Without this — and a strong foundation of security hygiene, incident response planning, and putting appropriate controls in place — the financial consequences will eventually become too grave to bear.
2017 has been a pretty “interesting” year from an information security perspective. We have had plenty of big security events such Cloudbleed, the CIA Vault7 leaks, Shadow Broker’s exploits and post-exploitation tools publication, hacking of Macron’s campaign for the French presidency, Equifax, Uber, Deloitte, Nicehash, and even the DoD AWS breaches.
But in this post I want to focus on the main Ransomware cases we saw last year because they were much more impactful than the ones of previous years.
Since 1989 when the AIDS Trojan was released, ransomware has evolved a lot. Specially in the last few years where we can see an exponential evolution for ransomware in terms of complexity and impact that ransomware campaigns have had worldwide.
Legacy ransomware was quite basic and mainly relied on the victim’s lack of a backup, fear and hurry to pay. But in the last few years we’ve seen a trend of rapidly evolving ransomware variants that continue to grow in complexity. To ensure the highest number of paying victims, ransomware authors have begun to adapt the ransom messages to the victim’s language. We’ve also seen ransomware as a service, allowing criminals without the skills or knowledge to stand up successful ransomware campaigns, we’ve even seen ransomware that allows you to avoid the payment if you infect other victims.
On the other hand, society has changed in a way that makes ransomware much more impactful. We rely much more on smart phones and computers. The data these devices store has become more valuable for users and organizations. Additionally, the Internet of Things (IoT) has come to stay, so we’ll see more and more devices affected by ransomware in the future.
But if we look specifically into 2017 we can find a new big trend for ransomware: the capability to automatically spread themselves laterally within the network of their victims. Ransomware authors have successfully automated lateral movement techniques which were previously used by advanced adversaries.
On April 14th, 2017, the Shadow Brokers group published an exploitation framework developed by the Equation Group. This framework included the incredibly effective and advanced EternalBlue and EternalRomance exploits that leveraged vulnerabilities on the windows SMB protocol to gain administrative access into the targeted system. These exploits where a key reason for the success of the most impactful ransomware campaigns from 2017, as we will explore in this post.
On May 12th, 2017, the “WannaCry” (Wanna Cryptor) ransomware became a worldwide issue. It spread quickly and effectively, affecting more than 300,000 systems in at least 150 countries. This ransomware encrypted the files of the victim and spread laterally through an organization’ network by using the EternalBlue exploit. Even considering the huge economic impact that Wannacry resulted in, we were lucky because the ransomware was only capable to propagate laterally on Windows7 and Server 2008 systems, and not in WindowsXP or Windows10.
On the other hand, WannaCry had implemented a “kill switch” mechanism. During the infection phase, it queried DNS for a specific domain and only attempted to move laterally to new systems if the domain was not answering. When Marcus Hutchings (AKA MalwareTech), a security researcher, registered and sinkholed the domain, the WannaCry ransomware stopped spreading as a worm.
The fact that the WannaCry ransomware was buggy, didn’t use unique bitcoin wallet addresses per infection (a key “security” measure used by most ransomware variants today to make it difficult for researchers to track payments made to the authors), and had this “kill switch” mechanism caused some security researchers to speculate about the possibility of WannaCry being a test that started that was accidentally released to the wild. On the other hand, last December, the U.S. assistant to the president for homeland security and counterterrorism attributed this ransomware to North Korea, who vehemently denied being responsible for the cyber attack.
A month and a half after WannaCry, we wake up with a new surprise: Petya/NotPetya. Petya was a ransomware variant in use since April 2016. The Petya ransomware was unique because rather than searching and encrypting specific files (like most ransomware), it replaced the infected machine’s boot loader and encrypts the master file table to lock the access to the computer or the data on it until the ransom is payed. The ransomware strain seen on June 26th, named NotPetya and which original infection vector appears to have been a malicious update from a Ukrainian financial software firm, re-used quite a bit of the Petya ransomware code with significant improvements and differences.
First of all, NotPetya is not truly a functional ransomware strain since even if you pay, you can’t unblock the access to the victim’s system. Due to this, it appears that the purpose of this malware was not to make money but rather to impact the availability of data and services. Second, much like the WannaCry ransomware campaign, NotPetya implemented mechanisms to automatically spread itself by using the EternalBlue exploit. However, NotPetya was also effective against organizations that had already applied patches that prevented the use of the EternalBlue and other Equation Group exploits. The NotPeyta ransomware used common threat actor techniques to retrieve cached passwords from already infected systems to move laterally within the network and infect additional systems by abusing PsExec and WMI protocols.
Because NotPetya appears to have been designed to cause damage to customer systems, it is much more effective than WannaCry, but masquerading as a standard ransomware campaign points to the likelihood that it was developed by a very skilled and resourced group. The potential goal of the campaign becomes clearer when you examine the impact of the Notpetya campaign. Most of the organizations impacted by NotPeyta where located in Ukraine, including airports, public transportation, banks, and Ukrainian government systems. The Security Service of Ukraine point to the involvement of the Russian Federation special services in the attack.
Finally, on October 24th, 2017 BadRabbit made its debut. This ransomware is a variant of NotPetya that leverage hard coded and stolen credentials to spread across the local network. However, the fact that it didn’t use EternalBlue to spread laterally like WannaCry and NotPetya (it used another Equation’s group exploit called EternalRomance instead) and the fact that a vaccine to prevent the infection was quickly available the day of the attack have mitigated much of the impact of this last big wave of 2017’s ransomware.
Looking at the impact those ransomware incidents have had we can realize the importance for organizations to implement some basic security controls such:
- An updated inventory of the computers assets. You can’t protect what you don’t know you have.
- An effective Vulnerability Management Program to ensure systems are correctly patched for critical vulnerabilities.
- Access control and proper network segmentation.
- Do proper Windows hardening and take advantage of the new security controls Microsoft is including on its OS. You can find here a good article from Microsoft on this topic.
- Have an effective backup strategy to be able to recover the important data in case of disaster but also in case of ransomware infection.
- Limit user privileges on the endpoints whenever is possible. Notpetya would not have been as effective if users had not local administrator privileges on the endpoints.
- Limit the internet access from production servers whenever possible.
- Implement and test an Incident Response Plan that includes ransomware scenarios to avoid any improvisation in a crisis scenario.
- Use effective Endpoint security solutions able to identify Indicator of Attack/compromise rather than rely only on signature based detection.
In conclusion, 2017 was the year of the of worm-style ransomware such as WannaCry or Notpetya, which affected organizations all over the world and used advanced lateral movement techniques to enable its spread. I think we should expect this trend to continue and evolve in the near future. I believe it’s important for the organizations to get as prepared as possible to prevent and be able to successfully react to such threats.
If you’re in Switzerland this January, join us at the SIGS Kick Off in Zurich or the ICT Networkingparty 2018 in Bern. Our focus in 2018 throughout the SIGS .series 2018 will be MSS, and both these events promise to bring together the brightest minds in the IT Security industry to share thinking on 2018 trends.
- Microsoft Windows 10 Enterprise includes a feature called “Credential Guard”. This feature can prevent certain attacker tools from compromising administrative credentials using well known techniques such as a Pass the Hash attack. Having this feature enabled would have prevented NotPeya from harvesting local credentials to spread within a local network (one of the methods used by the worm component). More Information: below:
- Microsoft is also releasing a new feature for Windows 10 in September/October which enables certain files and folders and should provide end users and enterprises another tool to protect against ransomware. This feature is being called “Controlled Folder Access”. More Information:
- The malcode used to create the installation ID which would presumably then be used to create a customized decryption key for each victim was randomly generated and useless. Kudelski Security reiterates: DO NOT PAY THE RANSOM.
UPDATE: 5:30 P.M. EST
As we often see in these global outbreak and response scenarios, information can change quickly. The following are a few updates based on what we’ve learned since our initial advisory.
- The ransomware is not actually petya.a. It does use some its components but the malcode used in today’s attacks was built to look like petya instead
- There does appear to be a kill switch in this first variant that stops the local encryption. The malcode looks for a copy of itself in C:\windows. The file name has been identified as perfc.dat. Unfortunately, it still appears to attempt its spread across the network.
- There are reports that “patient zero” is a finance technology company based in Ukraine
- We have seen reports of thousands of devices compromised within a just a few minutes at several different organizations
- CVE-2017-0199 is not part of this malcode. It was mentioned early on as related but was likely a misattribution due to near simultaneous detections of different attacks
- General steps of the infection
- ARP Scan
- Check/Get credentials (mimikatz or similar)
- Psexec to execute WMI
- If psexec fails use eternalblue
- Reboot to encrypt
- If clients can catch the reboot before it completes, it has been reported that files can be saved by not turning on the computer and recovering files offline.
- We urge caution when looking for some the common IOC’s that have been released so far. Some of them will generate high volumes of false positive alerts, in particular those related to CVE-2017-0199 (see #5)
- The malcode used a fake MS certificate and XOR to avoid most of the current AV detection routines.
- DO NOT PAY the ransom. The email associated with the bitcoin wallet is not valid.
- This attack and the code associated with it is far more professional and dangerous than what we saw WannaCry.
- Expect to see new and creative ways that attackers can automate propagation of malcode through an environment.
wCry2 Ransomware spreading via EternalBlue (MS17-010)
Update May 15
Mid-morning (U.S time) Neel Mehta, a security researcher at Google, posted a cryptic tweet with the hashtag “#WannaCryptAttribution”:
The tweet referenced hashes of two examples, one of the current WannaCrypt ransomware campaign, and a sample linked to the Lazarus ATP group from February 2015. Breaches and operations conducted by the Lazarus group, including the Sony wiper attack, had previously been attributed to the government of North Korea (DPRK).
Researchers have reviewed the locations in the binaries mentioned by Neel and identified that both samples share the same code, have similar functions, and very similar modules in several locations. As such, many security researches have attributed the WannaCrypt ransomware campaign to the DPRK. Kudelski Security urges caution when attempting attribution based on similarities in binaries as several state sponsored threat actors often repurpose code in other to obfuscate the true origin of malware and tools.
A word about the Bitcoin wallets used
The Kudelski Security Cyber Fusion Center has continued to monitor the three bitcoin wallets found the various WannaCrypt samples. As of the time of this writing, the three wallets have received a total of 34.9 Bitcoins ($61,153.77 USD at current exchange rates) from 232 unique transactions. That is a large increase from the $27,614 USD observed early this morning.
It is likely that as organizations and users arrived at work this morning, several have chosen to pay the ransom in an attempt to restore access to critical files:
Over the weekend and throughout Monday morning and afternoon Kudelski Security has continued to monitor developments related to the Wana Decrypt0r 2.0 / WannaCrypt ransomware. Since our last update, we’ve seen at least two new variants of the ransomware which include new “kill switch” domains. Luckily, these new samples have been quickly identified and the additional domains have been registered, thus stopping the spread of these new variants.
Over the weekend the Kudelski Security Cyber Fusion Center team examined available WannaCrypt examples and discovered that both the “worm code” and the portions of the malware which deploy the actual ransomware payload are highly modular. The modular nature of these variants means that we can expect to see modified examples that attempt to deploy other ransomware or malware variants. Additionally, the worming code can easily be replaced to leverage other remote code execution (RCE) vulnerabilities as they become available.
Windows 10 not affected
Analysis by Microsoft, Kudelski Security, and several other organizations has also identified that the EternalBlue exploit code leveraged by currently available examples of the WannaCrypt ransomware appear to only target the Windows 7 and Windows Server 2008 (or earlier) platforms. As such, organizations or users with Windows 10 were not affected by this attack.
Decryption is a manual process
Independent security researchers investigating samples of the WannaCrypt ransomware have discovered that the ransomware requires manual intervention from “operators” to provide the decryption keys. Additionally, there has not yet been any independent verification that paying the ransom actually ensures that files are decrypted. Kudelski Security recommends that affected organizations do not pay the ransom.
Initial infection vector still unknown
The initial infection vector that caused the start of the campaign in Europe is still unknown. While most ransomware campaigns spread by either phishing campaigns or by leveraging exploit kits. However, in this case researchers have not yet identified any email examples or exploit kit landing pages which distribute to the WannaCrypt` variants which such havoc over the last 3 days.
Update May 13
Data was coming in very quickly on Friday and while we worked to provide timely and reasonable information we know now more about what happened and how the Wana Decrypt0r 2.0 ransomware outbreak managed to escalate so quickly.
First some good news: The malware, once executed checked for the existence of a randomly generated domain. If the domain did not exist or could not be reached, the execution of malicious code continued. If the domain existed and was accessible, a kill switch was activated and the infection was halted. A malware blogger and reverse engineer from the U.K registered the domain which effectively slowed the malware spread in the U.S. Unfortunately, many anti-virus vendors began to block the domain, unintentionally allowing the installation to continue, realizing the error some of the anti-virus vendors have removed the block and now sinkhole the domain instead.
More information here:
The unfortunate news is that there are now samples emerging that no longer contain the domain based “kill switch”.
An example of this new variant is available here:
Additionally, are further review of the malicious binaries, we’ve identified that all RF1918 (private) netblocks as well as randomly generated internet netblocks are also scanned looking for further propagation avenues. This means that organizations could also potentially be affected by way of site-to-site VPN connection with business partners or vendors. The ransomware has also spread via guest wifi, thus users should be cautious as it is possible they could be affected while connected to an open wifi hotspot.
Researchers have noted that WannaCry 2.0 is not the actual worm. The worm is the MS17-010 “spreader”. WannaCry 2.0 is dropped by the “spreader” which can also be used to drop other binaries and files. Thus, it is extremely critical that organizations apply the MS17-010 patches as quickly as possible.
Mac OS and Linux users running Windows VMs or Wine are also affected if not patched.
Along with the ETERNALBLUE components, the dropper also calls out and downloads DOUBLEPULSAR. Organizations affected will want to check for the existence of DOUBLEPULSAR once the initial attack is remediated. There is a free script available to check for this located here:
The Wana Decrypt0r 2.0 ransomware campaign utilized 3 Bitcoin wallets and as of today they show modest returns. Note: there is no indication that paying the ransom actually provided the user with the keys to decrypt their data and some researchers reported that users had to interact with a human via phone or web chat to negotiate. In the ransom note, the attackers mention that if someone is “too poor” to pay that their files will automatically decrypt in 6 months.
The following Bitcoin wallets have been linked to this ransomware campaign:
The Global response to this campaign has been swift and effective, unfortunately, too late for a large number of European organizations. Microsoft released updates to its malware protection engine to block the malware. Additionally, Microsoft has unexpectedly released security patches for EternalBlue and MS17-010 vulnerabilities for the unsupported Windows XP, Vista, Windows 8, and Windows server 2013 operating systems.
When unfortunate events like this take place, it’s easy for information security practitioners to point fingers and assign blame but the global information security community would be better served by helping organizations understand and avoid these situations in the future.
Moving forward, Kudelski Security expects to see most if not all ransomware and malware families using similar techniques to spread quickly and infect large numbers of users and organizations.
This global ransomware outbreak is a stark reminder that organizations must have the basics covered. Organizations must review and evaluate their vulnerability and patch management programs to ensure confidence, comprehensiveness, and effectiveness. Security patches are a fundamental and critical foundation of any organizations security program and should be tested and applied quickly. Organizations should also perform a “health checkup” and review backup strategies, test backups regularly, and ensure backups are easily accessible while also being protected from encryption and deletion. Also, organizations should review and reevaluate what traffic is allowed to and from the internet.
Once the basics are covered, now is the time to start looking at some of the newer endpoint protection platforms that rely on behavioral indicators that executables could be malicious instead of solely relying on signatures.
Now is the time to take a look at security, review and apply the basics, and then pragmatically strengthen its effectiveness.
On May 12 2017, a widespread cyber-attack utilizing the WCry2 ransomware, also known as Wana Decrypt0r 2.0, began spreading across the globe. At the time of this writing, the Ransomware has currently impacted organizations in 99 countries and continues to spread. Wana Decrypt0r 2.0 uses the EternalBlue exploit (MS17-010), released by the Shadow Brokers in March 2017. This SMB exploit is used to attempt to infect other machines within the same network and to scan for, and infect, potentially vulnerable Windows machines on the internet.
Wana Decrypt0r 2.0 is a highly effective ransomware variant that encrypts several file types, making them inaccessible to the user, and demands a payment of $300 U.S dollars in Bitcoin to decrypt the files.
Additional details on Wana Decrypt0r 2.0 and EternalBlue (MS17-010)
Wana Decrypt0r 2.0 is a variant of the WannaCrypt ransomware family that is currently being spread by exploiting EternalBlue (MS17-010). Wana Decrypt0r 2.0 encrypts several file types on an infected computer demands a ransom of $300 USD in Bitcoin to decrypt the inaccessible files.
ExternalBlue is an exploit that takes advantage of previous vulnerabilities in SMB, a critical protocol for Windows Systems. The exploit allows for the remote execution of malicious code on vulnerable systems without requiring any use interaction. The ExternalBlue exploit requires that the systems be vulnerable and expose the SMB service (enabled by default on Windows systems) to successfully compromise a system and replicate across network infrastructure to other vulnerable Windows systems.
At the time of this writing, this cyber-attack has quickly spread to 99 countries across multiple regions of the world. This global threat arrives in the form of a phishing email with a malicious attachment, once the malicious attachment is opened a dropper begins to download and unpack the actual ransomware code. The ransomware encrypts the user’s files, scans the networks to which the machine is connected, and uses the EternalBlue exploit to spread across organizations with unpatched Windows systems.
Kudelski Security has observed several industries and regions being specifically targeted by this ransomware campaign. Kudelski Security has intelligence that indicates that other ramsomware campaigns are actively integrating more of the Fuzzbunch framework exploits into their code.
As of this writing, according to internet scanning tool Shodan, there are approximately 2.4 million internet exposed systems which may be vulnerable to this exploit.
Mitigation and Response
Microsoft released a patch for the EternalBlue and other critical remote code execution vulnerabilities in March 2017 as part of Microsoft Security Bulletin MS17-010.
Kudelski Security recommends that clients immediately apply the patch for MS17-010. For organizations unable to quickly apply the Microsoft patches, potential mitigations include using a GPO to apply Windows Firewall rules to block inbound SMB connections on all unpatched endpoint systems and limiting SMB connections between servers.
Kudelski Security also recommends limiting all inbound and outbound communication on UDP ports 137 & 138 and TCP ports 139 & 445 on internet firewalls in order to reduce exposure and the slow the propagation of this ransomware.
Kudelski Security recommends backing up all files, including systems already affected by the ransomware in case future decryption tools become available.
Additionally, Kudelski Security recommends that organizations evaluate their vulnerability management programs to ensure that updates and patches are tested and applied quickly once they are released.
The Kudelski Security Cyber Fusion Center has ensured all managed and monitored security devices are updated with detection signatures and methodology to detect the uses of the Wana DeCrypt0r 2.0 ransomware and exploitation with ExternalBlue and other recent Windows exploits.
MS17-010 –Critical security advisory
VirusTotal analysis of malicious PDF:
Ransomware Dropper b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
220.127.116.11:9001 18.104.22.168:443 22.214.171.124:443 126.96.36.199:9001 188.8.131.52:443 184.108.40.206:443 220.127.116.11:9001 18.104.22.168:9004 22.214.171.124:443 126.96.36.199:9001 188.8.131.52:22
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696 201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9 ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa 0345782378ee7a8b48c296a120625fd439ed8699ae857c4f84befeb56e727366 78e3f87f31688355c0f398317b2d87d803bd87ee3656c5a7c80f0561ec8606df eeb9cd6a1c4b3949b2ff3134a77d6736b35977f951b9c7c911483b5caeb1c1fb 57c12d8573d2f3883a8a0ba14e3eec02ac1c61dee6b675b6c0d16e221c3777f4 dff26a9a44baa3ce109b8df41ae0a301d9e4a28ad7bd7721bbb7ccd137bfd696 a3900daf137c81ca37a4bf10e9857526d3978be085be265393f98cb075795740 fc626fe1e0f4d77b34851a8c60cdd11172472da3b9325bfe288ac8342f6c710a 201f42080e1c989774d05d5b127a8cd4b4781f1956b78df7c01112436c89b2c9 ca29de1dc8817868c93e54b09f557fe14e40083c0955294df5bd91f52ba469c8
09a46b3e1be080745a6d8d88d6b5bd351b1c7586ae0dc94d0c238ee36421cafa 24d004a104d4d54034dbcffc2a4b19a11f39008a575aa614ea04703480b1022c 2584e1521065e45ec3c17767c065429038fc6291c091097ea8b22c8a502c41dd 4186675cb6706f9d51167fb0f14cd3f8fcfb0065093f62b10a15f7d9a6c8d982 5ad4efd90dcde01d26cc6f32f7ce3ce0b4d4951d4b94a19aa097341aff2acaec 7c465ea7bcccf4f94147add808f24629644be11c0ba4823f16e8c19e0090f0ff c365ddaa345cfcaff3d629505572a484cff5221933d68e4a52130b8bb7badaf9 f8812f1deb8001f3b7672b6fc85640ecb123bc2304b563728e6235ccbe782d85