Worldwide

On 5/12/2017, the world saw a massive cyberattack that spread globally in only a matter of minutes.

Gizmodo: There’s a Massive Ransomware Attack Spreading Globally Right Now
CNN: Massive ransomware attack hits 99 countries
Time: Cyberattack That Crippled U.K. Hospitals Is Global

The initial attack vector has been email, through spam. These messages are typically fake invoices, job offers and other lures sent to random email addresses. Within the email is a .zip file which, once opened, initiates the WannaCry infection.

The attack then spreads on internal networks using peer-to-peer exploitation of SMB (Server Message Block) known as EternalBlue. The files are dropped by a worm which abuses SMB, a network file sharing protocol. Other aspects of the malware leverage file-less exploitation techniques, and the malware is morphing rapidly in the wild, with over a dozen variants seen thus far.

The file extension used for encrypted files is .wncry, and the malware drops a ransom notification named @Please_Read_Me@.txt in common file and folder locations.

Earlier this month, independent researchers scanned the internet and deemed there were 150,000 internet-accessible computers open to this vulnerability.

HOW TO PROTECT YOURSELF:

Microsoft released a patch for this particular vulnerability in March and we recommend that everyone install this patch immediately.

More information about the patch and the Windows versions and editions impacted by this exploit is available from Microsoft. There are various IDS rules available that can also be used to help stop the spread of this attack; install this rule on your IDS system and watch for its activation.

IDS RULE:

alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE MS17-010 Echo Response"; flow:from_server,established; content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)
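To see what the rule above actually matches on, here is an added example (not part of this advisory, and not a Snort/Suricata component) that parses the rule's two content patterns and applies its depth and distance constraints to constructed SMB response bytes. The flowbits:isset check is deliberately not modelled; see the note after the code.

```python
import re
from typing import List

# The IDS rule quoted in this advisory, copied here so the example runs stand-alone.
RULE = (
    'alert tcp $HOME_NET 445 -> any any (msg:"ET EXPLOIT Possible ETERNALBLUE '
    'MS17-010 Echo Response"; flow:from_server,established; '
    'content:"|00 00 00 31 ff|SMB|2b 00 00 00 00 98 07 c0|"; depth:16; fast_pattern; '
    'content:"|4a 6c 4a 6d 49 68 43 6c 42 73 72 00|"; distance:0; '
    'flowbits:isset,ETPRO.ETERNALBLUE; classtype:trojan-activity; sid:2024218; rev:2;)'
)


def parse_content(spec: str) -> bytes:
    """Turn a rule content string into raw bytes: text outside |...| is literal,
    text inside |...| is space-separated hex."""
    out = bytearray()
    for i, part in enumerate(spec.split("|")):
        out += bytes.fromhex(part) if i % 2 == 1 else part.encode("latin-1")
    return bytes(out)


def extract_contents(rule: str) -> List[bytes]:
    """Return every content:"..." pattern of the rule, in order."""
    return [parse_content(m) for m in re.findall(r'content:"([^"]*)"', rule)]


def matches(payload: bytes, rule: str) -> bool:
    """Apply the two content checks the way the rule's modifiers specify."""
    first, second = extract_contents(rule)
    # depth:16 -> the 16-byte first pattern (NetBIOS length 0x31, the SMB1 magic
    # \xffSMB and command byte 0x2b, SMB_COM_ECHO) must sit inside the first 16 bytes.
    idx = payload[:16].find(first)
    if idx == -1:
        return False
    # distance:0 -> the second pattern must appear at or after the end of the first.
    return payload.find(second, idx + len(first)) != -1


# Constructed sample buffers (not real captures): one shaped like the echo
# response the rule describes, one with the SMB header shifted past depth 16.
SAMPLE_HIT = extract_contents(RULE)[0] + b"\x00" * 21 + b"JlJmIhClBsr\x00"
SAMPLE_MISS = b"\x00" * 4 + SAMPLE_HIT

if __name__ == "__main__":
    print("hit  ->", matches(SAMPLE_HIT, RULE))   # True
    print("miss ->", matches(SAMPLE_MISS, RULE))  # False
```

Note that the rule also requires flowbits:isset,ETPRO.ETERNALBLUE, so on a real sensor it only fires if the companion rule that sets that flowbit is loaded too; installing this single rule by itself will not produce alerts.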

LESSONS LEARNED:

These new ransomware variants clearly show the critical importance of several fundamental security best practices:

1) Patch management: The vulnerabilities exploited by this ransomware have had patches available for over two weeks, and yet many systems on the internet (and many more in local networks) remain vulnerable. Keep ALL your systems (not just servers) up to date with the latest patches. Your operating systems and browsers will take care of themselves (although you need to monitor them and ensure the patching is working correctly), but many third-party applications will not.

2) Signature-only approaches to anti-virus protection can now be circumvented. This ransomware is evolving and morphing quickly specifically to avoid signature-based detection.


3) Scanning files is no longer enough protection; malware like this can execute key portions of its payload without a separate file to scan.

4) Network protection is becoming more critical, even to small- and mid-sized businesses.

IF YOU ARE INFECTED:

There are no known methods to recover files encrypted by this ransomware to date. We also recommend backing up your systems early and often (we hope you’ve been doing that already); those backups can then be restored to recover from an infection.

Best of luck!

D Designs & Solutions
Security Team



Sunday, May 14, 2017



