All posts by Sarah Hospelhorn

California Consumer Privacy Act (CCPA) vs. GDPR

Data privacy laws are fast becoming a primary element in any data security conversation: from the EU’s GDPR to the California Consumer Privacy Act to Japan’s Act on the Protection of Personal Information, the ability to protect consumer data is top of mind. For companies that are built around consumer data, consumer trust becomes a vital part of their business model.

On May 25, 2018, the EU General Data Protection Regulation (GDPR) went into effect. And in the wake of the EU’s GDPR came another shift in data privacy — the California Consumer Privacy Act (CCPA). On June 28, 2018, Governor Jerry Brown signed the CCPA, which will enact some of the country’s most powerful consumer data privacy protections into law.

With the devastating series of data breach incidents in the past couple of years, many questions and concerns have arisen about the way consumer data is being handled. 2017 was the year of the data breach, given the magnitude of high-profile incidents at companies such as Equifax and Yahoo. Attacks like these make data breaches seem part of normal life — not just in the United States, but around the world.

While the GDPR was created to protect citizens of the EU, its impact spans much farther. The CCPA is an outcome of the GDPR’s reaching influence, shifting government priorities and making them more willing to protect individual privacy. Although the CCPA does not go into effect until January 1, 2020, it’s important to be aware of the policies and processes necessary for compliance, and to analyze the current and future impact it will have in comparison to GDPR.

CCPA Overview

Businesses have a track record of using personal information to benefit their own agenda: the California Consumer Privacy Act (CCPA) will serve to protect California consumer rights and encourage stronger privacy and greater transparency overall. It will give consumers ownership, control, and security over their personal information – and consumers will have the ability to request that any business disclose (and delete) the personal information that it collects, and request that their data not be sold to third parties.

These data protections give Californians the right to:

  • Know what personal information is being collected
  • Access the personal information that is collected, and request it be deleted
  • Know whether their personal information is being shared, and if so, with whom
  • Opt-out of the sale of their personal information
  • Have equal service and price, whether or not they choose to exercise their privacy rights

Businesses will also be prohibited from selling the personal information of consumers ages 13–16 (unless the consumer opts-in). For consumers under the age of 13, consent from a parent or guardian will be required. These new protections not only affect California consumers, but also California businesses.

Who Does the CCPA Apply to?

The California Consumer Privacy Act defines a business as a for-profit entity that collects consumer personal data. So, if you’re a business in the state of California that meets at least one of the following thresholds, you may be subject to compliance:

  • Businesses that earn $25,000,000 or more a year in revenue
  • Businesses that annually buy, receive, sell or share personal information of 50,000 or more consumers, households or devices for commercial purposes
  • Businesses that derive 50% or more of their annual revenue from selling consumer personal information

Under the CCPA, California citizens will have the ability to bring a civil action lawsuit against companies that do not abide by the law. The state can also bring these charges to a company directly — charging a $7,500 fine for any violation that is not addressed within 30 days.

Why does California’s new law matter for everyone else? It’s part of a global trend pushing companies toward greater accountability with regard to protecting consumer data. Additionally, it has pushed other countries and states to take personal data and consumer rights to data privacy more seriously. Chief proponent of the CCPA Alastair Mactaggart stated that, “While this law just covers California currently, large companies will soon have to offer similar rights to Americans.”

CCPA vs. GDPR

The European General Data Protection Regulation is an evolution of the EU’s existing data rules, the Data Protection Directive (DPD). It addresses many of the shortcomings in the DPD, including adding requirements for documenting IT procedures, performing risk assessments under certain conditions, notifying the consumer and authorities when there is a breach, and strengthening rules for data minimization. People who are familiar with the GDPR will notice some strong similarities to the CCPA.

The CCPA is said to be a model of the GDPR. And, with the recent passage of the CCPA, many people have been wondering how it compares to the GDPR — with some even calling it the American version of the regulation. No matter how influenced the CCPA may have been by the GDPR, there are some clear differences worth noting in each legislation.

Both the CCPA and the GDPR give individuals certain rights over how their personal information is collected and used; however, there are several important contrasts to be aware of. Because California has a much larger economy than the UK, the implications of penalties may be even more severe than those of the GDPR. Even though the CCPA does not go into effect until 2020, we’re already seeing it influence federal legislation.


Check out our interactive Venn diagram below to better understand the similarities and differences between the GDPR and CCPA.

CCPA: Effective date

January 1, 2020

CCPA: Who it protects

“Consumers” who are California residents.

CCPA: Personal information

Defined as any information that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked directly or indirectly, with a particular consumer or household.” This includes not only identifiers like name or address, but extends to browsing history, behavioral data, and more.

CCPA: Rights granted

Grants consumers five rights:

  1. The right to disclosure.
  2. The right to deletion.
  3. The right to access.
  4. The right to opt-out.
  5. The right to non-discrimination.

CCPA: Right to deletion

CCPA right to deletion applies to data collected from and about the consumer.

CCPA: Who must comply

“California businesses” of substantial size (with regard to revenue or number of consumers affected) that collect consumer personal data.

CCPA: Basis for consent

Allows sites to collect and sell your data if you sign up or make an online purchase and only offers consumers the right to opt-out.

CCPA: Time allowed to respond to a request

Responsible parties have 30 days to respond to a request.

CCPA: Financial penalties

Organizations in breach can be fined up to $2,500 per violation for negligent violations and up to $7,500 per violation for intentional violations.

Similarities between CCPA and GDPR

  • Encourage transparency in businesses/related entities.
  • Require businesses/related entities to report data breaches to consumers/individuals.
  • Look to better secure and protect the personal information of an individual.
  • Define data processing as “any operations performed on personal data, automated or otherwise.”

GDPR: Effective date

May 25, 2018

GDPR: Who it protects

“Data subjects” in the European Union.

GDPR: Personal information

Defined as any information relating to an identified or identifiable natural person, directly or indirectly. This usually means data like address, license plate numbers, SSN, blood type, bank account information, and more.

GDPR: Rights granted

Grants data subjects eight rights:

  1. The right to be informed.
  2. The right of access.
  3. The right to rectification.
  4. The right to erasure.
  5. The right to restrict processing.
  6. The right to data portability.
  7. The right to object.
  8. Rights in relation to automated individual decision making, including profiling.

GDPR: Right to deletion

GDPR right to deletion applies to all data collected about the consumer.

GDPR: Who must comply

Any “data controllers” (who determine the purpose and means of processing the data) and “data processors” (who process this data for the controller) that hold personal data of EU citizens.

GDPR: Basis for consent

Requires consumers to opt-in to data collection by instructing sites to get consent before collecting data.

GDPR: Time allowed to respond to a request

Responsible parties have 40 days to respond to a request.

GDPR: Financial penalties

Organizations in breach can be fined up to 4% of annual global turnover or EUR 20 million.

The Big Picture

Governments are beginning to take data privacy very seriously. Like the GDPR, the CCPA will have far-reaching impacts across state jurisdictions. And, although the CCPA does not go into effect for another 15 months, we’ve learned from the GDPR that a year and a half isn’t a lot of time to become compliant.

It’s important to start preparing now: being prepared will save your company a lot of headaches (and costly enforcement actions) in the future. Meeting subject access requests – whether for GDPR, CCPA, or another regulation – can be especially difficult to achieve: you need to be able to identify content related to a data subject, classify and protect consumer data, and sometimes even delete upon request.

Don’t expect this to be the last privacy act, either — there are many more on the horizon. Companies should be prepared to meet more stringent data privacy regulations that focus on data discovery, security, and classification.

How Varonis Helps with the California Consumer Privacy Act (CCPA)

The California Consumer Privacy Act (CCPA) is set to go into effect on January 1, 2020. It not only gives ownership and control of personal data back to the consumer but holds companies accountable for protecting that data.

What is the California Consumer Privacy Act?

The CCPA gives California residents four basic rights in relation to how companies collect and store their personal information:

  • Transparency: the right to know what personal information a company is collecting about them, where that data came from (including 3rd parties), how it’s used, whether or not it’s being sold, and with whom that data is being shared. This will likely be disclosed via privacy policies (that will be updated at minimum once a year) and on-demand via consumer request.
  • Opt-out: the right to refuse a company the ability to sell their personal data to third parties.
  • Right to be forgotten: the right to have a company delete their personal information.
  • No penalties for privacy: the right to receive equal service and pricing from a company, regardless of whether or not they exercise their privacy rights.

The CCPA requires that companies are able to identify what personal data they’re collecting from individuals, define why they’re collecting the data, and disclose how that data is used.

They’ll need to be able to delete or quarantine that information – and in a relatively short amount of time: companies will need to disclose any requested information within 45 days of the original request.

The CCPA underscores that security of consumer data is a priority, requiring companies to “safeguard California consumers’ personal information and holding them accountable if such information is compromised as a result of a security breach arising from the business’s failure to take reasonable steps to protect the security of consumers’ sensitive information.” [1]

How does the California Consumer Privacy Act define personal information?

The CCPA takes a broader definition of what constitutes personal information than many regulations–including the GDPR–which will likely have significant effects on business models from targeted advertising to data brokerage.

Broadly, it’s defined as information that can be used to identify a specific individual.

That includes not only personal identifiers like name, email address, postal address, IP address, license number, etc., but extends to biometric data, browsing history, geolocation, and more. The CCPA even includes any inferences drawn from any of the aforementioned data in the definition of personal information.

Who will be held accountable?

  • For-profit companies that collect California residents’ personal information
  • Companies that do business in the State of California, and:
    • have annual gross revenues in excess of $25 million;
    • or receive or disclose the personal information of 50,000 or more California residents, households or devices on an annual basis;
    • or derive 50 percent or more of their annual revenues from selling California residents’ personal information.

What are the penalties?

Companies that don’t comply may be liable for penalties enforced by the California attorney general: up to $2,500 per violation that isn’t addressed within a 30-day window, and/or up to $7,500 per intentional violation.

Additionally, consumers have a right of action (private claim or class action) if their personal information is compromised in a data breach, no proof of harm necessary.

How does Varonis help with the CCPA?

In order to comply with the CCPA, companies need to be able to identify and discover personal information, fulfill data subject access requests, and protect consumer data:

  • Automatically discover and classify CCPA affected data
    Varonis can automatically discover, identify, and classify CCPA eligible data on-premises and in the cloud, and gives context around that data – so that you can more easily locate personal information, create reports with advanced classification criteria, and remediate security vulnerabilities.
  • Fulfill data subject access requests
    Search for data related to a data subject to fulfill public access requests: Varonis helps you locate relevant files, pinpoint exactly who has access, and enforce policies to move, quarantine, or delete personal information.
  • Protect consumer data
    Varonis protects data first, not last: combining data classification and access governance with UEBA and security analytics. With Varonis, companies can not only identify and monitor consumer data, but track who’s accessing it, spot unusual activity, and report on suspicious behavior on regulated and sensitive data.
  • Build a CCPA security policy to meet compliance
    Varonis helps companies build and enforce a data-centric security policy to help meet compliance, protect sensitive data, and prepare for the CCPA.

Varonis helps companies meet CCPA compliance requirements and build a unified data security strategy to protect consumer data.

Are you ready for the CCPA? Get a 1:1 demo and see how Varonis can help you discover, manage, and protect your CCPA data.

[1] https://www.caprivacy.org/

8 Events That Changed Cybersecurity Forever

“Those who cannot remember the past are condemned to repeat it.” – George Santayana

The first computer virus was created in the early 1970s and was detected on ARPANET, the predecessor to the internet. In 1988 the first computer worm was distributed, gaining mass mainstream media attention. A quarter of a century later and viruses have evolved to become a pandemic. Viruses have proliferated quickly and malware has become more complex.

Cyber attacks happen daily and are constantly evolving. From computer worms to large data breaches, attacks come in all shapes and sizes. In the past quarter century alone, cyber attacks have evolved from tiny hacks created by high-school students to state-sponsored attacks compromising presidential elections.

While threats continue to develop, so does the defense against them. It’s important to remember these past events in order to combat impending attacks. Milestone incidents are what made cybersecurity what it is today – take a look at the top 8 events that changed cybersecurity, and why they (still) matter.

Events That Changed Cybersecurity Forever

Though new cyber attacks appear each day, these top 8 watershed moments had a major impact on security and have led to where we are today. Here are just a few lessons we can learn from cybersecurity history.

  1. Never assume it won’t happen to you: Anyone and everyone is susceptible when it comes to data – whether it’s stored in the cloud or on premises.
  2. Hackers come from all over: Attacks no longer come exclusively from hackers in their parents’ basements. They have evolved geographically, advanced in sophistication, and the number of attacks from overseas has increased drastically.
  3. Insiders are just as dangerous: Vulnerabilities now come from the inside as well. All it takes is one click on a phishing email. Educate your employees on basic cybersecurity terms so that they are able to protect themselves and the company.
  4. Hackers are not going away: With change in technology comes change in crime — and cybercriminals are working harder than ever. It’s important to always be alert and keep up with important trends in order to keep you and your organization as safe as possible.

Unfortunately, the number of cyber attacks is only going to continue to increase, and the impact of those attacks is becoming more significant than ever. It’s important to arm ourselves with what we can: learn from the past and protect your data first, not last.

Uncover your biggest security risks with a data risk assessment – and see how Varonis helps protect your data from the next generation of cyber attacks.

Infographic Sources:
Infosecurity, CSO, Verizon Data Breach Report, Wikipedia, TheGuardian

Varonis DatAlert and IBM QRadar

Varonis now integrates with the IBM QRadar Security Intelligence Platform, with the Varonis App for QRadar.

The Varonis App for QRadar adds context and security analytics to simplify investigations, streamline threat detection, and build more context around security alerts and incidents.

How It Works

You can view Varonis alerts directly in IBM QRadar – and can drill down and investigate alerts in the Varonis Web UI for additional insight, accelerating security investigations.

We correlate Varonis alerts with events collected by IBM QRadar, so that you can visualize potential security breaches, misconfigurations, and at-risk data with additional context and security analytics from Varonis.

In QRadar, simply click on the DatAlert link to investigate a security threat.

From here, you’ll get visibility and a high-level overview not only of alerts over time, but of top alerted users, top alerted devices, top alerted assets, and top alerted threat models – the alerts on suspicious activity or user behavior that have been triggered the most on your core data stores.

Drill down into the DatAlert web UI to investigate suspicious activity and get additional insight and context into what’s going on.

Together, Varonis and IBM QRadar enable customers to enhance their data security, streamline threat detection, and simplify investigations.

Varonis DataPrivilege and RSA® Identity Governance and Lifecycle

We’re thrilled to announce interoperability between Varonis DataPrivilege and RSA® Identity Governance and Lifecycle, with a new Implementation Blueprint.  This Implementation Blueprint will help the business to quickly detect security and compliance access risks and amend access entitlement issues associated with unstructured data.

How it Works

The Varonis Data Security Platform helps prepare enterprise data for RSA Identity Governance and Lifecycle by finding data owners, correcting inconsistent permissions, removing global security groups, and simplifying and maintaining permissions structures.

Companies that implement Varonis DataPrivilege interoperability with RSA Identity Governance and Lifecycle benefit from:

  • Enhanced visibility and control of unstructured file systems directly within RSA Identity Governance and Lifecycle;
  • Meeting access control policies by helping to ensure that users have appropriate access permissions;
  • Reducing attack surfaces and assisting with compliance by limiting access privileges and deactivating stale/orphaned accounts; and
  • Automating attestations, provisioning and de-provisioning of access permissions.

Data Classification Labels: Integrating with Microsoft Information Protection (MIP)

We’re thrilled to announce the beta release of Data Classification Labels: integrating with Microsoft Information Protection (MIP) to enable users to better track and secure sensitive files across enterprise data stores.

By integrating with Microsoft Information Protection, customers will be able to automatically apply classification labels and encrypt files that Varonis has identified as sensitive. Users can manually tag documents, and Varonis will ingest this information to provide additional context around the data.

Data Classification Labels utilizes our sophisticated rule capabilities to target specific data, and leverages our extensive pattern repository to build even more labeling rules.

In addition, Varonis can find mislabeled files that contain sensitive data based on our advanced classification engine and re-apply the correct labels. Varonis customers can analyze existing classification results for labeling, intercept existing labels and apply new ones automatically.

Data Classification Labels uses both Azure and AD RMS encryption to protect incoming and outgoing data.

Want to see it in action? Get in touch with your SE and ask for a tour of Data Classification Labels – and test it out with your own policies.

Benefits Overview:

  • Classify a file based on its MIP label
  • Decrypt and scan the content of MIP encrypted files
  • Automatically apply an MIP label according to the configuration, while skipping any file which was manually labeled
  • Automatically correct (and report on) mislabeled files
  • Automatically perform bulk re-label when a policy is changed
  • Enrich Varonis classification report with classification labels data

Women in Tech: The Anatomy of a Female Cybersecurity Leader

Cybersecurity has a gender gap.

According to the 2017 Women in Cybersecurity study, a joint venture between the Center for Cyber Safety and Education and the Executive Women’s Forum on Information Security, women only make up 11 percent of the total cybersecurity workforce.

In addition to occupying a substantially small space in a massive global industry, the few women who are in cybersecurity hold fewer positions of authority and earn a lower annual salary than their male counterparts, on average.

Many think pieces have mused about the causes of the gender gap in cybersecurity, with theories ranging from industry discrimination to socialization differences. It’s a pipeline problem and a retention problem: while there are now more programs designed to encourage girls to get into tech, it remains a difficult field for young women to enter — and stay in.

With the worldwide deficit of qualified cybersecurity professionals projected to reach 3.5 million by 2021, one thing is clear: Cybersecurity needs more women.

So, what does it take to be a leader in an industry notorious for its lack of gender diversity? In an effort to answer this question, we analyzed the current Fortune 500 list to see which companies have female leaders in their top cybersecurity position, including the chief information security officer (CISO), chief information officer (CIO) or VP of information security. Out of the 500 companies we examined, only 13 percent — or 65 companies — had a woman working as the corporation’s cybersecurity leader in one of these positions.

Who are these 65 women? Check out the full infographic below to learn more about the women leading the way in cybersecurity.

While the gender gap in cybersecurity remains a real issue, these women — and their contributions to the world of cybersecurity — are paving the way for more gender inclusion in the future.

Introducing Varonis Data Security Platform 6.4.100: Varonis Edge, GDPR Threat Models, Geolocation and More

It’s the beginning of a new year, and we have a huge new beta release to share with you.  The beta release of the Varonis Data Security Platform 6.4.100 dropped earlier this month, and I wanted to share a few highlights:

Varonis Edge

We announced Varonis Edge back in November, and we’re excited for you to try it.  After over a decade of protecting core data stores, we’re extending that same data security approach to the perimeter: analyzing devices like DNS, VPN, and Web Proxy to detect attacks like malware, APT intrusion, and exfiltration.  With Edge, you’ll be able to correlate events and alerts from your perimeter with alerts and events about your data.

We’ve added new threat models for these perimeter devices: so that you can stay ahead of security events like brute force attacks, DNS tunneling, credential stuffing, and more.

Classification

By popular demand, we’ve added new classification categories to our Data Classification Engine (formerly Data Classification Framework). We’re shipping four predefined categories out of the box, to more easily identify and discover PII, PHI, PCI, and GDPR data.

GDPR Threat Models

With over 250 unique patterns to identify and classify EU data that will fall under the upcoming General Data Protection Regulation (GDPR), we’re making it easier than ever to see what’s happening to that data once it’s identified.  You’ll not only be able to identify regulated data, but monitor and track when suspicious activity occurs on it with specific GDPR threat models: from abnormal service behavior accessing atypical folders containing GDPR data, to global access groups added to a folder with a significant amount of GDPR data, and more.

Geolocation

Everybody likes a map – and DatAlert now tracks cyberattacks to a specific location, alerting when access to your data is coming from a new or unusual physical location, or geolocation. New threat models track unreasonable geohopping, activity from a blacklisted geolocation, and activity from a new geolocation.

We’ve added maps and geolocation to the DatAlert web interface – so that you can see what’s going on and where at a glance.

Other updates include:

  • HPE 3PAR support
  • Enhancements to DatAlert search functionality: predefined searches, saved searches, and more
  • Improved performance and support for incremental search results
  • Office 365 Azure AD auditing and collection
  • Enhancements to AD authentication events
  • Automation Engine: support for multiple OU selection for new groups/per filer resolution
  • DataPrivilege request-related and owner-related API now supports both Windows and SharePoint
  • Reporting now supports relative mode for all date filters

Want to see it in action? Get a personalized demo and ask about the latest features today.

 

Announcing Varonis Edge – to the Perimeter and Beyond

Email, web, and brute force attacks are the primary ways that malware gets through your defenses.  The Yahoo hacker’s favorite technique? VPN. The Sony hack? Phishing emails.  Remote Access Trojans? DNS.

We’ve spent over a decade working on protecting core data stores – we’re now extending that data security to the perimeter by using telemetry from VPN concentrators and DNS servers to spot signs of attack like DNS tunneling, account hijacking, and stolen VPN credentials. With Varonis Edge – coming soon in beta – you can monitor perimeter attacks and put them in context with activity and alerts in your core data stores for the full picture.

Extend your data security to the edge with enhanced security intelligence and additional threat markers, so that you can alert on external attacks, catch malware in its tracks, and defend your data better from insider threats. Find out more about Varonis Edge here.

Interested? Get a demo and be the first in line to try it.

Introducing Our New DataPrivilege API and a Preview of Our Upcoming GDPR Patterns

GDPR Patterns Preview

We’re less than a year out from EU General Data Protection Regulation (GDPR) becoming law, and hearing that our customers are facing more pressure than ever to get their data security policies ready for the regulation.  To help enterprises quickly meet GDPR, we’re introducing GDPR Patterns with over 150 patterns of specific personal data that falls in the realm of GDPR, starting with patterns for 19 countries currently in the EU (including the UK).

Using the Data Classification Framework as a foundation, GDPR Patterns will enable organizations to discover regulated personal data: from national identification numbers to IBAN to blood type to credit card information. This means that you’ll be able to generate reports on GDPR applicable data: including permissions, open access, and stale data.  These patterns and classifications will help enterprises meet GDPR head on, building out security policy to monitor and alert on GDPR affected data.

Try it today and discover how GDPR Patterns will help prepare you for 2018 and keep your data secure.

IAM & ITSM Integration with DataPrivilege

We’ve been talking a lot lately about unified strategies for data security and management, and the challenge of juggling multiple solutions to meet enterprise security needs.

DataPrivilege puts owners in charge of file shares, SharePoint sites, AD security and distribution groups by automating authorization requests, entitlement reviews and more. DataPrivilege now includes a new API so customers can take advantage of its capabilities by integrating with other technologies in the security ecosystem, like IAM (Identity and Access Management) and ITSM (IT Service Management) Solutions.

Our new DataPrivilege API provides more flexibility for IT and business users so they can unify and customize their user experience and workflows. With the API, you’ll be able to synchronize managed data with your IAM/ITSM solution and return instructions to DataPrivilege to execute and report on requests and access control changes.  You’ll be able to use the integration to externally control DataPrivilege entitlement reviews, self-service access workflows, ownership assignment, and more.

Ask for a demo and see how it works with your current set up.

 

🚨 Massive Ransomware Outbreak: What You Need To Know

Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the NHS to telecom companies to FedEx.

Here’s What We Know So Far

The ransomware appears to be getting in via social engineering and phishing attacks, though vulnerable systems may also be at risk if TCP port 445 is accessible. Unlike most ransomware that encrypts any accessible file from a single infected node, this ransomware also moves laterally via exploit (i.e., EternalBlue) to vulnerable unpatched workstations and servers, and then continues the attack. Unpatched Windows hosts (Vista, 7, 8, 10, Server 2008, 2008 R2, 2012, 2012 R2, and 2016) running SMB v1 are all vulnerable.

Infected hosts are running strains of ransomware, such as Wanna Decrypt0r (more below) that encrypts files and changes their extensions to:

  • .WRNY
  • .WCRY (+ .WCRYT for temp files)
  • .WNCRY (+ .WNCRYT for temp files)

The ransomware also leaves a note in files named @Please_Read_Me@.txt or !Please_Read_Me!.txt, and will display an onscreen warning.
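The file indicators listed above, applied as a signature check over file-activity events (an added example, not Varonis code or part of the original post). Only the extensions and note file names come from the post; the pipe-delimited log format, the sample lines, the set of operations, and the burst threshold are constructed assumptions.

```python
"""Signature check for the ransomware file indicators listed in the post."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PureWindowsPath
from typing import NamedTuple, Optional

# Indicators exactly as listed in the post (compared case-insensitively).
RANSOM_EXTENSIONS = {".wrny", ".wcry", ".wcryt", ".wncry", ".wncryt"}
RANSOM_NOTES = {"@please_read_me@.txt", "!please_read_me!.txt"}

# Assumptions, not from the post: which operations count, and how many
# indicator hits from one user/host inside the window raise a burst alert.
WRITE_OPS = {"create", "rename", "modify"}
BURST_COUNT = 3
BURST_WINDOW = timedelta(seconds=60)

# Constructed sample events, oldest first: timestamp|user|host|operation|path
SAMPLE_LOG = r"""
2017-05-12T09:14:01|CORP\jdoe|WS-0412|rename|\\fs01\finance\q1-forecast.xlsx.WNCRY
2017-05-12T09:14:02|CORP\jdoe|WS-0412|create|\\fs01\finance\budget.docx.WNCRYT
2017-05-12T09:14:03|CORP\jdoe|WS-0412|create|\\fs01\finance\@Please_Read_Me@.txt
2017-05-12T09:14:05|CORP\asmith|WS-0099|modify|\\fs01\hr\handbook.docx
2017-05-12T09:20:00|CORP\asmith|WS-0099|create|\\fs01\hr\notes.WCRY.bak
2017-05-12T11:30:00|CORP\blee|WS-0150|rename|\\fs01\legal\contract.pdf.wcry
malformed line without delimiters
"""


class Event(NamedTuple):
    when: datetime
    user: str
    host: str
    operation: str
    path: str


def match_indicator(path: str) -> Optional[str]:
    """Return 'ransom_note', 'extension', or None for a Windows/UNC path."""
    p = PureWindowsPath(path)
    if p.name.lower() in RANSOM_NOTES:
        return "ransom_note"
    # Only the final extension counts: 'notes.WCRY.bak' is not a match.
    if p.suffix.lower() in RANSOM_EXTENSIONS:
        return "extension"
    return None


def parse_event(line: str) -> Optional[Event]:
    """Parse one log line; return None for blank or malformed lines."""
    parts = line.strip().split("|", 4)
    if len(parts) != 5:
        return None
    try:
        when = datetime.fromisoformat(parts[0])
    except ValueError:
        return None
    return Event(when, *parts[1:])


def detect(log_text: str):
    """Return (hits, bursts) for a time-ordered log.

    hits   -- list of (Event, indicator kind) for every matching write
    bursts -- set of (user, host) with >= BURST_COUNT hits in BURST_WINDOW
    """
    hits = []
    recent = defaultdict(deque)  # (user, host) -> timestamps of recent hits
    bursts = set()
    for line in log_text.splitlines():
        event = parse_event(line)
        if event is None or event.operation not in WRITE_OPS:
            continue
        kind = match_indicator(event.path)
        if kind is None:
            continue
        hits.append((event, kind))
        key = (event.user, event.host)
        window = recent[key]
        window.append(event.when)
        # Drop hits that have aged out of the sliding window.
        while event.when - window[0] > BURST_WINDOW:
            window.popleft()
        if len(window) >= BURST_COUNT:
            bursts.add(key)
    return hits, bursts


if __name__ == "__main__":
    found, burst_sources = detect(SAMPLE_LOG)
    for ev, kind in found:
        print(f"{ev.when.isoformat()} {ev.user}@{ev.host} {kind}: {ev.path}")
    for user, host in sorted(burst_sources):
        print(f"BURST: {user} on {host} - isolate the host and review the account")
```

A single hit, such as the lone `.wcry` rename in the sample, may be a leftover file or a test; the burst from one user and host is the pattern that warrants immediate containment.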

Here’s What You Can Do

MS17-010, released in March, closes a number of holes in Windows SMB Server. These exploits were all exposed in the recent NSA hacking tools leak. Exploit tools such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance (all part of the Fuzzbunch exploit platform) all drop DoublePulsar onto compromised hosts. DoublePulsar was created by the NSA and is basically a malware downloader, which is used as an intermediary for downloading more potent malware executables onto infected hosts.

If you’re an existing DatAlert customer, you can set up office hours with your assigned engineer to review your threat models and alerts. Don’t have DatAlert yet?  Get a demo of our data security platform and see how to detect zero-day attacks.

DatAlert Customers

If you’re a DatAlert Analytics customer, the threat model “Immediate Pattern Detected: user actions resemble ransomware” was designed to detect this and other zero-day variants of ransomware; however, we also strongly recommend that you update the dictionaries used by DatAlert signature-based rules. Instructions for updating your dictionaries are here: https://connect.varonis.com/docs/DOC-2749

If for some reason you can’t access the connect community, here is how to update your dictionaries to include the new extensions for this variant:

Open the DatAdvantage UI > Tools > Dictionaries > Crypto files (Predefined)

Open the DatAdvantage UI > Tools > Dictionaries > Encrypted files (Predefined)

Details

Vulnerabilities

The Malware exploits multiple Windows SMBv1 Remote Code vulnerabilities:

Windows Vista, 7, 8, 10, Server 2008, 2008 R2, 2012, 2012 R2, and 2016 are all vulnerable if not patched and the SMBv1 Windows feature is enabled.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Ransomware strains

WCry / WannaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r

This outbreak is version 2.0 of WCry ransomware, which first appeared in March. Until this outbreak, this ransomware family was barely heard of. Though it is likely spread via phishing and social engineering attacks, if TCP port 445 is exposed on vulnerable Windows machines, they could be exploited using the Fuzzbunch exploit platform.

Other helpful links