Inside Out Security Blog   /  

🚨 Massive Ransomware Outbreak: What You Need To Know

🚨 Massive Ransomware Outbreak: What You Need To Know

Contents

    Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the NHS to telecom companies to FedEx.

    Here’s What We Know So Far

    Ransomware appears to be getting in via social engineering and phishing attacks, though vulnerable systems may also be at risk if TCP port 445 is accessible. Unlike most ransomware that encrypts any accessible file from a single infected node, this ransomware also moves laterally via exploit (i.e., EternalBlue) to vulnerable unpatched workstations and servers, and then continues the attack. Unpatched windows hosts (Vista, 7, 8,10, server 2008, 2008 R2, 2012, 2012 R2, and 2016) running SMB v1 are all vulnerable.

    Infected hosts are running strains of ransomware, such as Wanna Decrypt0r (more below) that encrypts files and changes their extensions to:

    •  .WRNY
    • .WCRY (+ .WCRYT for temp files>
    • .WNCRY (+ .WNCRYT for temp files)

    The Ransomware also leaves a note with files named @Please_Read_Me@.txt, or !Please_Read_Me!.txt, and will display an onscreen warning.

    Here’s What You Can Do

    MS17-010, released in March, closes a number of holes in Windows SMB Server. These exploits were all exposed in the recent NSA hacking tools leak. Exploit tools such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance (all part of the Fuzzbunch exploit platform) all drop DoublePulsar onto compromised hosts. DoublePulsar was created by the NSA and is basically a malware downloader, which is used as an intermediary for downloading more potent malware executables onto infected hosts.

    If you’re an existing DatAlert customer, you can set up office hours with your assigned engineer to review your threat models and alerts. Don’t have DatAlert yet?  Get a demo of our data security platform and see how to detect zero-day attacks.

    DatAlert Customers

    If you’re a DatAlert Analytics customer, the threat model “Immediate Pattern Detected: user actions resemble ransomware” was designed to detect this and other zero-day variants of ransomware; however, we also strongly recommend that you update the dictionaries used by DatAlert signature-based rules. Instructions for updating your dictionaries are here: https://connect.varonis.com/docs/DOC-2749

    If for some reason you can’t access the connect community, here is how to update your dictionaries to include the new extensions for this variant:

    Open the DatAdvantage UI > Tools > Dictionaries > Crypto files (Predefined)

    Open the DatAdvantage UI > Tools > Dictionaries > Encrypted files (Predefined)

    Details

    Vulnerabilities

    The Malware exploits multiple Windows SMBv1 Remote Code vulnerabilities:

    Windows Vista, 7, 8,10, server 2008, 2008 R2, 2012, 2012 R2, 2016 are all vulnerable if not patched and SMBv1 Windows Features is enabled.

    https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

    Ransomware strains

    WCry / WannaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r

    This outbreak is version 2.0 of WCry ransomware which first appeared in March. Until this outbreak, this ransomware family was barely heard of. Though likely spread via phishing and social engineering attacks, if tcp port 445 is exposed on vulnerable windows machines, that could be exploited using the Fuzzbunch exploit platform.

    Other helpful links

     

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    We're Varonis.

    We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.

    How it works