Everyone has something to write about ransomware. One can not open a mobile device or a news site without getting notification about some new ransomware-related content. There’s a good reason: The recent events, media attention and to a certain degree, the public’s panic around the WannaCry ransomware attack are driving a lot of interest and even increase the valuation of public security companies. There’s no need to use FUD when the news is worse than any scenario.
At GuardiCore we write a lot about ransomware. We have published more than 10 ransomware related stories during the past two years.
In July 2015, GuardiCore’s Misha Yaverbaum predicted that the future of ransomware includes “a significant threat to enterprises”….and that “ransomware will take control over large data centers”. Later, yours truly (that’s me) wrote about ransomware attacks that are able to shut down the network and data centers, “forcing the hospital to return to pen and paper for its record-keeping”.
Besides taking credit for identifying a problem earlier than others and developing a great solution to protect against it, the recent attack, whether launched by North Korea, or someone else, will be remembered as the last straw that changed the way security practitioners think about internal security behind the perimeter.
This attack was special since it relied less on phishing emails for the initial infection than other attacks. The ‘phishing’ emails should not be blamed at all. Once a certain number of infections was established, the worm was able to use the Microsoft vulnerability to propagate without additional “help”. In some cases, we believe that organizations were infected over open SMB ports directly, without any attempt to send email. Once a windows machine was infected, it took minutes until the entire data center was owned. Similar to the way the GuardiCore Infection Monkey spreads.
GuardiCore Labs reports clear patterns of increased SMB traffic before and during the campaign.
The bottom line: it is not enough to cover the perimeter. One must ensure that he has a way to detect similar attacks, prevent and even mitigate in case of infection in one area of the network. GuardiCore Centra can leverage both its deception and visibility capabilities to detect a vulnerable machine, an already infected machine or malware attempts to propagate across the data center. Having said that, priority should be given to patch machines against the MS17-010 vulnerability. This problem is so severe that that Microsoft has exceptionally published patches for both supported and unsupported operating systems.
The malware communicates with its C&C servers over Tor. Using GuardiCore Reveal one can check whether your network was hit by searching for outgoing connections to internet destinations over TCP port 9001 or 9030. If one infected machine was discovered, you probably want to detect all the machines that were accessed by the infected machine over SMB. Using GuardiCore Reveal, this task will be completed within seconds. Reveal will also allow you to see all data center servers that received SMB connections from the internet. Until these machines are patched you must block any incoming SMB connections to them.
Ransomware incident as seen in GuariCore Centra
As part of the malware’s operation it scans for additional infection targets. In this case, a GuardiCore deception server will be able to cause the malware to try to infect a deception machine. This will trigger an immediate alarm and provide the intelligence required to stop the malware.
Mitigation can be performed in multiple ways including pausing the infected machine, creating a VM snapshot, disconnecting network cards and executing a script that runs on management. What you select on this page appears on the Recommended Actions section of of the incident.