Category Archives: Data Security

Lessons from WannaCry: Varonis on CNBC’s Nightly Business Report

Lessons from WannaCry: Varonis on CNBC’s Nightly Business Report

Last night, Varonis’ Brian Vecci, Technical Evangelist, sat down with Andrea Day of CNBC’s Nightly Business Report to discuss the recent WannaCry outbreak, where it goes from here and lessons to be learned. You can watch the full clip here.

“We’re playing catch up because of how much data and how much complexity and how blind we’ve been to these kinds of attacks.”

  • What’s the latest on the attack: We know how to prevent WannaCry right now, but it’s the canary in the coal mine – it’s showing everyone just how critical file security is and how much damage can be done.
  • Lessons for health care industry: It’s not just patient records or other regulated data that can cause problems – it’s all files. Basic security best practices would have made a big difference: patching systems that store files, making sure they’re not open to everyone, and close monitoring so you know when something goes wrong.
  • Can other industries be affected? Absolutely – everyone has files, and what we’re seeing with WannaCry is that it’s not just the regulated data that industries like finance and healthcare need to worry about, it’s everything. If holding files hostage can stop a hospital from working, the same thing can happen to a bank, a law firm, a police network or a power plant, or anyone else.
  • How companies can protect themselves: Start with the basics – keep your systems up to date and patched. Make sure files aren’t open to everyone, and monitor everything so you know when something goes wrong.

Read more about the WannaCry outbreak, its evolution and what you need to know in this blog post (with a list of additional helpful links).

[Podcast] Our Post WannaCry World

[Podcast] Our Post WannaCry World

After WannaCry, US lawmakers introduced the Protecting Our Ability to Counter Hacking Act of 2017, or PATCH Act. If the bill gets passed, it would create a Vulnerabilities Equities Process Review Board where they would decide if a vulnerability, known by the government, would be disclosed to a non-government entity. It won’t be an easy law to iron out as they’ll need to find the right balance between vulnerability disclosure and national security.

Meanwhile Shadow Brokers, the hacking group that leaked the SMBv1 exploit that led to WannaCry, announced that they would create a subscription-based business that would give paying members a monthly data dump of zero-days and exploits.

Grounded in our post WannaCry world, the Inside Out Security Show panelists – Mike Thompson and Kilian Englert – mulled over a popular philosophical keynote by Cory Doctorow, The Coming War on General Purpose Computing.

We closed out the show by discussing another potentially deadly attack, Adylkuzz and whether not they’d prefer an attack like ransomware that notifies them or a cryptocurrency miner that consumes resources from their system and they wouldn’t even know it.

Subscribe Now

- Leave a review for our podcast & we'll put you in the running for a pack of cards

- Follow the Inside Out Security Show panel on Twitter @infosec_podcast

- Add us to your favorite podcasting app:

Is a ransomware attack a data breach?

Is a ransomware attack a data breach?

Ransomware is a loss of control

Most IT people equate exfiltration of data from their network as the point at which control is lost and a data breach has occurred. They think of it like “where are the bits” and if your user database is being passed around the internet via bittorrent and sold off for a .0001 BTC an account you clearly have lost control.

What’s not so obvious is that ransomware (or any form of malware infection) represents a loss of control of the data within your network and that constitutes a data breach.

The proper way to consider it is if a malicious person wandered into your office, walked past the receptionist and security guard, got on the elevator down to the basement, unlocked the door to the server room, logged into your main file server with some stolen admin credentials, encrypted 10,000 random files that your users rely upon for their work and then walked out.

If someone were to perpetrate the above physical attack on your facility it would clearly represent a loss of data control. However, too many sysadmins wrongly consider a ransomware attack as purely internal and not a data breach.

A good conceptual way to think about it as a breach of your control systems, not a breach of the network itself.

Most of the per state data breach response guidelines clearly are modeled after HIPAA regulations which explicitly classify ransomware as a data breach:

The presence of ransomware (or any malware) on a covered entity’s or business associate’s computer systems is a security incident under the HIPAA Security Rule. A security incident is defined as the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.


A ransomware attack is a data breach and organizations should treat it as such.

EternalRocks leaves backdoor trojan for remote access to infected machines

EternalRocks leaves backdoor trojan for remote access to infected machines

What we know so far

The WannaCry ransomware worm outbreak from last Friday week used just one of the leaked NSA exploit tools, ETERNALBLUE, which exploits vulnerabilities in the SMBv1 file sharing protocol.

On Wednesday security researcher Miroslav Stampar, member of the Croatian Government CERT, who created infamous sqlmap (SQL injection pentesting tool), detected a new self-replicating worm which also spreads via several SMB vulnerabilities. This worm, dubbed EternalRocks uses seven leaked NSA hacking tools to infect a computer via SMB ports exposed online.

Unlike WannaCry, EternalRocks has no kill switch to stop the code from executing. It uses some files with the same names as WannaCry to try to fool security researchers into thinking it is WannaCry.

EternalRocks analysis

  • Spreads via SMB ports exposed online
  • SMB reconnaissance tools SMBTOUCH and/or ARCHITOUCH are used to scan for open SMB ports on the public internet
  •  If open ports are found then one of 4 SMB exploit tools, which target different vulnerabilities in the Microsoft SMB file sharing protocol, are used to get inside the network:
    • ETERNALBLUE (SMBv1 exploit tool)
    • ETERNALCHAMPION (SMBv2 exploit tool)
    • ETERNALROMANCE (SMBv1 exploit tool)
    • ETERNALSYNERGY (SMBv3 exploit tool)
  • Once inside EternalRocks downloads the Tor web browser, which supposedly*allows you to browse the web anonymously and access sites hosted on the Dark Web which cannot be accessed from normal web browsers like Chrome, IE, or Firefox.
  • Downloads .net components which will be used later
  • Tor connects to a C&C server on the Dark Web
  • After a delay, currently set to 24 hours, the C&C server responds and an archive containing the 7 SMB exploits are downloaded. This delay is likely to avoid sandboxing techniques
  • Next the worm scans the internet for open SMB ports – to spread the infection to other organizations.

*It is questionable just how anonymous Tor really is considering that almost everyone involved in developing Tor was funded by the US Government.

The Good News

EternalRocks does not appear to have been weaponized (yet). No malicious payload – like ransomware – is unleashed after infecting a computer.

The Bad News

Even if SMB patches are retroactively applied machines infected by the EternalRocks worm are left remotely accessible via the DOUBLEPULSAR backdoor trojan. The DOUBLEPULSAR (backdoor trojan) installation left behind by EternalRocks is wide open. Whether on purpose or not the result is that other hackers could use DOUBLEPULSAR to access machines infected by EternalRocks.

What you should do

Block external access to SMB ports on the public internet\

  • Patch all SMB vulnerabilities
  • Block access to C&C servers (ubgdgno5eswkhmpy.onion) and block access to while you are at it
  • Monitor for any newly added scheduled tasks
  • A DOUBLEPULSAR detection script is available on Github
  • Make sure DatAlert Analytics is up to date monitoring your organization for insider threats

For detailed information on EternalRocks check out the repository setup by Stampar a few days ago on GitHub.


Discover Sensitive Data with a Data Risk Assessment

Discover Sensitive Data with a Data Risk Assessment

In our recent 2017 Data Risk Report, we discovered that 47% of organizations had at least 1,000 sensitive files open to every employee.

Our latest video shows what a data risk assessment is, why it matters, and how it works.  Check out a sample data risk assessment for a sneak peak of what you might find.

A Varonis Data Risk Assessment doesn’t take long – a 90-minute software install lets you map access to your data and directory services, classify files to discover what’s sensitive, and start monitoring and analyzing user behavior.

Want to see what’s hiding in your data? Click here to get your own (free) risk assessment.


Adylkuzz: How WannaCry Ransomware Attack Alerted The World To Even Worse Th...

Image: Canadian Institute of Mining, CC-BY

Your garden variety ransomware, like Cerber, is the canary in the coal mine that rudely, but thankfully announces bigger security issues: insider threats and cyberattacks that take advantage of too much employee access to files. As disruptive as WannaCry has been to vulnerable organizations, this is their canary in the coal mine moment that should alert them to more deadly attacks that don’t announce their presence, like the cryptocurrency miner Adylkuzz.

Researchers at Proofpoint have identified an attack that is larger and sneakier than WannaCry, and one that may have slowed WannaCry’s spread. Adylkuzz is a malware that uses the same exploits designed by the NSA and utilized in the WannaCry attack, but instead of announcing itself, it quietly installs a hidden program to mine for cryptocurrency that the attackers can then use. Even more interesting, Adylkuzz then blocks the SMB port to avoid further infection, such as a WannaCry infection.

Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.

Adylkuzz has over 20 hosts designed to scan and launch attacks, and more than a dozen command and control (C&C) servers at any given time. Within 20 minutes of connecting a test computer with the known vulnerability to the Internet, it was infected with Adylkuzz.

In this instance, instead of your files being held hostage, your processing power is drained and you’re out a few thousand Moneros.  But none of this compares to the hacker who decides to play the long game with DoublePulsar and EternalBlue and stealthily survey and exfiltrate all the health records, student records, intellectual property and incriminating emails they can get their hands on.

WannaCry changed the world and proved that the bad guys will find their way past any perimeter security.  Defense-in-depth should be on your mind. The value of information and the systems that store it is clear – very few organizations can function when their data is inaccessible – no one can function when their data is stolen and their organizational reputation destroyed. If you don’t address the vulnerabilities surrounding your data and your systems you will lose. Obviously you need to patch, but you can’t stop there – you need to continually question your layers of defense: What if a user’s account or system gets compromised? What data can that account access? How would I see abuse? What would it mean if this data was lost or stolen?

No one can prepare for every possible scenario, but organizations need to raise their game. If an organization is patched, restricts employee access to data and systems, and monitors and alerts on unusual activity, they should be in reasonably good shape to withstand this and other attacks.

Varonis stops ransomware by, 1) reducing what normal employee accounts can access (pruning privileges they don’t need), 2) watching how users use data to spot attacks like ransomware in progress, and 3) automatically locking out offending accounts.

Learn how we’re helping out customers spot and stop ransomware and other insider threats:

Image: Canadian Institute of Mining, CC-BY

[Podcast] Pick Up Music, Pick Up Technology

[Podcast] Pick Up Music, Pick Up Technology

Last week, when the world experienced the largest ransomware outbreak in history, it also reminded me of our cybersecurity workforce shortage. When events like WannaCry happen, we can never have too many security heroes!

There was an idea floating around that suggested individuals with a music background might have a promising future in security. The thinking is: if you can pick up music, you can also pick up technology.

The Inside Out Security panelists – Mike Thompson, Forrest Template and Mike Buckbee – are in agreement. Their sentiments expanded to all artists and added that creative thinking along with attention to detail can go a long way.

Other articles discussed:

  • Intel Warns of Active Management Technology Vulnerability
  • Besides Netflix’s Orange is the New Black threat, hackers also helped ourselves to copies of titles from other companies
  • IoT companies keep building devices with security flaws
  • What nuclear security officers (and infosec pros) can learn from casino managers
  • IBM sends USBs with malware to customers

Tool of the week: Pi hole

Subscribe Now

- Leave a review for our podcast & we'll put you in the running for a pack of cards

- Follow the Inside Out Security Show panel on Twitter @infosec_podcast

- Add us to your favorite podcasting app:

How to use PowerShell for WannaCry / WannaCrypt cleanup and prevention

How to use PowerShell for WannaCry / WannaCrypt cleanup and prevention

Explosive ransomware infection rates of WannaCrypt/WannaCry have IT groups trying to mass diagnose, update and protect their machines. Thing is, that’s just not practical to do manually – for pretty much any but the smallest of organizations.

While there are a number of different PowerShell scripts that have been open sourced in the last three days to automate this (we link to the best one below), it’s quite likely that they won’t necessarily cover exactly what you need them to do on your network.

Further, it’s guaranteed that there will be multiple variants, mutations and other forms of Wannacrypt that will continue to appear in the coming months. Being able to build your own script or to tweak one to your needs may be essential in keeping your network secure.

To help, we’ve collected all of the different Powershell utilities needed to help with WannaCrypt / WannaCry:

  • Use PowerShell to check if a particular Hotfix is installed
  • How to import TCP/IP functionality into your script to check which ports are open or closed (such as SMBv1’s port 445)
  • How to check if a domain resolves properly with PowerShell (like the Wannacrypt killswitch domain)
  • How to disable SMBv1 functionality with Powershell

First: use the following script from Github User Kiernanwalsh to check for missing patches. The script is a collective effort as multiple members of the community are submitting missing KBs, and offering suggestions.

How to use PowerShell to check if a hotfix is installed

Get-Hotfix tests the local machine (by default) or a remote workstation or server for the presence of a specified hotfix (referenced by it’s KB designation).

For reference, the KB’s per operating system to patch MS17-010 are:

Windows Server 2008


Windows Server 2012

KB4012217, KB4015551, KB4019216

Windows Server 2012 R2

KB4012216, KB4015550, KB4019215

Windows Server 2016

KB4013429, KB4019472, KB4015217, KB4015438, KB4016635


The examples below check for KB4012212 which is the Windows Server 2008 patch for MS17-010.


get-hotfix -id KB4012212


get-hotfix -id KB4012212 -computername <remote-computer-name>

PowerShell Port Checking

Use the Test-NetConnection cmdlet to test if a port is open on a remote computer. In the example below, we’re testing if 445 (command and control port for Wannacrypt) is open on the local interface.

Test-NetConnection -ComputerName -Port 445

Several important things to note:

  • The port being closed doesn’t prevent the infection of that machine, just prevents infecting other hosts.
  • Test-NetConnection doesn’t default to the local machine – but to a designated test server run by Microsoft. You MUST specify the `-ComputerName` parameter.

Testing if a domain resolves with PowerShell

The first version of Wannacrypt/WannaCry contained a killswitch which shut it down if the script was able to successfully connect to a previously unregistered domain.

A security researcher registered the domain and was able to stop a large number of the infected machines from spreading further.

Even after the domain was registered, however, many networks were unable to connect due to outbound filtering, DNS caching issues, or other network restrictions.

To test if a machine is properly resolving a domain use the Resolve-DnsName cmdlet:


How to disable SMBv1 with PowerShell

As of right now, having SMBv1 enabled is the key exploitable aspect of pre Windows 10 machines. While you should still endeavor to install the appropriate patch to handle MS-17-010, disabling SMBv1 immediately can help prevent infection.

On Windows 8 and Windows Server 2012

Set-SmbServerConfiguration -EnableSMB1Protocol $false

Will take effect immediately, no restart required.

On Windows 7, Windows Server 2008 R2, Windows Vista, and Windows Server 2008

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" SMB1 -Type DWORD -Value 0 -Force

This will require a restart to take effect.


WannaCrypt is a mess for everyone involved. But! The cleanup is a great place to polish your PowerShell skills and make process and infrastructure investments to prevent issues in the future.

Why did last Friday’s ransomware infection spread globally so fast?

Why did last Friday’s ransomware infection spread globally so fast?

Quick ransomware background

Ransomware is a type of malware that encrypts your data and asks for you to pay a ransom to restore access to your files. Cyber criminals usually request that the ransom be paid in Bitcoins: the #1 cryptocurrency (basically a distributed ledger) which can be used to buy and sell goods. By nature, Bitcoin transactions (e.g. ransom payments) are very difficult to trace.

Historically, most ransomware infections use the attack vector – how they get in – of social engineering (like clickbait from a social media platform – think cute kitty pics on Facebook or Twitter) or email phishing campaigns, which contain attachments or links to a website. The end result is that a malicious payload gets a foothold on a machine inside a corporate network. Unfortunately, all of those next generation perimeter defenses that organizations spend good money on are not that difficult to bypass in order to get inside.

Once inside, most ransomware will scan the internal network to see which servers host file shares, attempts to connect to each share, encrypt its contents, and then demand a ransom be paid to regain access to the now encrypted files. End users can usually access way more data than they should be able to: either through wide open permissions or by accumulating permissions over the course of their employment at their company. Think for a minute just often you’ve stumbled across a folder or files which you know you shouldn’t be able to access. Access controls are out of control. In this case, IT is typically blind because of the sheer complexity of file system permissions.

Good to know, but what was different last week?

Without going too much into the technical details, I can tell you that the code behind the biggest ransomware outbreak in history isn’t actually all that special. It’s a type of cryptoworm: a self-propagating malicious form of malware. That means that once it gets a foothold, it can spread autonomously without the need for someone to remote control it.

Normally, ransomware targets unstructured data hosted on file shares – this ransomware, however, did not discriminate.

In April, several hacking tools created by the NSA were leaked online. These hacking tools exploit vulnerabilities in hardware and software so that they can hack into or move laterally around a computer network.

WannaCry ransomware (also known as WCry / WanaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r) – the type responsible for last Friday’s attack – went a few steps further: once it got onto even a single machine within a corporate network, it did the following:

  • Looped through any open RDP (Remote Desktop) sessions, to encrypt data on the remote machine
  • Sought out any vulnerable* Windows machines – endpoints (laptops/desktops/tablets) and servers using Microsoft vulnerabilities
  • Used the traditional approach of going after file shares directly from the endpoint

*The particular vulnerability that made the difference last week was in the Microsoft SMBv1 file sharing protocol, which was used to hop from machine to machine encrypting data – like a spider web effect. Most internal servers are separated on internal networks so that end users can’t access them. The cryptoworm would need to hit just one internal server (e.g. a file server) and from there it would target whatever vulnerable servers that file server can access. This allowed it to quickly traverse entire networks, effectively crippling many of them. Like many cryptoworms, it’s self-propagating and so replicates itself and searches out to other vulnerable hosts/computer networks worldwide.

The truth is that the worldwide infection could have been much worse if not for the quick thinking of a security researcher. @MalwareTechBlog spotted that the malware code was connecting out to a nonsensical domain, which was not registered. This call out was hard-coded in case the creator wanted to stop it and likely also to help avoid IDS/IPS sandboxing techniques. If the request comes back showing that the domain is live, the “kill switch” kicks in to stop the malicious part of the code from executing – effectively stopping the malware in its tracks. @MalwareTechBlog, acting on a hunch, registered the domain name and was immediately registering thousands of connections every second. The result was that he stopped what could have been a much wider spread infection.

The bad news is that new versions of the code are already in development:

Lessons Learned

Microsoft released a patch (software code update to fix vulnerabilities) for this particular SMBv1 vulnerability back in March. The sad truth of the matter is that proper vulnerability patch management processes would mean that most organizations would not have been so badly affected.

That’s not to say that vulnerability patch management processes are enough coverage for ransomware. Nor are backups, since some ransomware will hide in your backups so that after you restore files they will simply attack again.

There is no one stop shop for stopping ransomware infections or any cyber security threat for that matter. Security is all about risk reduction – and requires a layered approach with controls in place at each layer while leveraging solutions to automate processes wherever possible. If any organization says that they’re 100% safe from cyber-attacks, then they’re either delusional or telling you porky pies!

WannaCry’s Accidental Hero

WannaCry’s Accidental Hero

Quick update on the massive #WannaCry cyber attack. Before I begin, this is going to SOUND like good news, and it is, but please realize that the propagation of this malware can be restarted VERY easily, so please follow the instructions we laid out here to patch.

Apparently there was a kill switch built into the malware. It attempts a HTTP GET on iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea[.]com. If the request succeeds, it stops propagating, as noted by Talos Intellgience:

Earlier today, @MalwareTechBlog observed the traffic to the fake domain, registered it, and sinkholed it, thus stopping the bleeding in a major way. Funny enough, he didn’t realize the domain check kill switch existed. It was sort of dumb luck:

There you have it. @MalwareTechBlog: #WannaCry’s accidental hero.

UPDATE: As Didier Stevens points out, the kill switch is NOT proxy aware. Won’t work for companies that have a proxy.

🚨 Massive Ransomware Outbreak: What You Need To Know

🚨 Massive Ransomware Outbreak: What You Need To Know

Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the NHS to telecom companies to FedEx.

Here’s What We Know So Far

Ransomware appears to be getting in via social engineering and phishing attacks, though vulnerable systems may also be at risk if TCP port 445 is accessible. Unlike most ransomware that encrypts any accessible file from a single infected node, this ransomware also moves laterally via exploit (i.e., EternalBlue) to vulnerable unpatched workstations and servers, and then continues the attack. Unpatched windows hosts (Vista, 7, 8,10, server 2008, 2008 R2, 2012, 2012 R2, and 2016) running SMB v1 are all vulnerable.

Infected hosts are running strains of ransomware, such as Wanna Decrypt0r (more below) that encrypts files and changes their extensions to:

  •  .WRNY
  • .WCRY (+ .WCRYT for temp files>
  • .WNCRY (+ .WNCRYT for temp files)

The Ransomware also leaves a note with files named @Please_Read_Me@.txt, or !Please_Read_Me!.txt, and will display an onscreen warning.

Here’s What You Can Do

MS17-010, released in March, closes a number of holes in Windows SMB Server. These exploits were all exposed in the recent NSA hacking tools leak. Exploit tools such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance (all part of the Fuzzbunch exploit platform) all drop DoublePulsar onto compromised hosts. DoublePulsar was created by the NSA and is basically a malware downloader, which is used as an intermediary for downloading more potent malware executables onto infected hosts.

If you’re an existing DatAlert customer, you can set up office hours with your assigned engineer to review your threat models and alerts. Don’t have DatAlert yet?  Get a demo of our data security platform and see how to detect zero-day attacks.

DatAlert Customers

If you’re a DatAlert Analytics customer, the threat model “Immediate Pattern Detected: user actions resemble ransomware” was designed to detect this and other zero-day variants of ransomware; however, we also strongly recommend that you update the dictionaries used by DatAlert signature-based rules. Instructions for updating your dictionaries are here:

If for some reason you can’t access the connect community, here is how to update your dictionaries to include the new extensions for this variant:

Open the DatAdvantage UI > Tools > Dictionaries > Crypto files (Predefined)

Open the DatAdvantage UI > Tools > Dictionaries > Encrypted files (Predefined)



The Malware exploits multiple Windows SMBv1 Remote Code vulnerabilities:

Windows Vista, 7, 8,10, server 2008, 2008 R2, 2012, 2012 R2, 2016 are all vulnerable if not patched and SMBv1 Windows Features is enabled.

Ransomware strains

WCry / WannaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r

This outbreak is version 2.0 of WCry ransomware which first appeared in March. Until this outbreak, this ransomware family was barely heard of. Though likely spread via phishing and social engineering attacks, if tcp port 445 is exposed on vulnerable windows machines, that could be exploited using the Fuzzbunch exploit platform.

Other helpful links