Ransomware Update

23/05/2017 22:25

The SonicWALL Capture ATP Round-up

Each month Just Firewalls takes a look into what has been happening across the SonicWALL network.


Each month, Just Firewalls updates its readers on the latest in ransomware and the cyber-criminal world, drawing on the findings of the Capture ATP sandbox. Last month we looked at Cerber (link: www.justfirewalls.com/news/cerver-vs-locky/), which has been turning up more frequently in the SonicWALL ATP sandbox.


This month we are looking at WannaCry, the ransomware that recently hit organisations in over 100 countries, including the UK, where it disrupted large parts of the NHS.


The malware was built for maximum impact by combining a ransomware Trojan with a worm. The worm spreads using EternalBlue, an exploit for a flaw in Microsoft's SMBv1 file-sharing protocol which is widely reported to have originally been developed by the USA's National Security Agency. It attacks Windows systems that have not been patched against the flaw (Microsoft fixed it in March 2017 under bulletin MS17-010), and end-of-life versions such as Windows XP and Server 2003 had no patch at all until Microsoft issued an emergency update during the outbreak.


The attack works like a minefield, hiding in many different forms of communication. The ransomware has been reported arriving as a Trojan behind hyperlinks in email, adverts, web pages and even Dropbox links. Once the worm component is running on one machine, however, it needs no user interaction at all: it scans for other hosts with SMB exposed on TCP port 445 and infects them directly, which is why it spread so quickly inside networks. Once activated, the program encrypts the victim's files using strong, standard cryptography (each file is encrypted with its own AES key, and those keys are in turn encrypted with RSA so that only the attackers can unlock them), so the data cannot be recovered without the attackers' private key.


The exploit was published by the group calling itself the Shadow Brokers in April 2017, a month after Microsoft had patched the flaw, and whoever built WannaCry wasted no time in weaponising it against Windows systems that had not yet applied the fix.


SonicWALL has been quick to react since WannaCry was found in the wild. On 12 May, SonicWALL's Capture Labs released six new signatures to block all known versions of the ransomware. The first version had a kill switch (a domain the malware checks before running; registering that domain is what halted the initial outbreak), but the threat has since evolved into more dangerous variants without such a switch.


Even without these new signatures, SonicWALL security services already protected against many components of the code.


Well before the first public attack, SonicWALL already had this threat on its radar: by analysing the EternalBlue exploit, it had rolled out protection across SonicWALL firewall customers.


How to prevent infection


They say prevention is better than a cure. In the case of WannaCry it’s essential.


There is no reliable way to recover files WannaCry has encrypted, so the only way to keep your files safe is not to let it into your system in the first place. Whilst SonicWALL customers with current signatures are protected at the perimeter, anyone running older or less secure security appliances needs to be extra vigilant. Whatever firewall you have, the worm component is stopped by patching Windows against MS17-010, disabling SMBv1 wherever it is not needed, blocking TCP port 445 at the network edge, and keeping offline backups so that an infection is an inconvenience rather than a disaster.
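WannaCry's worm component only reaches hosts that still speak SMBv1 on TCP port 445, so the most useful check an administrator can run is to find out which of their own machines still accept an SMBv1 negotiation. The probe below is an added example written for this page (it is not Just Firewalls' or SonicWALL's code). It sends a bare SMBv1 NEGOTIATE request that offers only the classic NT LM 0.12 dialect and classifies the answer: a server that selects the dialect has SMBv1 enabled, a server that replies with an SMB2 header or drops the connection does not. The host name, port and sample response bytes are assumptions constructed for the example; note that "SMBv1 enabled" does not by itself mean "unpatched", but a host that refuses SMBv1 has no EternalBlue attack surface at all.

```python
"""Probe a host for SMBv1 support (the protocol WannaCry's worm abuses).

Added example, not the page's own tooling. Sends a minimal SMBv1 NEGOTIATE
request offering only "NT LM 0.12" and reports whether the server accepts it.
"""
import socket
import struct

SMB1_MAGIC = b"\xffSMB"          # SMBv1 header signature
SMB2_MAGIC = b"\xfeSMB"          # SMB2/3 header signature
SMB_COM_NEGOTIATE = 0x72


def build_negotiate_request(dialects=(b"NT LM 0.12",)):
    """Return a NetBIOS-framed SMBv1 NEGOTIATE request offering only `dialects`.

    Omitting "SMB 2.002" from the list forces an SMBv1-capable server to pick
    the SMBv1 dialect and an SMBv1-disabled server to refuse or drop us.
    """
    hdr = SMB1_MAGIC
    # Command, NTSTATUS, Flags (0x18), Flags2 (unicode + long names + NT status)
    hdr += struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, 0x18, 0xC853)
    # PIDHigh, SecurityFeatures, Reserved, TID, PIDLow, UID, MID
    hdr += struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
    assert len(hdr) == 32
    dialect_buf = b"".join(b"\x02" + d + b"\x00" for d in dialects)
    body = struct.pack("<BH", 0, len(dialect_buf)) + dialect_buf  # WordCount=0, ByteCount
    smb = hdr + body
    return b"\x00" + struct.pack(">I", len(smb))[1:] + smb  # NetBIOS session header


def classify_negotiate_response(payload):
    """Classify an SMB reply (NetBIOS header already stripped).

    Returns "smb1" (SMBv1 enabled), "smb2-only" or "no-smb1".
    """
    if payload.startswith(SMB2_MAGIC):
        return "smb2-only"
    if not payload.startswith(SMB1_MAGIC) or len(payload) < 35:
        return "no-smb1"
    status = struct.unpack_from("<I", payload, 5)[0]
    word_count = payload[32]
    if status != 0 or word_count == 0:
        return "no-smb1"                       # error reply, no parameter words
    dialect_index = struct.unpack_from("<H", payload, 33)[0]
    return "smb1" if dialect_index != 0xFFFF else "no-smb1"   # 0xFFFF = none accepted


def probe(host, port=445, timeout=3.0):
    """Connect, send the request and classify the reply ("unreachable" on error)."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            s.sendall(build_negotiate_request())
            resp = s.recv(4096)
    except OSError:
        return "unreachable"
    if len(resp) < 4 or resp[0] != 0:        # not a NetBIOS session message
        return "no-smb1"
    return classify_negotiate_response(resp[4:])


# Constructed sample replies for offline checking (not captured from a real host).
_SMB1_HDR = SMB1_MAGIC + struct.pack("<BIBH", SMB_COM_NEGOTIATE, 0, 0x98, 0xC853) \
    + struct.pack("<H8sHHHHH", 0, b"\x00" * 8, 0, 0, 0xFEFF, 0, 0)
SAMPLE_SMB1_ACCEPT = _SMB1_HDR + b"\x11" + struct.pack("<H", 0) + b"\x00" * 32   # WordCount 17, index 0
SAMPLE_SMB1_REJECT = _SMB1_HDR + b"\x01" + struct.pack("<H", 0xFFFF) + b"\x00\x00"  # no dialect accepted
SAMPLE_SMB2 = SMB2_MAGIC + b"\x00" * 60

if __name__ == "__main__":
    import sys
    for target in sys.argv[1:] or ["192.0.2.10"]:   # assumed/placeholder host
        print(target, probe(target))
```

Run it against a list of internal hosts; anything reporting "smb1" is either a candidate for disabling SMBv1 or, at minimum, a host whose MS17-010 status must be confirmed.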


It’s not breaking news that phishing emails are the most common delivery mechanism for ransomware, so treating every email, link and attachment as a potential threat is the way to go. Always check that an email really comes from the exact address you expect it to come from.


Attackers are clever in the way they create look-alike email addresses, sometimes just a letter or two out, so the receiver thinks it’s a trusted colleague or supplier.


Malicious links are very often passed over email. The best way to check a link is, firstly, to make sure it comes from a reputable sender, then to hover the cursor over the link (without clicking). This displays the real destination of the hyperlink. If the website is something you don’t recognise, or is spelt slightly wrong, don’t follow the link; instead contact the sender in a separate email thread to confirm.
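The two manual checks above (is the sender's domain a letter or two away from one you trust, and does the visible link text match where the link really goes?) can be automated for a mailbox or a mail gateway. The script below is an added example written for this page, not Just Firewalls' or SonicWALL's code. The allowlist of known sender domains, the sample HTML email and the look-alike addresses in it are all constructed for the example; the edit-distance threshold of two is an assumption that matches the "a letter or two out" description.

```python
"""Automated versions of two phishing checks: look-alike sender domains and
links whose visible text names a different host than the real href.

Added example; the allowlist and sample message are constructed, not real."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlist of domains this organisation expects mail from.
KNOWN_SENDER_DOMAINS = {"justfirewalls.com", "sonicwall.com"}


def edit_distance(a, b):
    """Levenshtein distance: how many single-character edits turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain_verdict(address, known=KNOWN_SENDER_DOMAINS, max_distance=2):
    """'known' if the domain is allowlisted, 'lookalike' if it is within
    max_distance edits of an allowlisted domain, otherwise 'unknown'."""
    domain = address.rsplit("@", 1)[-1].strip().rstrip(">").lower()
    if domain in known:
        return "known"
    if any(edit_distance(domain, k) <= max_distance for k in known):
        return "lookalike"
    return "unknown"


class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from an HTML mail body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def _norm_host(host):
    host = host.lower()
    return host[4:] if host.startswith("www.") else host


def link_mismatches(html):
    """Return (text, href) pairs where the text shows a URL or domain but the
    href actually points at a different host: what 'hover the cursor' reveals."""
    parser = LinkExtractor()
    parser.feed(html)
    bad = []
    for text, href in parser.links:
        shown = re.search(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", text.lower())
        if not shown:
            continue                     # "Click here" style text: nothing to compare
        real_host = urlparse(href).hostname or ""
        if _norm_host(shown.group(1)) != _norm_host(real_host):
            bad.append((text, href))
    return bad


# Constructed sample message: one honest link, one that lies about its destination.
SAMPLE_HTML = """
<p>Hi, your invoice is ready at
<a href="http://justfirewa11s-secure.example/login">https://www.justfirewalls.com/invoices</a>
and the datasheet is at <a href="https://www.sonicwall.com/">www.sonicwall.com</a>.</p>
"""

if __name__ == "__main__":
    for addr in ("sales@justfirewalls.com", "Sales <sales@justfirewals.com>", "x@example.net"):
        print(addr, "->", sender_domain_verdict(addr))
    for text, href in link_mismatches(SAMPLE_HTML):
        print("MISMATCH: shows", text, "but goes to", href)
```

In practice the allowlist would be built from your address book or past mail, and a "lookalike" verdict should be treated as more suspicious than "unknown": a stranger's domain is just unfamiliar, but a domain one letter away from a supplier's is deliberately crafted.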



Posted in News By Just Firewalls