Most of us know what ransomware is: that thing that encrypts files, holds them for ransom, and (hopefully) decrypts them once the ransom is paid. If ransoms aren’t paid, however, files may be lost. It’s scary when the life of your organisation is in the hands of someone else, especially when you don’t have a recovery plan. But, that’s part of the problem. By discussing ransomware (and malware) attacks before they happen, organisations will be more prepared if or when an incident occurs.
It’s time to review several mitigation strategies that will not only help protect the business, they will also help combat threats posed by other malware families.
To start, let’s take a look at the most recent series of ransomware attacks: WannaCry. This strain of ransomware made headlines for leveraging a leaked NSA-grade exploit to infiltrate networks and hold them for ransom. The vulnerability targeted by WannaCry, known as MS17-010, had been patched and made universally available as part of a routine Microsoft software update several weeks before the ransomware was released, giving organisations ample time to implement a security patch.
Despite the fact that MS17-010 was rated as critical, in the wild, and being exploited — which is essentially the highest level of “that needs to be patched yesterday” — many organisations didn’t implement it in time. Thankfully for some organisations, basic-yet-effective security precautions were taken years before WannaCry’s conception.
How, you might ask?
The worms of yesteryear provide some insight. In 2004, Sasser wreaked havoc using MS04-011, an exploit in the LSASS process, via remote code execution. The worm spread like a wildfire via port 445 (sound familiar?) and crippled networks worldwide. Just one year prior, MS-Blast behaved similarly, worming into networks and spreading via phishing attachments and exploits. Systems and organisations were knocked offline due to the traffic, causing global damages. We should have learned our lessons then, but unfortunately, history repeats itself.
In 2008, computer worm Conficker hit millions of computers using MS08-067, a remote exploit targeting Windows systems and how they handle certain requests over port 445. (Again, sound familiar?) This attack was enough of a wake-up call for many organisations and ISPs to start blocking unnecessary inbound ports.
Learning from our — and others’ — oversights is exactly why it’s so important to conduct an after-action analysis following any cyber-attack or compromise. By looking back at WannaCry, we can see that a simple firewall block for inbound port 445 would have prevented most of the attacks.
One of the most common questions organisations are seeking to address in WannaCry’s aftermath is this: how does malware spread? While WannaCry used port 445 to propagate through networks from the internet, malware often spreads via phishing emails, so there’s a chance it could have been packaged inside of a zip file or remotely pulled down via a dropper of some sort. Attackers have also been known to put Javascript files into zip archives in order to bypass some security measures.
Microsoft Word documents containing macros are another type of dropper common among attackers. While some organisations may allow macros, doing so creates yet another “low-hanging-fruit” situation that many attackers have long been known to target.
Ultimately, these types of after-action exercises can enable organisations to maintain a defence-in-depth approach to security – even when other points may fail.
Written by Ronnie Tokazowski, Senior Malware Analyst, Flashpoint
