The recent WannaCry ransomware attack, which has hit 99+ countries, would have been much larger had it not been for the early actions of both a UK cybersecurity researcher who blogs for Malwaretech and two Proofpoint researchers. In this attack, a powerful Microsoft exploit turned into a very nasty worm. As part of their initial effort, the researchers found a domain name hardcoded in the malware and sinkholed it for $10.69 during the early stages of the attack.
By sinkholing the domain, they stopped the worm from spreading itself even more widely. While the identification occurred after the initial wave hit Europe and Asia, it significantly slowed the spread of this worm and aggressive ransomware worldwide. The malware author(s) appear to have originally inserted the domain as a kill switch so that they could turn off the ransomware spread if they chose to do so, but failed to register the domain.
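The kill switch described above also gives defenders a triage signal: an internal host that looks up the hardcoded domain is worth investigating. The following added example (not from the original post) scans resolver logs for such lookups and lists first the hosts whose lookups went unanswered, on the assumption that the kill switch could not take effect for them; the log format, the placeholder domain and the function names are all assumptions.

```python
import re
from collections import defaultdict

# Placeholder: the post does not give the hardcoded domain, so substitute
# the real indicator from your own threat-intelligence source.
KILL_SWITCH_DOMAIN = "killswitch-placeholder.example"

# Assumed log format (constructed): "<ISO time> <client IP> <qname> <rcode>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+?)\.?\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

# Constructed sample resolver log, not real telemetry.
SAMPLE_LOG = """\
2017-05-12T09:14:02Z 10.1.4.23 killswitch-placeholder.example NXDOMAIN
2017-05-12T09:14:05Z 10.1.4.23 www.example.org NOERROR
2017-05-12T15:40:11Z 10.1.7.80 KillSwitch-Placeholder.example. NOERROR
2017-05-12T15:41:30Z 10.1.4.23 killswitch-placeholder.example NOERROR
2017-05-12T16:02:44Z 10.2.0.9 killswitch-placeholder.example SERVFAIL
garbage line that should be skipped
"""

def triage(log_text, domain=KILL_SWITCH_DOMAIN):
    """Return {client_ip: {first, last, count, unanswered}} for every
    client that looked up the kill-switch domain."""
    hosts = defaultdict(lambda: {"first": None, "last": None,
                                 "count": 0, "unanswered": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # tolerate malformed or unrelated lines
        ts, client, qname, rcode = m.groups()
        if qname.lower() != domain.lower():
            continue  # DNS names are case-insensitive
        h = hosts[client]
        h["first"] = h["first"] or ts
        h["last"] = ts
        h["count"] += 1
        if rcode != "NOERROR":
            h["unanswered"] += 1  # lookup failed: assume kill switch not reached
    return dict(hosts)

def priority(hosts):
    """Order hosts for response: most unanswered lookups first, then earliest seen."""
    return sorted(hosts, key=lambda ip: (-hosts[ip]["unanswered"], hosts[ip]["first"]))

if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for ip in priority(found):
        print(ip, found[ip])
```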
We believe it was just a matter of time for an attack like this to occur because this Microsoft exploit was tailor-made for malware that spreads within an organization’s network, and ransomware is so profitable for cybercriminals.
While Microsoft issued a patch for the vulnerability, which was detailed in the recent Shadow Brokers release of NSA hacking tools, the type of patch issued was not something that every organization was able to roll out or include in shorter patching windows. Legacy systems in particular appear to be disproportionately impacted, including systems running older operating systems that couldn’t be patched before Microsoft took the extraordinary step of releasing a patch today.
It remains absolutely critical that organizations worldwide ensure their systems have the latest patches installed and have tested backups ready for restoration in the event of a ransomware attack. According to our research, new ransomware variants have appeared every 2-3 days for the last 18 months. In Q1 2017, over four times as many new ransomware variants hit the market versus Q1 2016.
Ransomware Prevention, Detection and Recovery
Organizations need to take a multi-pronged approach to the ransomware issue and not assume the threat is slowing down. Now more than ever, the barrier to entry is very low when it comes to buying malware from the dark web, and ransomware remains quite easy to write. One of the biggest drivers is the consumer use of cybercurrencies such as Bitcoin and how easy they are to use. Several major banks will let users get hold of such currencies reasonably quickly, and it’s not a widely legislated currency, thus escaping a lot of potential prosecution for currency law violation.
The best security strategy against ransomware is a mix of prevention, detection, and recovery capabilities. As the bulk of ransomware is spread via malicious emails, organizations should invest in solutions that block the delivery of potentially harmful emails. The second prevention measure requires configuring your IT environment to deter one of the most common ways ransomware is spread - through malicious macros in documents. Most organizations can block users from enabling macros in documents received from outside the network without interrupting any business processes.
Detection controls also help, as endpoint and network security tools can often stop ransomware from encrypting user files or downloading the encryption key from the ransomware’s command and control infrastructure. Finally, a proactive recovery strategy can do wonders to combat ransomware. Larger organizations with solid backup processes are often able to avoid paying ransoms, as they can simply restore the compromised user’s data, even if the user may lose a few hours’ worth of work. In response, some ransomware now tries to encrypt backups first, so proper security configurations are essential for the backup infrastructure itself.
For more information on combatting ransomware, join our team on Thursday, May 18 at 3 p.m. ET/12 noon PT during a “Ransomware – The Billion Dollar Thief” webinar to discuss this issue and how to proactively stop it. You can also download our Ransomware Survival Guide with tips for before, during and after an attack.