<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ransomware Archives - The Integrator</title>
	<atom:link href="https://integratormedia.com/tag/ransomware/feed/" rel="self" type="application/rss+xml" />
	<link>https://integratormedia.com/tag/ransomware/</link>
	<description>EMEA&#8217;s Most Sought-After Publication by SMEs and Global Corporates</description>
	<lastBuildDate>Mon, 11 Dec 2023 15:36:27 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>
	hourly	</sy:updatePeriod>
	<sy:updateFrequency>
	1	</sy:updateFrequency>
	<generator>https://wordpress.org/?v=6.8.2</generator>
	<item>
		<title>2022 Ransomware Attacks and Evolution of Data Exfiltration</title>
		<link>https://integratormedia.com/2023/02/28/2022-ransomware-attacks-and-evolution-of-data-exfiltration/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=2022-ransomware-attacks-and-evolution-of-data-exfiltration</link>
					<comments>https://integratormedia.com/2023/02/28/2022-ransomware-attacks-and-evolution-of-data-exfiltration/?noamp=mobile#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 28 Feb 2023 06:11:51 +0000</pubDate>
				<category><![CDATA[Features]]></category>
		<category><![CDATA[Tech Features]]></category>
		<category><![CDATA[A10 Networks]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=14290</guid>

					<description><![CDATA[<p>By: Anthony Webb, VP International at A10 Networks Ransomware is one of the most sophisticated and feared attacks in the modern threat landscape. A specialized form of malware, ransomware is designed to forcibly encrypt a victim’s files. The attacker then demands a payment from the victim in exchange for the decryption key to restore access to [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2023/02/28/2022-ransomware-attacks-and-evolution-of-data-exfiltration/">2022 Ransomware Attacks and Evolution of Data Exfiltration</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong><em>By: Anthony Webb, VP International at A10 Networks</em></strong></p>
<p>Ransomware is one of the most sophisticated and feared attacks in the modern threat landscape. A specialized form of malware, ransomware is designed to forcibly encrypt a victim’s files. The attacker then demands a payment from the victim in exchange for the decryption key to restore access to the data upon payment. Costs can range from a few hundred dollars to millions, in addition to the disruption suffered while data remained inaccessible.</p>
<h2>Notable ransomware attacks of 2022</h2>
<h3><strong>1. Costa Rica ransomware attack (government)</strong></h3>
<p>In May 2022, President Rodrigo Chaves of Costa Rica declared a national emergency after Conti ransomware attacked numerous government institutions, including the Ministry of Finance, the Ministry of Science, and the Costa Rican Social Security Fund (CCSS).</p>
<p>Conti, a ransomware-as-a-service operation, has been wreaking havoc since 2020. Conti ransomware has several features not seen before, including the ability to run 32 encryption threads simultaneously and remote control through command-line options.</p>
<h3><strong>2. Puma ransomware attack (enterprise)</strong></h3>
<p>Puma was alerted to a security breach on 10 January, caused by a ransomware attack on Kronos, its workforce management solutions provider. With ransomware and data exfiltration as the goal, the personal data of over 6,600 employees, including Social Security numbers, was taken and encrypted, but no customer information was compromised. Kronos regained access to its data soon after and issued two years of complimentary Experian Identity Works to affected Puma employees as compensation, including credit monitoring, insurance, and restoration.</p>
<h3><strong>3. French hospitals targeted with ransomware (healthcare)</strong></h3>
<p>In August, hackers used LockBit ransomware against the French hospital Centre Hospitalier Sud Francilien, combined with data exfiltration. In retaliation for non-payment of the ransom, the attackers leaked patient data, including laboratory analyses and radiology reports. The attack disrupted all health services, forcing the transfer of patients to other facilities and the postponement of surgeries.</p>
<p>Another French hospital, André Mignot hospital in Versailles, was also hit with ransomware in December. They had to shut down their network as a security measure.</p>
<h2>What was the prevailing ransomware variant of 2022?</h2>
<p>According to a Malwarebytes report, LockBit (formerly “ABCD” ransomware) was the main ransomware variant of the year. LockBit ransomware scans for targets of value, propagates itself, and encrypts any computers connected to the network.</p>
<p>“LockBit is a subclass of ransomware known as a ‘crypto virus’ due to forming its ransom requests around financial payment in exchange for decryption. It focuses mostly on enterprises and government organizations rather than individuals.”</p>
<p><em><strong>– Source: Kaspersky Lab’s article LockBit ransomware — What You Need to Know </strong></em></p>
<h2>How do ransomware attacks work?</h2>
<p>Ransomware attacks can be initiated in many ways. One of the most common is a phishing exploit, in which an email delivers an attachment disguised as a legitimate business file. Once it has been downloaded and opened—often by a victim with good intentions and no awareness of the threat it contains—the malware takes over the victim’s computer, and can even use built-in social engineering tools to gain administrative access. At this point, the ransomware can spread laterally from one computer to another and ultimately infect the entire network.</p>
<p>Once the malware has taken over the victim’s computer, the typical next step is to encrypt some or all of the user’s sensitive files and forcibly reboot the user’s system. The user is then informed of the exploit and notified of the ransom being demanded, usually in the form of an untraceable Bitcoin payment, as well as a deadline for payment.</p>
<p>The post <a href="https://integratormedia.com/2023/02/28/2022-ransomware-attacks-and-evolution-of-data-exfiltration/">2022 Ransomware Attacks and Evolution of Data Exfiltration</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://integratormedia.com/2023/02/28/2022-ransomware-attacks-and-evolution-of-data-exfiltration/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>The Next Wave of Ransomware</title>
		<link>https://integratormedia.com/2022/09/14/the-next-wave-of-ransomware/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=the-next-wave-of-ransomware</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 14 Sep 2022 08:03:54 +0000</pubDate>
				<category><![CDATA[Features]]></category>
		<category><![CDATA[Tech Features]]></category>
		<category><![CDATA[Cryptocurrency]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[EMEA]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[SaaS]]></category>
		<category><![CDATA[Veeam]]></category>
		<category><![CDATA[Veeam Software]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=13054</guid>

					<description><![CDATA[<p>Written by: Edwin Weijdema, Global Technologist, Veeam Software Ransomware as a trend will continue to affect businesses across the world – with attack types and tactics from cybercriminals evolving all the time. As attacks get more sophisticated, so do the consequences of falling victim to ransomware and the complexity of the clean-up. The stakes are [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2022/09/14/the-next-wave-of-ransomware/">The Next Wave of Ransomware</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>Written by: Edwin Weijdema, Global Technologist, Veeam Software</strong></p>
<p>Ransomware as a trend will continue to affect businesses across the world – with attack types and tactics from cybercriminals evolving all the time. As attacks get more sophisticated, so do the consequences of falling victim to ransomware and the complexity of the clean-up.</p>
<p>The stakes are therefore higher than ever for businesses when it comes to protecting against ransomware attacks. Organizations need to understand the emerging trends that we will see gather speed, and prepare their defenses for the ransomware onslaught.</p>
<p><strong>Make Your Business Insurable: </strong>The tension between insurers and businesses affected by ransomware is mounting. In EMEA we have already seen global insurance giant AXA announce that it will stop writing cyber-insurance policies in France that reimburse customers for extortion payments made to ransomware criminals. With insurers overwhelmed and frustrated by ransomware claims, underwriters will tighten up their policies to ensure clients are meeting predetermined conditions such as investing in appropriate cybersecurity and employee training before paying out.</p>
<p><strong>Watch Out for Triple Extortion: </strong>This technique, designed to make businesses pay more and pay faster, extends the attack beyond its initial target: a third element of multi-layered extortion is directed at the victim’s customers and partners to harm them as well.</p>
<p><strong>Minimize the Threat Within: </strong>Various studies suggest that over 60% of data breaches and cybersecurity incidents are caused by insider threats. Digital hygiene is the first line of defense for an organization. Using two-factor authentication and restricting file access to only those who need it are ways of limiting the amount of damage a single user can do if security is compromised, intentionally or unintentionally. Furthermore, training and education are vital to making sure employees are confident in identifying and reporting potential attacks.</p>
<p><strong>Enforce the Law: </strong>Law enforcers are trying to bridge the imbalance between risk and reward for cybercriminals. Cybercriminals can make huge sums of money with little or no threat of prosecution. This has to change, and it will. However, given the borderless nature of cybercrime, governments must agree on an international legal framework for punishing cybercrime. Until then, legal action will mainly be directed toward the victims rather than the criminals. Many governments are debating whether they should make ransomware payments illegal so that businesses resist the temptation to pay ransoms, cutting off cybercriminals’ income supply. Moreover, cryptocurrencies such as Bitcoin, commonly viewed as a hacker’s dream, actually have the potential to help law enforcers bring criminals to justice. Digital ledgers such as blockchains make it easier to ‘follow the money’ because records cannot be altered or deleted. Therefore, once criminals turn their cryptocurrency into “real money,” the digital ledger can theoretically unmask them.</p>
<p><strong>Protect Your Data: </strong>Organisations must consult with their technology partners about deploying modern data protection solutions that can detect, mitigate and remediate ransomware attacks. Data must be backed up and recoverable across physical, virtual, cloud, SaaS, and Kubernetes so that in the event of a ransomware attack, businesses can remediate and recover quickly rather than being forced into paying the ransom.</p>
<p>As well as implementing modern data protection solutions, businesses must prioritize improving digital hygiene levels across their entire employee base. Employee education and awareness training can help to create a more digitally secure culture across the organization. A ‘human firewall’ combined with the right technology can help organizations prepare themselves for the ransomware attacks that will inevitably come their way this year and beyond.</p>
<p>The post <a href="https://integratormedia.com/2022/09/14/the-next-wave-of-ransomware/">The Next Wave of Ransomware</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Create a Data Fortress for Protection against Ransomware Attacks</title>
		<link>https://integratormedia.com/2022/07/13/create-a-data-fortress-for-protection-against-ransomware-attacks/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=create-a-data-fortress-for-protection-against-ransomware-attacks</link>
					<comments>https://integratormedia.com/2022/07/13/create-a-data-fortress-for-protection-against-ransomware-attacks/?noamp=mobile#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Wed, 13 Jul 2022 11:21:33 +0000</pubDate>
				<category><![CDATA[Features]]></category>
		<category><![CDATA[Tech Features]]></category>
		<category><![CDATA[cyber attack]]></category>
		<category><![CDATA[Cyber Threat]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[Data Privacy]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[Shared storage]]></category>
		<category><![CDATA[Tuhina Goel]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=12853</guid>

					<description><![CDATA[<p>Written by: Tuhina Goel, Director of Product Marketing at Nutanix Meet the Nemesis: Ransomware Cybersecurity Ventures predicts that ransomware will cost its victims around $265 billion (USD) annually by 2031. Businesses will face a new attack every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities. The data suggests that [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2022/07/13/create-a-data-fortress-for-protection-against-ransomware-attacks/">Create a Data Fortress for Protection against Ransomware Attacks</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong>Written by: Tuhina Goel, Director of Product Marketing at Nutanix</strong></p>
<p><strong>Meet the Nemesis: Ransomware</strong></p>
<p>Cybersecurity Ventures predicts that ransomware will cost its victims around $265 billion (USD) annually by 2031. Businesses will face a new attack every 2 seconds as ransomware perpetrators progressively refine their malware payloads and related extortion activities. The data suggests that it is not the question of if, but when a business is attacked by ransomware.</p>
<p>Shared storage has been an especially rich target for cybercriminals to hijack valuable customer, financial or sensitive information and extort payment in return for access to the data. Hence, revving up ransomware defense is a top priority for CIOs and other business leaders who are actively looking for storage security strategies against malicious cyber-attacks.</p>
<div id="attachment_12855" style="width: 175px" class="wp-caption alignright"><a href="https://varonline.com/wp-content/uploads/2022/07/Tuhina-Goel-Director-of-Product-Marketing-Nutanix-e1657711040418.jpg"><img decoding="async" aria-describedby="caption-attachment-12855" class=" wp-image-12855" src="https://varonline.com/wp-content/uploads/2022/07/Tuhina-Goel-Director-of-Product-Marketing-Nutanix-e1657711040418-256x300.jpg" alt="" width="165" height="193" /></a><p id="caption-attachment-12855" class="wp-caption-text"><em>Tuhina Goel &#8211; Director of Product Marketing, Nutanix</em></p></div>
<p>Ransomware is a type of malware that attacks storage systems by encrypting user file shares and volumes. Victims are denied access to the encrypted data, which is unrecoverable without paying a ransom for a decryption key. There is substantial uncertainty whether, even if the ransom is paid, the data will be restored or the attack will end.</p>
<p>Ransomware attacks cannot be detected by antivirus software or firewalls and cause tremendous losses, including lost productivity costs, forensic investigation costs, data restoration costs from backup, and the costs of hiring emergency consultants and crisis managers.</p>
<p>What businesses need is a cyber-security and ransomware protection plan that is integrated with the storage system to detect, prevent, recover, and analyze cyber-attacks so that structured and unstructured data is protected, no matter where the data resides.</p>
<p><strong>Nutanix Files Offers Integrated Ransomware Protection</strong></p>
<p>The Nutanix Files software-defined storage solution has integrated ransomware protection to help customers secure unstructured data. The latest version, Files 4.1, offers improved network isolation with network segmentation, better resource management with enhanced multi-network support, enhanced security with WORM support, and ransomware detection.</p>
<p>When combined with our Nutanix Data Lens SaaS-based data management and governance application, Nutanix Files delivers a full spectrum of ransomware protection aligned to key defense-in-depth and critical cybersecurity initiatives like a zero-trust architecture (ZTA) spanning the NIST cybersecurity frameworks of identify, protect, detect, respond, and recover.</p>
<p>The post <a href="https://integratormedia.com/2022/07/13/create-a-data-fortress-for-protection-against-ransomware-attacks/">Create a Data Fortress for Protection against Ransomware Attacks</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://integratormedia.com/2022/07/13/create-a-data-fortress-for-protection-against-ransomware-attacks/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Kaspersky Experts Release Decryption Tool for Yanluowang Ransomware</title>
		<link>https://integratormedia.com/2022/06/07/kaspersky-experts-release-decryption-tool-for-yanluowang-ransomware/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=kaspersky-experts-release-decryption-tool-for-yanluowang-ransomware</link>
					<comments>https://integratormedia.com/2022/06/07/kaspersky-experts-release-decryption-tool-for-yanluowang-ransomware/?noamp=mobile#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Tue, 07 Jun 2022 07:38:43 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tech News]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[Decryption Tool]]></category>
		<category><![CDATA[Kaspersky]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[Yanluowang]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=12595</guid>

					<description><![CDATA[<p>The ransomware dubbed Yanluowang targets companies around the world, encrypting files on their computers and blocking access to their systems, so that victims cannot access their data. Previously, victims’ only solution was to pay a ransom to the cybercriminals. After analyzing the ransomware, Kaspersky researchers have developed a free tool that allows victims to recover [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2022/06/07/kaspersky-experts-release-decryption-tool-for-yanluowang-ransomware/">Kaspersky Experts Release Decryption Tool for Yanluowang Ransomware</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The ransomware dubbed Yanluowang targets companies around the world, encrypting files on their computers and blocking access to their systems, so that victims cannot access their data. Previously, victims’ only solution was to pay a ransom to the cybercriminals. After analyzing the ransomware, Kaspersky researchers have developed a free tool that allows victims to recover their affected files without using the attackers&#8217; key. The tool is already available on the No Ransom website.</p>
<p>Yanluowang was first discovered in October 2021. Its name is a reference to the Chinese deity Yanluo Wang, one of the ten kings of hell. According to Kaspersky telemetry, Yanluowang has been attacking large businesses in the United States, Turkey, Brazil and other countries.</p>
<p>An attack using Yanluowang begins with an operator manually launching encryption. While encrypting the victims’ files, this ransomware changes file extensions to “.Yanlouwang.” After the computer has been attacked, an openly accessible file containing a ransom note is left behind. Cybercriminals threaten the victim that if they go to the police, all files on the infected computer will be deleted. Even after the deletion of all files, the victim will still not be left alone: Yanluowang&#8217;s authors threaten to then attack the entire company with DDoS attacks and ransomware infections on the company’s employee computers.</p>
<p>Kaspersky experts analyzed the ransomware and found a vulnerability that allows victims to decrypt files on an infected computer. The user needs to have one or more original files and download a specially designed decryption tool. The victim is then able to decrypt the affected files independently.</p>
<p>“While Yanluowang is not a widespread ransomware threat, it still hurts users and, in the fight against ransomware, every defeated malicious program counts. Ransomware is an international threat, and that is why it is important for the cyber community to cooperate in the fight against ransomware. We hope our contribution helps organizations attacked by Yanluowang,” comments Yanis Zinchenko, security researcher at Kaspersky.</p>
<p><strong>To protect yourself from ransomware attacks, Kaspersky recommends you:</strong></p>
<ul>
<li>Do not expose remote desktop services (such as RDP) to public networks unless absolutely necessary, and always use strong passwords for them</li>
<li>Promptly install available patches for commercial VPN solutions that provide access for remote employees and act as gateways into your network</li>
<li>Always keep software updated on all devices you use to prevent ransomware from exploiting vulnerabilities</li>
<li>Focus your defense strategy on detecting lateral movements and data exfiltration to the Internet. Pay special attention to outgoing traffic to detect cybercriminals’ connections</li>
<li>Back up data regularly and make sure you can access it quickly in an emergency.</li>
<li>Use the latest Threat Intelligence to stay on top of current TTPs used by threat actors</li>
<li>Use solutions like Kaspersky Endpoint Detection and Response and Kaspersky Managed Detection and Response, which help identify and stop an attack during its early stages before attackers are able to achieve their final goals</li>
<li>Protect the corporate environment by educating your employees. Dedicated training courses, such as the ones provided on the Kaspersky Automated Security Awareness Platform, can help</li>
<li>Use a reliable endpoint security solution, such as Kaspersky Endpoint Security for Business, that is powered by exploit prevention, behavior detection and a remediation engine capable of rolling back malicious actions. KESB also has self-defense mechanisms to prevent cybercriminals from removing it</li>
</ul>
<p>The Yanluowang decryptor has been added to the “No Ransom Kaspersky Rannoh Decryptor” tool. It can be downloaded from the No Ransom website – a project launched by Kaspersky to share solutions and stop the scourge of ransomware.</p>
<p>The post <a href="https://integratormedia.com/2022/06/07/kaspersky-experts-release-decryption-tool-for-yanluowang-ransomware/">Kaspersky Experts Release Decryption Tool for Yanluowang Ransomware</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://integratormedia.com/2022/06/07/kaspersky-experts-release-decryption-tool-for-yanluowang-ransomware/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Fortinet Predicts Cyberattacks Aimed at Everything From Crypto Wallets to Satellite Internet</title>
		<link>https://integratormedia.com/2021/12/26/fortinet-predicts-cyberattacks-in-2022/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=fortinet-predicts-cyberattacks-in-2022</link>
					<comments>https://integratormedia.com/2021/12/26/fortinet-predicts-cyberattacks-in-2022/?noamp=mobile#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Sun, 26 Dec 2021 05:12:38 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tech News]]></category>
		<category><![CDATA[cyberattacks]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[FortiGuard]]></category>
		<category><![CDATA[fortinet]]></category>
		<category><![CDATA[Predictions 2022]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[Supply Chain Attacks]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=11674</guid>

					<description><![CDATA[<p>Fortinet unveiled its predictions about the cyberthreat landscape for 2022 and beyond. Derek Manky, Chief, Security Insights &#38; Global Threat Alliances, FortiGuard Labs articulates, “Cybercriminals are evolving and becoming more like traditional APT groups; zero-day equipped, destructive, and able to expand their techniques as needed to achieve their goals.” He added, “We will see attacks [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2021/12/26/fortinet-predicts-cyberattacks-in-2022/">Fortinet Predicts Cyberattacks Aimed at Everything From Crypto Wallets to Satellite Internet</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
<content:encoded><![CDATA[<p>Fortinet unveiled its predictions about the cyberthreat landscape for 2022 and beyond. Derek Manky, Chief, Security Insights &amp; Global Threat Alliances, FortiGuard Labs articulates, “Cybercriminals are evolving and becoming more like traditional APT groups; zero-day equipped, destructive, and able to expand their techniques as needed to achieve their goals.” He added, “We will see attacks spanning further outside of the extended network, even into space, as attackers take advantage of a fragmented perimeter, siloed teams and tools as well as a greatly expanded attack surface. These threats will leave overwhelmed IT teams scrambling to cover every possible avenue of attack.”</p>
<p>Following are the highlights of the prediction report made by FortiGuard Labs:</p>
<ul>
<li><strong><em>Ransomware will get more destructive:</em></strong> There will continue to be a crimeware expansion and ransomware will remain a focus going forward. Ransomware attacks could be a concern for emerging edge environments, critical infrastructure, and supply chains.</li>
<li><strong><em>Cybercriminals use AI to master deep fakes:</em></strong> Cybercriminals are also leveraging AI to thwart the complicated algorithms used to detect their abnormal activity. Going forward, this will evolve as deep fakes become a growing concern because they leverage AI to mimic human activities and can be used to enhance social engineering attacks.</li>
<li><strong><em>More attacks against lesser targeted systems in the supply chain:</em></strong> In many networks, Linux runs many of the back-end computing systems, and until recently, it has not been a primary target of the cybercriminal community. Recently, new malicious binaries have been detected targeting Microsoft’s WSL (Windows Subsystem for Linux). This further expands the attack surface into the core of the network and increases the threats that need to be defended in general. This has ramifications for operational technology (OT) devices and supply chains in general that run on Linux platforms.</li>
<li><strong><em>Cybercrime targets space:</em></strong> FortiGuard Labs expects to see new proof-of-concept (POC) threats targeting satellite networks over the next year as satellite-based internet access continues to grow. The biggest targets will be organizations that rely on satellite-based connectivity to support low-latency activities, such as online gaming or delivering critical services to remote locations, as well as remote field offices, pipelines, or cruises and airlines.</li>
<li><strong><em>Cybercriminals thrive living off the land at the edge:</em></strong> A new edge-based threat is emerging. Edge malware could monitor edge activities and data and then steal, hijack, or even ransom critical systems, applications, and information while avoiding being detected.</li>
</ul>
<p>The post <a href="https://integratormedia.com/2021/12/26/fortinet-predicts-cyberattacks-in-2022/">Fortinet Predicts Cyberattacks Aimed at Everything From Crypto Wallets to Satellite Internet</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://integratormedia.com/2021/12/26/fortinet-predicts-cyberattacks-in-2022/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>Global Cyber Threat Intelligence Partnerships: An Opportunity to Work Together</title>
		<link>https://integratormedia.com/2021/11/21/global-cyber-threat-intelligence-partnerships-an-opportunity-to-work-together/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=global-cyber-threat-intelligence-partnerships-an-opportunity-to-work-together</link>
					<comments>https://integratormedia.com/2021/11/21/global-cyber-threat-intelligence-partnerships-an-opportunity-to-work-together/?noamp=mobile#respond</comments>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Sun, 21 Nov 2021 13:34:54 +0000</pubDate>
				<category><![CDATA[Features]]></category>
		<category><![CDATA[Tech Features]]></category>
		<category><![CDATA[Cyber Attacks]]></category>
		<category><![CDATA[Cyber Crime]]></category>
		<category><![CDATA[Cyber Intrusion]]></category>
		<category><![CDATA[Cyber Security]]></category>
		<category><![CDATA[Cyber Threat]]></category>
		<category><![CDATA[fortinet]]></category>
		<category><![CDATA[Policymaking]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=11476</guid>

					<description><![CDATA[<p>By: Derek Manky, Chief, Fortinet Fighting cybercrime is a collaborative effort, with cybersecurity experts, law enforcement, and policymakers teaming up with industries and the public to fight the war on cybercrime. Most people will agree that combatting cybercrime is critical to our society’s digital and structural health, so the opportunity to help has always been there. [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2021/11/21/global-cyber-threat-intelligence-partnerships-an-opportunity-to-work-together/">Global Cyber Threat Intelligence Partnerships: An Opportunity to Work Together</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p><strong><em>By: Derek Manky, Chief, Fortinet</em></strong></p>
<p>Fighting cybercrime is a collaborative effort, with cybersecurity experts, law enforcement, and policymakers teaming up with industries and the public to fight the war on cybercrime. Most people will agree that combatting cybercrime is critical to our society’s digital and structural health, so the opportunity to help has always been there. However, those bad actors know cybercrime is a trillion-dollar business, and the odds of getting caught are low since cybercrime overall has no borders as countries do.</p>
<p>As today’s cyberthreats become more sophisticated and aggressive, with ransomware attacks moving to an affiliate-based, as-a-service model, working together is the only way to get ahead of them. According to a Fortinet ransomware survey, ransomware has become a top threat concern for global organizations, and that is just one threat type. Recent episodes have caused massive supply chain infections from a single intrusion point.</p>
<div id="attachment_11478" style="width: 234px" class="wp-caption alignright"><a href="https://varonline.com/wp-content/uploads/2021/11/Derek-Manky-Chief-Security-Insights-Global-Threat-Alliances-at-Fortinets-FortiGuard-Labs-e1637501553708.jpeg"><img decoding="async" aria-describedby="caption-attachment-11478" class=" wp-image-11478" src="https://varonline.com/wp-content/uploads/2021/11/Derek-Manky-Chief-Security-Insights-Global-Threat-Alliances-at-Fortinets-FortiGuard-Labs-e1637501553708-300x292.jpeg" alt="" width="224" height="218" /></a><p id="caption-attachment-11478" class="wp-caption-text"><em>Derek Manky, Chief, Security Insights &amp; Global Threat Alliances at Fortinet&#8217;s FortiGuard Labs</em></p></div>
<p>And cybercriminals are becoming more well-funded the more advanced they become, with growing business models and supply chains of their own. So how do we create action and execute on the knowledge we’ve amassed studying cybercrime? Simply nodding in agreement is just not enough. Goodwill is one thing, but the time to act is now. The answer is by working together with global partners to raise resiliency, disrupt, and ultimately take down these criminal empires.</p>
<p><strong>A Needle in a Haystack</strong></p>
<p>Cybercrime is now a criminal empire that functions like any other criminal organization, with bosses, managers, and money mules. But the world of cybercrime is a bit more complicated. Take, for example, the number one reason these adversaries don’t get caught: jurisdiction. Many cybercriminals operate from countries that don’t extradite to the U.S., making it harder to identify them, let alone locate, charge, and prosecute them.</p>
<p>There is a ton of data around ransomware and other types of cybercrime. Still, accurate data on the number of incidents is hard to come by because a large percentage of victims don’t even report their cases. Even though there have been some big, successful takedowns recently, less than 0.05% of cybercriminals are arrested and prosecuted. And the bad guys like those odds. This giant cybercrime enforcement gap gives bad actors the confidence to continue without fear of being caught, charged, or punished. The cybercrime supply chain has exploded, and there are so many moving parts and participants at the ready at each point that it takes concerted, global, collaborative efforts to track them all down and stop them.</p>
<p><strong>A Collaborative Effort</strong></p>
<p>Our mission at FortiGuard Labs is to provide Fortinet customers with the industry’s best threat intelligence to protect them from malicious activity and sophisticated cyber-attacks. But we don’t stop at protecting our customers—Fortinet is actively engaged with and has bi-directional threat intelligence–feed relationships with more than 200 partners. These partnerships are vital to providing increased visibility to FortiGuard Labs’ operations. They include threat-intelligence peers, national community emergency response teams (CERTs), computer security incident response teams (CSIRTs), government agencies, international law enforcement organizations (including NATO and INTERPOL), and other critical partners such as MITRE and the World Economic Forum&#8217;s Centre for Cybersecurity.</p>
<p>Fortinet also belongs to INTERPOL ICGEG (Global Expert Group), and we work with the FBI to help counter cybercrime and cyber-terrorism. (We were one of several private sector companies that provided support to an INTERPOL-led operation targeting cybercrime across the ASEAN region.)</p>
<p>We are increasing our efforts and focus to go beyond our own research to lead, interact, share, and foster the sharing of actionable threat intelligence. For example, Fortinet co-founded the Cyber Threat Alliance (CTA). Today, the CTA has grown well beyond its four founding members and actively brings threat researchers, security vendors, and alliance partners together to share threat information and improve defenses against advanced cyber adversaries across member organizations and their customers. The goal of the CTA is to disrupt cybercrime and attacks by raising resiliency: the more we share, the better equipped we will all be to fight the war on cybercrime.</p>
<p>Fortinet is also a founding member of and supports multiple initiatives for the World Economic Forum’s (WEF) Centre for Cybersecurity, holding one of only two permanent seats on this international council. The Centre for Cybersecurity was designed to shape the future of cybersecurity and digital trust worldwide, safeguard innovation, protect institutions, businesses, and individuals, and secure our growing reliance on the digital economy.</p>
<p><strong>Fighting the Good Fight</strong></p>
<p>The main goals of the Centre for Cybersecurity are to:</p>
<ul>
<li><strong>Build cyber resilience</strong> by developing and scaling forward-looking solutions and promoting effective practices across digital ecosystems</li>
<li><strong>Strengthen global cooperation</strong> among public and private stakeholders by fostering a collective response to cybercrime and jointly addressing key security challenges</li>
<li><strong>Understand future networks and technology</strong> to identify and prepare for future cybersecurity challenges and opportunities</li>
</ul>
<p>In addition, the Partnership Against Cybercrime brings together a dedicated community including leading law enforcement agencies, international organizations, cybersecurity companies, service and platform providers, global corporations, and leading not-for-profit alliances. Following the 2020 Working Group recommendations, the Partnership will support the establishment of a global network of hubs for operational public-private cooperation. The Partnership will serve as the platform for interactions and insight sharing on a global and strategic level.</p>
<p>Other actionable insights gleaned from Fortinet’s participation in the first INTERPOL High-Level Forum on Ransomware are to:</p>
<ul>
<li><strong>Prevent ransomware by raising awareness</strong>, partnerships, and information sharing</li>
<li><strong>Aim for pre-exploit disruption</strong> of ransomware and its ecosystem through global law enforcement actions both reactively and proactively</li>
<li><strong>Provide in-event emergency support</strong> against ransomware attacks</li>
<li><strong>Ensure post-event support</strong> following ransomware attacks to increase resilience, agility, and responsiveness</li>
</ul>
<p><strong>Good News</strong></p>
<p>In cybersecurity, not every action has an immediate or lasting effect, but several events in 2021 show positive developments specifically for defenders. Aligning forces through collaboration is being prioritized to disrupt cybercriminal supply chains. Shared data and partnership enable more effective responses and better prediction of future techniques to deter adversary efforts. Some results of this cooperation were the coordinated takedown of Emotet, one of the most prolific malware operations in recent history, and the disruption of the Egregor, NetWalker, and Cl0p ransomware operations, which represent significant wins by global governments and law enforcement to curb cybercrime. The US Department of Justice (DOJ) sent a strong message when it charged a NetWalker affiliate. Recently, two ransomware operators were arrested in Ukraine. FortiGuard Labs’ data showed a slowdown of threat activity following the Emotet takedown. Activity related to TrickBot and Ryuk variants persisted after the Emotet botnet was taken offline, but at a reduced volume.</p>
<p>It may sometimes seem like cybercriminals have the upper hand because their criminal empire has become so large and unruly that it’s becoming harder to contain it. However, efforts are paying off. Cybersecurity is a long game, and not all actions have an immediate effect. But increasing pressure from critical voices is having an impact.</p>
<p>The post <a href="https://integratormedia.com/2021/11/21/global-cyber-threat-intelligence-partnerships-an-opportunity-to-work-together/">Global Cyber Threat Intelligence Partnerships: An Opportunity to Work Together</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
					<wfw:commentRss>https://integratormedia.com/2021/11/21/global-cyber-threat-intelligence-partnerships-an-opportunity-to-work-together/feed/</wfw:commentRss>
			<slash:comments>0</slash:comments>
		
		
			</item>
		<item>
		<title>FireEye announces new Cloud and Virtual Endpoint Security offerings</title>
		<link>https://integratormedia.com/2017/06/15/fireeye-announces-new-cloud-virtual-endpoint-security-offerings/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=fireeye-announces-new-cloud-virtual-endpoint-security-offerings</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Thu, 15 Jun 2017 06:00:49 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tech News]]></category>
		<category><![CDATA[endpoint]]></category>
		<category><![CDATA[FireEye]]></category>
		<category><![CDATA[FireEye Helix]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=8354</guid>

					<description><![CDATA[<p>FireEye has announced new cloud and virtual form factors for its Endpoint Security solution. Available globally by early-Q3 2017, the new cloud and virtual offerings enable customers and partners additional flexibility for deployment and lower cost as they move to the cloud. The pioneer of Endpoint Detection and Response (EDR), FireEye cloud and virtual Endpoint [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2017/06/15/fireeye-announces-new-cloud-virtual-endpoint-security-offerings/">FireEye announces new Cloud and Virtual Endpoint Security offerings</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>FireEye has announced new cloud and virtual form factors for its Endpoint Security solution. Available globally by early-Q3 2017, the new cloud and virtual offerings enable customers and partners additional flexibility for deployment and lower cost as they move to the cloud.   </p>
<p>From the pioneer of Endpoint Detection and Response (EDR), the FireEye cloud and virtual Endpoint Security offerings are part of major upgrades available for customers in 2017, aimed at delivering an intelligence-led Endpoint Protection Platform (EPP) that simplifies, integrates, and automates security.</p>
<p>Additional 2017 upgrades will include anti-virus (AV) replacement &#038; remediation in Q3, behavior-based ransomware protection, Linux support to complete coverage of all major computing platforms alongside macOS and Windows, and continued investment in simplified security driven by the company’s decades of data science and artificial intelligence (AI) research and products.</p>
<p>“Every day we see endpoint security solutions with big tech buzzwords and more alerts failing our partners and customers as we respond to their breaches. By applying what we learn to our Endpoint Security, we can relentlessly protect our customers while simplifying their security operations,” said Kevin Mandia, CEO, FireEye. </p>
<p>“We started the year with a goal to protect our clients with the best next-generation endpoint platform in 2017; the addition of cloud and virtual offerings is a critical step towards that goal,” said John Laliberte, SVP of Engineering at FireEye. </p>
<p>“These new form factors enable our clients and partners to deliver the best intelligence-led endpoint security at scale while reducing costs and increasing deployment flexibility.”</p>
<p>For partners, the new form factors make delivering FireEye Endpoint faster and more efficient. Partners can immediately deploy FireEye endpoint with no hardware required, and provide options to host or virtually manage for customers. These new options drive down cost and complexity for new deployments and provide proven scalability from a global security vendor. </p>
<p>Additionally, with FireEye Helix, partners can simplify customers’ security operations with integrating endpoint, network, and 3rd party alerts into a unified view of the most dangerous threats in an environment. Helix can be managed by customers or partners, with FireEye providing scalable experts at the moment a customer should need additional expertise. </p>
<p>The post <a href="https://integratormedia.com/2017/06/15/fireeye-announces-new-cloud-virtual-endpoint-security-offerings/">FireEye announces new Cloud and Virtual Endpoint Security offerings</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Attivo urges need to adopt new technology designed to derail ransomware attacks</title>
		<link>https://integratormedia.com/2017/06/05/attivo-urges-need-adopt-new-technology-designed-derail-ransomware-attacks/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=attivo-urges-need-adopt-new-technology-designed-derail-ransomware-attacks</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 05 Jun 2017 06:28:07 +0000</pubDate>
				<category><![CDATA[News]]></category>
		<category><![CDATA[Tech News]]></category>
		<category><![CDATA[Attivo Networks]]></category>
		<category><![CDATA[deception]]></category>
		<category><![CDATA[ransomware]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=8317</guid>

					<description><![CDATA[<p>Attivo Networks, a leader in deception for cybersecurity defense, challenged not only healthcare, but all industries to take immediate steps in the wake of Friday’s global ransomware attacks. “The recent massive cyberattack manifested a significant change in the cyber realm. It was indicative of cybercriminals crossing the lines of ethical boundaries at the expense of [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2017/06/05/attivo-urges-need-adopt-new-technology-designed-derail-ransomware-attacks/">Attivo urges need to adopt new technology designed to derail ransomware attacks</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>Attivo Networks, a leader in deception for cybersecurity defense, challenged not only healthcare, but all industries to take immediate steps in the wake of Friday’s global ransomware attacks. “The recent massive cyberattack manifested a significant change in the cyber realm. It was indicative of cybercriminals crossing the lines of ethical boundaries at the expense of public safety,” says Ray Kafity, Vice President, Middle East, Turkey &#038; Africa at Attivo Networks.</p>
<p>WannaCry ransomware hit globally and has been referred to as a weapon of mass destruction based on its ability to spread like wildfire once it has gained access to unpatched computers. The impact has been significant, with victims across the financial, energy, transportation, government, and healthcare sectors. In Britain, attacks not only blocked doctors’ access to patient files but also forced emergency rooms to divert people seeking urgent care.</p>
<p>The malicious software behind the onslaught appeared to exploit a vulnerability in Microsoft Windows that was reportedly identified by the National Security Agency for its own intelligence-gathering purposes and was later leaked to the internet.<br />
“There are solutions in the marketplace today that can isolate ransomware immediately upon an attacker’s attempted access to networked drives or their in-network lateral movement,” added Kafity. “It is noted that Attivo’s high interaction deception techniques have been Attivo Labs tested to slow down the encryption process by 25x. This slows down the WannaCry Ransomware and provides incident response teams valuable time to respond and isolate the attacks either manually or automatically through 3rd party integrations”.</p>
<p>The Attivo Networks solution for ransomware starts by providing a “motion sensor” that alerts the organization when an attacker tries to encrypt the decoy drive or exploit a Windows SMB vulnerability. The decoy drives are set up as networked drives and designed with high-interaction technology and lures to attract the attacker to engage with the deception asset instead of production drives. What makes this solution unique is its ability to slow down and block the ransomware by letting the attacker believe the encryption is succeeding while it is in fact occupied with the decoy. Capturing the attention of the ransomware provides security organizations the much-needed time-to-respond advantage to quarantine the infected system off the network and prevent further infections. Third-party integrations with current security infrastructure can also be set up for automated quarantine and isolation of an infected system. This time-to-respond advantage can make the critical difference between the loss of a single system and a widespread outage.</p>
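<p>The decoy-drive “motion sensor” described above, reduced to its core detection logic, as an added example (this is not Attivo’s code; the decoy directory, file names, entropy threshold and the simulated attacker are assumptions constructed for the example): decoy documents that no legitimate process should ever touch are planted and their hashes recorded; any later change, rename or deletion is an alert, and a change whose new content has near-random byte entropy is classified as encryption rather than an ordinary edit. A real deployment exposes the decoy directory as a network share so that laterally moving ransomware finds it, and wires the alert into the quarantine action the text describes.</p>

```python
"""Canary-file ransomware detector (added example, not Attivo's product code).

Assumptions not taken from the article: decoys live in a directory the monitor
owns and no legitimate process writes there; an entropy threshold of 7.0 bits
per byte separates ciphertext from office documents; the decoy file names and
the simulated attacker below are constructed for the example.
"""
import hashlib
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

ENTROPY_THRESHOLD = 7.0  # bits/byte; random-looking output scores close to 8.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def plant_decoys(root: Path, count: int = 5) -> dict:
    """Create decoy documents with plausible names and record a SHA-256 baseline."""
    baseline = {}
    for i in range(count):
        path = root / f"Q3_budget_{i}.xlsx"  # constructed lure name
        path.write_bytes((b"Quarterly budget figures, department %d.\n" % i) * 40)
        baseline[path] = hashlib.sha256(path.read_bytes()).hexdigest()
    return baseline


def check_decoys(baseline: dict, threshold: float = ENTROPY_THRESHOLD) -> list:
    """Compare decoys with the baseline; return (path, kind) alerts.

    kind is "missing" (renamed or deleted, e.g. a new extension appended),
    "encrypted" (content replaced by high-entropy bytes) or "modified".
    """
    alerts = []
    for path, digest in baseline.items():
        if not path.exists():
            alerts.append((str(path), "missing"))
            continue
        data = path.read_bytes()
        if hashlib.sha256(data).hexdigest() == digest:
            continue  # untouched
        kind = "encrypted" if shannon_entropy(data) >= threshold else "modified"
        alerts.append((str(path), kind))
    return alerts


def simulate_ransomware(baseline: dict) -> None:
    """Constructed attacker behaviour: overwrite two decoys with random bytes
    (a stand-in for ciphertext) and rename a third with an extra extension."""
    targets = list(baseline)
    for path in targets[:2]:
        path.write_bytes(os.urandom(len(path.read_bytes())))
    targets[2].rename(targets[2].with_suffix(targets[2].suffix + ".locked"))


def demo() -> list:
    """Plant decoys in a temp dir, run the simulated attack, return the alerts."""
    root = Path(tempfile.mkdtemp(prefix="decoys_"))
    baseline = plant_decoys(root)
    assert check_decoys(baseline) == []  # a clean baseline raises nothing
    simulate_ransomware(baseline)
    return check_decoys(baseline)


if __name__ == "__main__":
    for path, kind in demo():
        print(f"ALERT {kind:>9}: {path}")
```

<p>The hash comparison alone would flag any write; the entropy test is what lets the alert say “encryption” rather than “something changed”, which matters when the response is an automated quarantine. Polling is used here for simplicity; a production monitor would hook the share’s file-change notifications so the alert fires on the first decoy touched.</p>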
<p>Another important differentiator of this technology is that the solution does not depend upon signatures, so the decoys are accurate and effective regardless of the variant of ransomware (WannaCry, WannaCrypt0r, WannaCrypt, WCry, Wana Decrypt0r, or other ransomware strains). Technology that is based on signatures or pattern matching can often miss new strains of ransomware, and its alerts are easily lost as one more benign-looking entry buried in streams of log data.</p>
<p>“Ransomware attacks can be highly damaging, but this can be avoided if the right early detection tools are deployed” Kafity concludes. “Regardless of the threat vector of an attack, organizations using deception technology are efficiently alerted to in-network breaches and are provided the tools for accelerated cyber incident response. Moreover, upon breach, deception technology automates the containment of the infected system.”</p>
<p>The Attivo advanced ransomware detection solution that added high-interaction engagement techniques was announced as part of its 4.0 release and was made generally available in April of 2017.  </p>
<p>The post <a href="https://integratormedia.com/2017/06/05/attivo-urges-need-adopt-new-technology-designed-derail-ransomware-attacks/">Attivo urges need to adopt new technology designed to derail ransomware attacks</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
		
		
			</item>
		<item>
		<title>Best practises key to combating ransomeware attacks</title>
		<link>https://integratormedia.com/2017/05/22/best-practises-key-combating-ransomeware-attacks/?utm_source=rss&#038;utm_medium=rss&#038;utm_campaign=best-practises-key-combating-ransomeware-attacks</link>
		
		<dc:creator><![CDATA[admin]]></dc:creator>
		<pubDate>Mon, 22 May 2017 04:58:17 +0000</pubDate>
				<category><![CDATA[Features]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[Tech Features]]></category>
		<category><![CDATA[Tech News]]></category>
		<category><![CDATA[DNS security]]></category>
		<category><![CDATA[Infoblox]]></category>
		<category><![CDATA[ransomware]]></category>
		<category><![CDATA[WannaCry]]></category>
		<guid isPermaLink="false">https://varonline.com/?p=8224</guid>

					<description><![CDATA[<p>The Infoblox Intelligence Unit observed two global malware outbreaks on Friday, May 12. Although there is no indication that the two attacks were related, both were ransomware attacks with the goal of encrypting the victim’s files, demanding a payment (mostly in the form of a Bitcoin payment) in order to decrypt them. Several reports conflated [&#8230;]</p>
<p>The post <a href="https://integratormedia.com/2017/05/22/best-practises-key-combating-ransomeware-attacks/">Best practises key to combating ransomeware attacks</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></description>
										<content:encoded><![CDATA[<p>The Infoblox Intelligence Unit observed two global malware outbreaks on Friday, May 12. Although there is no indication that the two attacks were related, both were ransomware attacks with the goal of encrypting the victim’s files, demanding a payment (mostly in the form of a Bitcoin payment) in order to decrypt them.</p>
<p>Several reports conflated the two outbreaks based on the evidence at hand and the common use of ransomware.  Subsequent investigation revealed that they were separate attacks utilizing different distribution capabilities and malware. It is important to understand the difference between the two attacks because each one requires slightly different remediation measures.</p>
<p>The first attack, WannaCry, is a self-propagating worm that leverages a known and patched vulnerability in Microsoft Server Message Block version 1 (SMBv1). It uses an exploit called ETERNALBLUE and goes on to install a backdoor known as DOUBLEPULSAR to allow future access to the infected systems. WannaCry spreads by connecting to SMB services on local and Internet-facing systems that are either still vulnerable or already running the backdoor, and it then spreads laterally by attempting connections to all systems on the local network.</p>
<p>During its initial infection WannaCry checks whether an external domain (the killswitch domain) is reachable. If the killswitch domain can be contacted, the encryption function does not run. The killswitch domains are not command-and-control servers for the malware and should be monitored but not blocked. Before May 12, the domains were not registered. Shortly after the attack started, a malware researcher registered and sinkholed the first domain, which prevented a large number of later infections from encrypting, since newly infected machines could now reach the domain. If left to run normally, WannaCry will encrypt most files on a machine. Once the files are encrypted, users are prompted to pay $300 in Bitcoin to get their files back. The price rises to $600 if a user takes too long to pay, and eventually the user is unable to pay at all. Note that Microsoft had issued a patch in March 2017 for the SMB vulnerability being exploited; that patch was not universally applied.</p>
<p>While the world was preoccupied with WannaCry, another ransomware attack was in progress, called Jaff. The Jaff ransomware was launched by Necurs, one of the largest botnets in the world, notorious for spreading threats such as the Locky ransomware and the Dridex banking Trojan. It sends misleading emails to its victims encouraging them to open an attached PDF document. This document asks for additional permissions when opened and, if the user approves, allows the delivery and execution of the ransomware payload. The emails used to deliver Jaff employ standard spam techniques, but the exact details vary between each of the concurrent campaigns.</p>
<p>Once Jaff has been downloaded and executed by the malicious document, it connects to its C2 servers to report that encryption of the victim’s files has begun. Jaff then proceeds to encrypt the victim’s files, instructs the victim to install Tor Browser, and directs the user to a specific web site that displays a ransom note and payment instructions. The exact amount demanded varies over time, but currently averages around 2 Bitcoin (roughly $3,500).</p>
<p><strong>Best Practice Recommendations:<br />
</strong>In the face of these attacks, organizations in the Middle East are asking what they can do.<br />
•	Implementing patches in a timely manner: WannaCry’s reliance on a known vulnerability and network scanning indicates that some traditional defenses may be effective. Ensuring timely software updates and keeping systems patched would eliminate the vulnerability and the worm’s ability to spread through that exploit.<br />
•	Sinkholing: Unlike typical command-and-control domains, which should be blocked, WannaCry used a killswitch domain which had to be resolved and reached in order to avoid activating the ransomware’s encryption function. One best practice is for an enterprise to redirect its internal requests for those domains to an internal sinkhole. Permitting the infected client to successfully connect to the killswitch domain will prevent the encryption function from running, and it will also enable the enterprise to identify the internal hosts that have been infected. Note that the sinkhole must actually accept the HTTP connection, not merely answer the DNS query: a name that resolves to an address with nothing listening fails the check and the ransomware proceeds. The malware also makes its request directly rather than through the system proxy, so the sinkhole must be reachable from clients without a proxy.<br />
•	DNS Response Policy Zone (RPZ) capability: Using RPZ capability on the DNS server to monitor any hits to the killswitch domain helps identify infected clients.<br />
•	Using up-to-date threat intelligence: organizations should leverage up-to-date and curated threat intelligence across their entire security and DNS infrastructures to protect against malicious activity and DNS</p>
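<p>The sinkholing and RPZ recommendations above, as one added example (this is not Infoblox code): a small Python script that emits a BIND Response Policy Zone overriding the killswitch names with an internal sinkhole address, and that parses resolver query logs to list which internal hosts looked those names up. The domain names, the sinkhole address 10.0.0.53 and the log lines are assumptions constructed for the example; substitute the killswitch domains published for the campaign. The sinkhole host must run a web server that accepts any HTTP GET, because the malware stands down only when the connection succeeds, not when the name merely resolves.</p>

```python
"""Killswitch sinkhole via DNS RPZ plus infected-host report (added example, not Infoblox code).

Assumptions not taken from the article: the killswitch names below are placeholders
for the real ones; 10.0.0.53 is an internal host running a web server that answers
any HTTP GET (resolution alone does not stop the malware); query logs use BIND's
"queries" category format. The log lines are constructed for the example.
"""
import re
from collections import defaultdict

KILLSWITCH_DOMAINS = ["killswitch-1.example", "killswitch-2.example"]  # placeholders
SINKHOLE_IP = "10.0.0.53"  # assumed internal sinkhole that accepts HTTP


def rpz_zone(domains, sinkhole_ip, zone="rpz.local"):
    """Return a BIND Response Policy Zone file body.

    Each owner name is a QNAME trigger; an A record is the RPZ "Local Data"
    action, so the resolver answers the killswitch names with the sinkhole
    address instead of blocking them. Load the zone with
    `response-policy { zone "rpz.local"; };` in named.conf.
    """
    lines = [
        "$TTL 60",
        f"@ IN SOA {zone}. hostmaster.{zone}. 1 3600 900 604800 60",
        "  IN NS localhost.",
    ]
    for d in domains:
        d = d.lower().rstrip(".")
        lines.append(f"{d} IN A {sinkhole_ip}")
        lines.append(f"*.{d} IN A {sinkhole_ip}")  # cover subdomains too
    return "\n".join(lines) + "\n"


# BIND query log line, with or without the "@0x..." client handle newer versions print
QUERY_LOG_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+ "
    r"\([^)]*\): query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def infected_hosts(log_lines, domains):
    """Map each client IP that queried a killswitch name (or a subdomain of one)
    to {qname: count}. A hit means the host executed the malware, even if the
    sinkhole then stopped it from encrypting."""
    watch = [d.lower().rstrip(".") for d in domains]
    hits = defaultdict(lambda: defaultdict(int))
    for line in log_lines:
        m = QUERY_LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").lower().rstrip(".")
        if any(qname == d or qname.endswith("." + d) for d in watch):
            hits[m.group("ip")][qname] += 1
    return {ip: dict(names) for ip, names in hits.items()}


# Constructed sample log (not captured from a real resolver)
SAMPLE_LOG = """\
12-May-2017 16:12:01.001 queries: info: client 10.20.1.15#49182 (killswitch-1.example): query: killswitch-1.example IN A + (10.0.0.1)
12-May-2017 16:12:01.120 queries: info: client 10.20.1.15#49183 (killswitch-1.example): query: killswitch-1.example IN A + (10.0.0.1)
12-May-2017 16:12:07.440 queries: info: client @0x7f3a1c0 10.20.3.77#51002 (killswitch-2.example): query: killswitch-2.example IN A + (10.0.0.1)
12-May-2017 16:12:09.900 queries: info: client 10.20.1.40#51010 (www.example.org): query: www.example.org IN A + (10.0.0.1)
"""


if __name__ == "__main__":
    print(rpz_zone(KILLSWITCH_DOMAINS, SINKHOLE_IP))
    for ip, names in infected_hosts(SAMPLE_LOG.splitlines(), KILLSWITCH_DOMAINS).items():
        print(f"INFECTED {ip}: {names}")
```

<p>The RPZ override serves the same purpose as the public sinkhole but keeps the kill-switch check working even when outbound web access is restricted, and every rewritten answer is a query-log entry that names an infected host. Hosts reported by the second function should still be isolated and cleaned: the sinkhole only prevents encryption on that machine, it does not stop the worm from scanning for other vulnerable SMB targets.</p>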
<p>The post <a href="https://integratormedia.com/2017/05/22/best-practises-key-combating-ransomeware-attacks/">Best practises key to combating ransomeware attacks</a> appeared first on <a href="https://integratormedia.com">The Integrator</a>.</p>
]]></content:encoded>
					
		
		
			</item>
	</channel>
</rss>
