Fighting the Ransomware Pandemic

May 13, 2017
Vectra AI Security Research team
Fighting the Ransomware Pandemic

What just happened?

A ransomware attack is spreading very rapidly among unpatched Windows systems worldwide. This morning, the attack was initially believed to target the UK National Health Service, but throughout the day, it has become apparent this is a global attack.

Kaspersky labs reported on Friday afternoon that at least 45,000 hosts in 74 countries were infected. Avast put the tally at 57,000 infections in 99 countries. All this, during just 10 hours. Of those infected hosts, Russia, Ukraine and Taiwan were the top targets.

One report identified a bitcoin wallet is being used by the ransomware to collect incoming transactions of between 0.15 and 0.3 BTC, worth around $250-$500 today. This means people are paying to unlock files encrypted as part of the attack. The amount is an interesting value as it is low enough to entice a person to pay in hopes of restoring their data, enabling the attacker to make a substantial windfall due to the large number of infected computers. It is an economy-of-scale ransomware attack.

How is such a massive attack possible?

Shadow Brokers dumped a powerful set of tools on the world, enabling anyone able to download a file to do a lot of hacking. The contents of the Shadow Brokers’ treasure trove included compiled binaries for exploits that targeted vulnerabilities in a long line of Windows operating systems, including Windows 8 and Windows 2012. These are claimed to be hacking tools once used by the NSA.

One of the Windows vulnerabilities in the cache is dubbed EternalBlue. It exploits a remote code-execution bug in Windows 7 and 2008 using the server message block (SMB) and NetBT protocols. The vulnerability exploited allows remote code execution if an attacker sends specially crafted messages to a Microsoft Server Message Block 1.0 (SMBv1) server. Looking at the ransomware code shows indicators it is using this EternalBlue exploit EternalBlue.

How is it getting in?

It could use a phishing attack, watering hole attack, or it could be an already infected machine that is part of a botnet that has been purchased by the attacker to spread the ransomware inside the organization. It just needs to infect one person’s computer in a network via a phishing attack and then using the exploit it's based on, propagate out via the network to other Windows computers.

So, a user wouldn’t always be able to protect themselves just by being careful about not opening a phishing email from an unknown source or opening a suspect document.

This is spreading very fast and very wide

Given the speed and scale of the attacks, it seems likely that it enters via one machine and spreads laterally on the inside using some form of scan/exploit playback. Ransomware like this does not require external command and control signaling, and so traditional perimeter defenses are useless because they look for a ransomware call-back to detect and prevent the spread of a ransomware attack.

Getting a single infected host inside a thousand networks is not hard for an unpatched vulnerability. This is the arms race between the attacker exploiting the Windows vulnerabilities dumped by Shadow Brokers and the organizations who still need to implement the patch issued by Microsoft.

Fight back

Unsupported software is an ongoing problem that highlights the limitations of software updates and patching as a primary line of defense. Microsoft provided a patch for this vulnerability that is available, but it doesn’t mean it was implemented on every Windows computer. The first step of any defense is an active patching strategy around known exploitable vulnerabilities. This would have closed the door on the Windows vulnerabilities exposed by the Shadow Brokers dump.

In the event where the vulnerability is unknown or there hasn’t been sufficient time to patch, organizations need a method for rapid detection and response. This should include monitoring internal traffic for attacker behaviors like reconnaissance, lateral movement and file encryption rather than attempting to detect specific ransomware variants in network flows or executables.

To prevent future attacks, we need to move to a model of detecting behavior rather than detecting the specific tool or malware. Behavior detection is much more effective, but requires in-depth analysis of network traffic. But with advances in AI augmenting security teams, we’re seeing the industry shift to identifying attacker behavior in real time.

For more information about countering ransomware, get this report.