We are seeing another outbreak of ransomware that appears to be a combination of previous other ransomware campaigns. As is always the case, criminal gangs learn from each other.
Petya was successful in 2016 using email attack campaigns and a ransomware-as-a-service business model. Wannacry introduced new worm propagation techniques proving highly successful in hitting thousands of systems in a short time span last month.
This latest ransomware attack appears to be a variant of Petya, called Goldeneye, which combines capabilities of both Petya and WannaCry, specifically the worm-like spreading by exploiting a Windows operating system vulnerability.
Vectra Threat Labs analyzed this latest ransomware to understand its inner workings. They learned that the way it infects computers is a combination of previously seen attacks, and the behaviors it performs are business as usual.
Because Goldeneye's worm-like spreading behaves similarly to WannaCry, Conficker and other forms of malware that Vectra has detected, our customers were already enabled to detect and respond to the attack in real time. This is a direct benefit of detecting the early signs of ransomware behaviors, such asreconnaissance and lateral movement inside the network,rather than specific exploits or malware.
The information below describes the Vectra detections related to Goldeneye and explains how enterprise can respond quickly to stop it from spreading.
Does Vectra detect the new variant of ransomware?
Yes. Vectra detects Goldeneye ransomware in your network. It is important to remember that before ransomware can encrypt files, it needs to locate file shares on the network. This requires performing internal reconnaissance and lateral movement.
Vectra detects reconnaissance behaviors and triages all detections associated with infected hosts. Host infected with ransomware represent a critical risk and these detections receive the highest threat and certainty scores to prioritize those hosts for immediate incident response.
The best part is, Vectra customers had this detection capability well before Goldeneye struck.
The Vectra Threat Labs and data science teams determined that infected hosts are likely to exhibit the following behaviors:
How can I improve the response to Goldeneye and its variants?
To speed-up and prioritize investigations, we recommend configuring email alerts specific to the Vectra detections related to Goldeneye and its variants.
Vectra found that giving high priority to activity on Port 445 provided early indicators of the Goldeneye attack:
By scoring all attacker behavior detections for threat level and certainty, you can quickly prioritize hosts for incident response by selecting the thresholds for email alerts.
It is important to note that since GoldenEye only encrypts the master boot record of the local machine, a Ransomware File Activity detection is not expected.
How do I respond to a detected Goldeneye attack?
Vectra puts all the information at a security analyst’s fingertips to make an informed decision. If Vectra detects one or more Goldeneye attacker behaviors on a host, you can automatically trigger one of several actions, depending on the threat level and your internal policy.
Option 1: Quarantine or remove the infected host from the network. Goldeneye has viral or wormlike spreading tendencies, so isolating a host from the network is the quickest way to stop its spread.
Option 2: Quarantine all hosts listed as destination IP addresses in an automated replication detection if they were contacted by a host suspected of being infected by Goldeneye.
Option 3: Re-image infected hosts and restore files from an offline backup to avoid reinfection. In the case of a ransomware file activity detection, restore encrypted files on the file shares from an offline backup.
What happens next?
Patch your systems. Microsoft has issued patches for MS17-010, even for unsupported versions like Windows XP. Many other patches have been issued by software vendors for vulnerabilities released by Shadow Brokers. Organizations who implemented patches were spared from GoldenEye.
We mentioned in our previous coverage, we anticipate that many more ransomware attacks will occur. They will have different names and use different exploits. What won’t change is the nature of the attacks and their associated behavior.
While we don’t know when the next big attack will occur, you need to be ready for it. Ongoing advances in AI have allowed technology to augment the efforts of cybersecurity teams. And there must be a seismic shift in the cybersecurity industry to identify attacker behaviors fast and early.
Christopher Morales is Head of Security Analytics at Vectra, where he advises and designs incident response and threat management programs with nearly two decades of information security experience in an array of cybersecurity consulting, sales, and research roles.