Exploring the crypt: Analysis of the WannaCrypt ransomware SMB exploit propagation

On May 12, there was a major outbreak of WannaCrypt ransomware. WannaCrypt directly borrowed exploit code from the ETERNALBLUE exploit and the DoublePulsar backdoor module leaked in April by a group calling itself Shadow Brokers. Using ETERNALBLUE, WannaCrypt propagated as a worm on older platforms, particularly Windows 7 and Windows Server 2008 systems that haven’t…

0

Windows 10 platform resilience against the Petya ransomware attack

The Petya ransomware attack on June 27, 2017 (which we analyzed in-depth in this blog) may have been perceived as an outbreak worse than last month’s WannaCrypt (also known as WannaCry) attack. After all, it uses the same SMB exploit used by WannaCrypt and adds a second exploit and other lateral movement methods. However, our…

3

Windows 10 Creators Update provides next-gen ransomware protection

Multiple high-profile incidents have demonstrated that ransomware can have catastrophic effects on all of us. From personally losing access to your own digital property, to being impacted because critical infrastructure or health care services are unexpectedly unavailable for extended periods of time, destructive attacks have grown in severity and scale on all platforms – including…


WannaCrypt ransomware worm targets out-of-date systems

On May 12, 2017 we detected a new ransomware that spreads like a worm by leveraging vulnerabilities that have been previously fixed. While security updates are automatically applied in most computers, some users and enterprises may delay deployment of patches. Unfortunately, the ransomware, known as WannaCrypt, appears to have affected computers that have not applied…

110

World Backup Day is as good as any to back up your data

In today’s security landscape, there are more threats to data than ever before. Beyond corruption caused by hardware or human failure, malware and cyberattacks can put data in serious danger.  That’s why it’s imperative for enterprises, small-and-medium businesses, and individuals to back up data. It must be implemented systematically, not just on World Backup Day…

2

Ransomware operators are hiding malware deeper in installer packages

We are seeing a wave of new NSIS installers used in ransomware campaigns. These new installers pack significant updates, indicating a collective move by attackers to once again dodge AV detection by changing the way they package malicious code. These changes are observed in installers that drop ransomware like Cerber, Locky, and others. Cybercriminals have…

2

Ransomware: A declining nuisance or an evolving menace?

The volume of ransomware encounters is on a downward trend. Are we seeing the beginning of the end of this vicious threat? Unfortunately, a look at the attack vectors, the number of unique families released into the wild, and the improvements in malware code reveals otherwise. Ransomware was arguably the biggest security story of 2016….

2

Improved scripts in .lnk files now deliver Kovter in addition to Locky

Cybercriminals are using a combination of improved script and well-maintained download sites to attempt installing Locky and Kovter on more computers. A few months ago, we reported an email campaign distributing .lnk files with a malicious script that delivered Locky ransomware. Opening the malicious .lnk files executed a PowerShell script that performed a download routine. More…

2

Averting ransomware epidemics in corporate networks with Windows Defender ATP

Microsoft security researchers continue to observe ransomware campaigns blanketing the market and indiscriminately hitting potential targets. Unsurprisingly, these campaigns also continue to use email and the web as primary delivery mechanisms. Also, it appears that most corporate victims are simply caught by the wide nets cast by ransomware operators. Unlike cyberespionage groups, ransomware operators do…

3