In the morning of May 12th, a global outbreak of a large-scale extortion software incident made headlines, impacting a total of 99 countries, and at least 75,000 Windows computer systems. It affected Education, Medical and other critical institutions, and is continuing to spread rapidly.
Background
The ransomware is a new type called “WanaCrypt0r 2.0” and it is currently impossible to decrypt files infected by this type of ransomware. It is reported that these viruses leaked out of the US National Security Agency (NSA) hacker arsenal over the last month. These tools can break into roughly 70% of the windows system, globally via remote access.
According to the cybersecurity agency, this attack is caused by the illegal use of “Eternal Blue” leaked from the NSA hacker arsenal. “Eternal Blue” will scan 445 file sharing ports from Windows endpoints, without the need of user intervention. And if there is internet access, criminals can implant malicious programs, such as ransomware, remote control Trojans, virtual currency mining machine, into the computer and server.
Attack Process
The WanaCrypt0r ransomware attack process consists of primarily three steps: the spread of the virus, virus infection, and extortion:
- The virus spreads using “Eternal Blue” for the initial exploitation of the SMB vulnerability.
- Upon execution, “WanaCrypt0r 2.0” encrypts critical local files and network shared folders.
- Once encryption is complete, the ransomware pops up a window on the user system, demanding ransom in return for recovering the encrypted files.
Hillstone Solution
Multilayered Ransomware Detection and Prevention via Hillstone solution:
Stage: Detection and exploit
- Policy control—— prohibit SMB traffic from the external network to the internal network, and block the 135/137/139/445 port access from the firewall; prohibit forwarding SMB service traffic between different zones within the internal network, thus prohibiting WanaCrypt0rpt0r malicious traffic to infect different areas of the network.
- Intrusion prevention system (IPS)——Updating the Hillstone Intrusion Prevention System (IPS) signature to 2.1.187, user can enable the MS17-010 signature, along with 1905385, 1905387, 1905388, 1905389, 1905390 rules. The user can detect and defend against vulnerability leveraging the MS17-010 signature.
Stage: Virus infection
- Anti-Virus (AV) —— The Hillstone Virus signature library has been fully updated with the signature for WanaCrypt0r in May 12. and the enabled Anti-Virus (AV) feature can detect and intercept WanaCrypt0r.
- Sandbox ——The Hillstone sandbox can detect WanaCrypt0r and its variants
Stage: Ransomware Execution
If the WanaCrypt0r ransomware enters the network by breaking through the intrusion prevention and anti-virus detection, or through BYOD, bypassing network protection set in place, the Hillstone detection technology will become the last line of defense against the execution stage.
Domain Generation Algorithms (DGA) detection technology from Hillstone solution can detect a suspicious domain access from WanaCrypt0r and flag it as a domain related threat event. Upon notification of this event, enterprise security admins should be aware that some internal hosts have been infected by WanaCrypt0r, and immediate policy enforcement needs to be employed to stop further spreading of this virus.
In this case, it detects the WanaCrypt0r ransomware attack by querying a “www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com” DGA domain.
(from ETOpen)
For more information, please read our white paper.