New Variant of Dharma Ransomware spotted in the wild.

The SonicWall Threats Research team observed reports of a new variant family of Dharma Ransomware [GAV: Dharma.RSM and Dharma.RSM_2] actively spreading in the wild.

Dharma encrypts the victim's files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Infection Cycle:

The Malware adds the following files to the system:

  • Malware.exe

    • %SystemRoot%\Malware.exe

    • %Userprofile%\Start Menu\Programs\Startup\Info.hta

The Trojan adds the following file to the Windows Startup folder to ensure persistence upon reboot:

  • %Userprofile%\Start Menu\Programs\Startup\Malware.exe

The Trojan adds the following keys to the Windows registry startup:

Once the computer is compromised, the malware copies its own executable to the %SystemRoot% folder, deletes the original executable and renames all of the victim's personal files to the .wallet extension.

After the malware has encrypted all personal documents and files, it shows the following webpage:

It demands that victims pay using Bitcoin in order to receive the decryption key that allows them to recover their files.

We have been monitoring varying hits over the past few days for the signature that blocks this threat:

SonicWALL Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Dharma.RSM (Trojan)

  • GAV: Dharma.RSM_2 (Trojan)

Whycry Ransomware Spotted in the Wild

The SonicWall Threats Research team observed reports of a new variant family of Whycry Ransomware [GAV: Whycry.RSM] actively spreading in the wild.

Whycry encrypts the victim's files with a strong encryption algorithm and holds them until the victim pays a fee to get them back.

Infection Cycle:

Once the computer is compromised, a fake Windows Update screen is shown to trick the victim into leaving the PC running:

After the malware has encrypted all personal documents and files, it shows the following webpage:

The malware states that your files are encrypted and that you must pay $300 US dollars in Bitcoin to potentially unlock your files. It also threatens that you will lose your files if you turn off your computer, but that threat is empty.

During our research we discovered the malware uses a master key for its own decryption:

SonicWall Gateway AntiVirus provides protection against this threat via the following signatures:

  • GAV: Whycry.RSM (Trojan)

Ransomware: Are You Protected From the Next Outbreak?

Will you be ransomware’s next victim? Can ransomware encrypt your data and hold it hostage until you pay a ransom?

Organizations large and small across industries and around the globe are at risk of a ransomware attack. The media mostly reports attacks at large institutions, such as the Hollywood Hospital that suffered over a week offline in 2016 after a ransomware attack encrypted files and demanded ransom to decrypt the data. However, small businesses are affected also. In fact, Kaspersky research reported that small and medium-size businesses were hit the hardest, 42 percent of them falling victim to a ransomware attack over a 12-month period. Of those, one in three paid the ransom, but one in five never got their files back, despite paying. Whether you are part of a large organization or a small business, you are at risk.

The recent WannaCry ransomware attack was the largest ransomware campaign ever. In the course of a weekend, WannaCry spread to over 250,000 computers in 150 countries, crippling operations at hospitals, telecom providers, utility companies, and other businesses around the globe.

Once primarily an issue for Windows desktops, ransomware attacks have now occurred across many device types and operating systems, including KeRanger, a ransomware variant that emerged in 2016 that targeted Apple OS X. This variant was hidden in a compromised version of the Transmission BitTorrent client and affected about 6,500 computers within a day and a half.

These attacks often start with an internet file download or email attachment that seems innocuous but actually is hiding malware that encrypts files. End user productivity grinds to a halt and your help desk lights up. Worse, your business can suffer both financially and also from damage to your reputation.

Can your security solutions protect you from this threat? Maybe. Legacy security technologies are often signature based: great for detecting “known” malware, but ineffective against “unknown” or zero-day attacks. To better detect unknown threats, security professionals are adding an additional layer of security and deploying advanced threat detection technologies, such as network sandboxes, specifically SonicWall Capture ATP, that analyze the behavior of suspicious files and uncover hidden malware. To learn more about what it takes to keep malicious code out of your network, read our whitepaper: Why Network Sandboxing is Required to Stop Ransomware.

Microsoft Security Bulletin Coverage for July 2017

SonicWall has analyzed and addressed Microsoft’s security advisories for the month of June, 2017. A list of the issues reported, along with SonicWall coverage information, is as follows:

Microsoft Coverage

  • CVE-2017-0173 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0193 Hypervisor Code Integrity Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0215 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0216 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0218 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0219 Device Guard Code Integrity Policy Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0260 Microsoft Office Remote Code Execution
    There are no known exploits in the wild.
  • CVE-2017-0282 Windows Uniscribe Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0283 Windows Uniscribe Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0284 Windows Uniscribe Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0285 Windows Uniscribe Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0286 Windows Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0287 Windows Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0288 Windows Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0289 Windows Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0291 Windows PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0292 Windows PDF Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0294 Windows Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0295 Windows Default Folder Tampering Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0296 Windows TDX Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0297 Windows Kernel Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0298 Windows COM Session Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0299 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-0300 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8460 Windows PDF Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8461 Windows SMB Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8462 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8464 LNK Remote Code Execution Vulnerability
    SPY:1493 Malformed-File lnk.MP.2
  • CVE-2017-8465 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8466 Windows Cursor Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8468 Win32k Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8469 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8470 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8471 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8472 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8473 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8474 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8475 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8476 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8477 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8478 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8479 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8480 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8481 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8482 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8483 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8484 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8485 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8487 Windows olecnv32.dll Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8488 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8489 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8490 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8491 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8492 Windows Kernel Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8493 Windows Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8494 Windows Elevation of Privilege Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8496 Microsoft Edge Memory Corruption Vulnerability
    IPS:12846 Microsoft Edge Memory Corruption Vulnerability (JUN 17) 1
  • CVE-2017-8497 Microsoft Edge Memory Corruption Vulnerability
    IPS:12845 Microsoft Browser Memory Corruption Vulnerability (JUN 17) 1
  • CVE-2017-8498 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8499 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8504 Microsoft Edge Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8506 Microsoft Office Remote Code Execution
    There are no known exploits in the wild.
  • CVE-2017-8507 Microsoft Office Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8508 Microsoft Office Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8509 Microsoft Office Remote Code Execution Vulnerability
    SPY:1489 Malformed-File doc.MP.44
  • CVE-2017-8510 Microsoft Office Remote Code Execution Vulnerability
    SPY:1492 Malformed-File rtf.MP.19
  • CVE-2017-8511 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8512 Microsoft Office Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8513 Microsoft PowerPoint Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8514 Microsoft SharePoint Reflective XSS Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8515 Windows VAD Cloning Denial of Service Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8517 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8519 Internet Explorer Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8520 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8521 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8522 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8523 Microsoft Edge Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8524 Scripting Engine Memory Corruption Vulnerability
    IPS:12843 Scripting Engine Memory Corruption Vulnerability (JUN 17) 1
  • CVE-2017-8527 Windows Graphics Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8528 Windows Uniscribe Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8529 Microsoft Browser Information Disclosure Vulnerability
    IPS:12844 Microsoft Browser Information Disclosure Vulnerability (JUN 17) 1
  • CVE-2017-8530 Microsoft Edge Security Feature Bypass Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8531 Windows Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8532 Windows Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8533 Windows Graphics Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8534 Windows Uniscribe Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8543 Windows Search Remote Code Execution Vulnerability
    IPS:12847 Windows Search Remote Code Execution Vulnerability (JUN 17) 1
    IPS:12848 Windows Search Remote Code Execution Vulnerability (JUN 17) 2
  • CVE-2017-8544 Windows Search Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8545 Microsoft Outlook for Mac Spoofing Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8547 Internet Explorer Memory Corruption Vulnerability
    SPY:6315 HTTP Client Shellcode Exploit 86
  • CVE-2017-8548 Scripting Engine Memory Corruption Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8549 Scripting Engine Remote Code Execution Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8550 Skype for Business Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8551 SharePoint XSS vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8553 GDI Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8554 Win32k Information Disclosure Vulnerability
    There are no known exploits in the wild.
  • CVE-2017-8555 Microsoft Edge Security Feature Bypass
    There are no known exploits in the wild.

Adobe Coverage

APSB17-17 Security updates for Adobe Flash Player:

  • CVE-2017-3075 Adobe Flash Player Use After Free Vulnerability
    Spy:1494 Malformed-File swf.MP.562
  • CVE-2017-3081 Adobe Flash Player Use After Free Vulnerability
    Spy:1499 Malformed-File swf.MP.565
    Spy:1500 Malformed-File swf.MP.566
  • CVE-2017-3083 Adobe Flash Player Use After Free Vulnerability
    Spy:1502 Malformed-File swf.MP.568
  • CVE-2017-3084 Adobe Flash Player Use After Free Vulnerability
    Spy:1503 Malformed-File swf.MP.569
  • CVE-2017-3076 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1495 Malformed-File swf.MP.563
  • CVE-2017-3077 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1496 Malformed-File png.MP.3
  • CVE-2017-3078 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1497 Malformed-File atf.MP.1
  • CVE-2017-3079 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1498 Malformed-File swf.MP.564
  • CVE-2017-3082 Adobe Flash Player Memory Corruption Vulnerability
    Spy:1501 Malformed-File swf.MP.567

PDF spam attachment delivers Jaff Ransomware with $3400 ransom

This week, the SonicWall Threat Research Team observed a new wave of an email spam campaign carrying a malicious PDF attachment that installs Jaff ransomware. The PDF carries an attached Word macro file held as a stream object, so when the PDF is opened, the embedded attachment is opened as well.
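A static triage check for the delivery pattern described above (a PDF that declares an embedded file and an action that fires on open), added here as an example and not code from the SonicWall write-up. The PDF name tokens are standard PDF syntax; the two sample documents are constructed fragments, not real malware, and names hidden inside compressed object streams would not be visible to this raw-byte scan.

```python
import re

# PDF name tokens that, taken together, describe a document carrying an
# attachment plus an action that runs when the document is opened.
ATTACHMENT_NAMES = (b"/EmbeddedFile", b"/EmbeddedFiles", b"/FileAttachment", b"/Filespec")
AUTO_ACTION_NAMES = (b"/OpenAction", b"/AA", b"/JavaScript", b"/JS", b"/Launch")

# File names declared in /F or /UF entries of a file specification dictionary.
FILESPEC_RE = re.compile(rb"/(?:F|UF)\s*\(([^)]*)\)")

# Macro-capable Office types are the concern for this campaign (assumed list).
OFFICE_MACRO_EXT = (".docm", ".doc", ".dotm", ".xlsm", ".rtf")


def inspect_pdf(data: bytes) -> dict:
    """Scan raw PDF bytes for attachment and auto-action markers and collect the
    declared embedded file names. Limitation: objects packed into compressed
    object streams are not visible to plain byte matching."""
    attach = [n.decode() for n in ATTACHMENT_NAMES if n in data]
    # \b keeps /JS from matching the start of an unrelated longer name.
    action = [n.decode() for n in AUTO_ACTION_NAMES
              if re.search(re.escape(n) + rb"\b", data)]
    names = list(dict.fromkeys(                      # dedupe, keep order
        m.group(1).decode("latin-1") for m in FILESPEC_RE.finditer(data)))
    office = [n for n in names if n.lower().endswith(OFFICE_MACRO_EXT)]
    return {
        "attachment_markers": attach,
        "auto_action_markers": action,
        "embedded_names": names,
        "office_attachments": office,
        # All three together: an Office file is embedded and something runs on open.
        "suspicious": bool(attach and action and office),
    }


# Constructed sample: catalog with an EmbeddedFiles name tree, a Word macro
# file specification and a JavaScript OpenAction (script body is a placeholder).
SAMPLE_SUSPICIOUS = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /Names << /EmbeddedFiles 4 0 R >>
   /OpenAction << /S /JavaScript /JS (placeholder script) >> >> endobj
4 0 obj << /Names [(doc) 5 0 R] >> endobj
5 0 obj << /Type /Filespec /F (Nm.docm) /UF (Nm.docm) /EF << /F 6 0 R >> >> endobj
6 0 obj << /Type /EmbeddedFile /Length 4 >> stream
PK..
endstream endobj
%%EOF"""

# Constructed sample: a plain one-page document with a text object only.
SAMPLE_BENIGN = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /Contents 4 0 R >> endobj
4 0 obj << /Length 44 >> stream
BT /F1 12 Tf 72 712 Td (Quarterly receipt) Tj ET
endstream endobj
%%EOF"""


if __name__ == "__main__":
    for label, doc in (("suspicious", SAMPLE_SUSPICIOUS), ("benign", SAMPLE_BENIGN)):
        print(label, inspect_pdf(doc))
```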

Infection Cycle:

The malicious file comes as an attachment to an email purporting to be an important document such as a receipt.

It may use the following filenames:

  • document_****.pdf
  • scan_***.pdf
  • receipt_****.pdf
  • file_***.pdf
  • copy_***.pdf

Once the PDF document is opened, it also tries to open the embedded macro file:

Upon successful execution, it makes the following GET request:

It then starts encrypting the files in the victim’s machine. It appends “.jaff” file extension to all encrypted files.

It also changes the desktop wallpaper and drops the files ReadMe.html, ReadMe.txt and ReadMe.bmp to every directory that contains an encrypted file.

Following the ReadMe file to a page on the onion network for further instructions reveals that Jaff ransomware is asking for 2 bitcoins, or an equivalent of roughly 3,400 USD at the current exchange rate. This amount is significantly higher than what most ransomware programs we have seen ask for.

The graph below shows an increase in hits for the signature we created to detect this ransomware in the past 24 hours:

Because of the prevalence of these types of malware attacks, we urge our users to back up their files regularly.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: JaffPDF.RSM* (Trojan)

  • (*This signature was previously named Downloader.PDF_2 and later renamed to JaffPDF.RSM)

SQL Injection Vulnerability in Joomla! (CVE-2017-8917)

Joomla! is a content management system (CMS) that enables you to build web sites and powerful online applications. Joomla! is an open source solution that is freely available to everyone.

An SQL injection vulnerability exists in Joomla!. In an SQL injection attack, part of an SQL query is passed to the application via the input data from the client, and that query is then passed on to the backend database, so the malicious data shapes the database query results. The vulnerability lies in the getListQuery method of /administrator/components/com_fields/models/fields.php: the $query->order value is not sanitized but simply concatenated into the SQL query.

A remote, unauthenticated attacker could exploit this vulnerability by sending a crafted HTTP request carrying an SQL statement, as shown in the image below.
Successful exploitation could result in disclosure of sensitive information.

The SonicWALL Threat Research Team has researched this vulnerability and released the following signature to protect customers.

  • IPS 12823: Joomla! com_fields SQL Injection
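The ORDER BY clause is the one place where ordinary parameter binding does not help (a bound value becomes a string constant, not a column reference), which is why the unsanitized concatenation described above needs an allowlist rather than a prepared statement. The following is an added example in Python with sqlite3, not Joomla's code; the table, column names and rows are constructed.

```python
import sqlite3

# Allowlist of sort columns a caller may request: public name -> real column.
ALLOWED_ORDER_COLUMNS = {"id": "a.id", "title": "a.title", "created": "a.created"}
ALLOWED_DIRECTIONS = {"asc": "ASC", "desc": "DESC"}

BASE_QUERY = "SELECT a.id, a.title FROM fields a"


def build_unsafe_query(order_col: str, order_dir: str) -> str:
    """Mirrors the vulnerable pattern: request text concatenated into ORDER BY."""
    return f"{BASE_QUERY} ORDER BY {order_col} {order_dir}"


def build_safe_query(order_col: str, order_dir: str) -> str:
    """Hardened variant: only allowlisted tokens are ever spliced into the SQL."""
    try:
        col = ALLOWED_ORDER_COLUMNS[order_col]
        direction = ALLOWED_DIRECTIONS[order_dir.lower()]
    except KeyError:
        raise ValueError(f"rejected ORDER BY input: {order_col!r} {order_dir!r}") from None
    return f"{BASE_QUERY} ORDER BY {col} {direction}"


def make_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for the com_fields table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE fields (id INTEGER PRIMARY KEY, title TEXT, created TEXT)")
    conn.executemany(
        "INSERT INTO fields (title, created) VALUES (?, ?)",
        [("zeta", "2017-05-01"), ("alpha", "2017-05-03"), ("mid", "2017-05-02")],
    )
    return conn


def titles(conn: sqlite3.Connection, sql: str) -> list:
    return [row[1] for row in conn.execute(sql).fetchall()]


def unsafe_reaches_parser(conn: sqlite3.Connection, user_input: str) -> bool:
    """True when caller-controlled text was handed to the SQL parser: the unsafe
    builder only fails inside the database, after the input is already in the query."""
    try:
        conn.execute(build_unsafe_query(user_input, "ASC"))
    except sqlite3.OperationalError:
        return True
    return False


def safe_rejects(user_input: str) -> bool:
    """True when the allowlist stops the same input before any SQL is built."""
    try:
        build_safe_query(user_input, "ASC")
    except ValueError:
        return True
    return False


def bound_parameter_titles(conn: sqlite3.Connection) -> list:
    """Why binding is not the fix here: a bound value is a string constant, so
    ORDER BY ? compares every row against the same constant and sorts nothing."""
    rows = conn.execute(f"{BASE_QUERY} ORDER BY ?", ("a.title",)).fetchall()
    return [row[1] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(titles(db, build_safe_query("title", "asc")))
    print(unsafe_reaches_parser(db, "no_such_column"), safe_rejects("no_such_column"))
    print(bound_parameter_titles(db))
```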

Resurrection ransomware plays audio from a horror movie

The SonicWALL Threat Research team receives reports of ransomware daily, and new strains seem to pop up every week. This week we analyzed a sample called Resurrection Ransomware. Like others we have seen in the past, it exhibits predictable behavior; this time, however, its ransom note plays eerie music in the background reminiscent of a horror film.

Infection Cycle:

The malicious file pretends to be a PDF file and uses the following icon:

Upon successful execution, it then proceeds to encrypt files in the victim’s machine. It appends “[random 6 characters].resurrection” file extension to all encrypted files as seen in the screenshot below:

It drops the file README.html to every directory with an encrypted file. It then opens a browser to display the html file, which is its ransom note. It asks the victim to pay 1.77 Bitcoin and to confirm payment by sending an email to resurrection777 at protonmail dot com:

The html file plays eerie music in the background. Upon careful inspection of the file we found the source of the music embedded in the html file.

We found that it plays Charlie Clouser’s music which is the theme song of a horror movie called Dead Silence.

SonicWALL Gateway AntiVirus provides protection against this threat with the following signature:

  • GAV: Hiddentear.RSM_2 (Trojan)
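The three write-ups above (Dharma, Jaff and Resurrection) each leave file-system traces: a renamed extension per family and, for two of them, ransom notes dropped into every affected directory. The following is an added example, not SonicWall's code, of a host-side sweep that turns those indicators into alerts; the six "random characters" of the Resurrection extension are assumed alphanumeric, the outbreak threshold is a chosen value, and the directory tree is constructed in a temporary folder.

```python
import re
import tempfile
from pathlib import Path

# Extensions from the write-ups. Resurrection's six random characters are
# assumed alphanumeric here.
ENCRYPTED_NAME_PATTERNS = {
    "Dharma": re.compile(r"\.wallet$", re.IGNORECASE),
    "Jaff": re.compile(r"\.jaff$", re.IGNORECASE),
    "Resurrection": re.compile(r"\.[A-Za-z0-9]{6}\.resurrection$", re.IGNORECASE),
}
# Ransom note names dropped beside encrypted files (compared case-insensitively).
RANSOM_NOTE_NAMES = {
    "Jaff": {"readme.html", "readme.txt", "readme.bmp"},
    "Resurrection": {"readme.html"},
}
# Renamed files in one directory before a family with no note is reported.
# Chosen for this example; tune to the environment.
OUTBREAK_THRESHOLD = 3


def _entry(findings, directory, family):
    return findings.setdefault(directory, {}).setdefault(
        family, {"encrypted": 0, "notes": []})


def scan_tree(root):
    """Walk root; return {directory: {family: {"encrypted": n, "notes": [...]}}}."""
    findings = {}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        directory = str(path.parent)
        for family, pattern in ENCRYPTED_NAME_PATTERNS.items():
            if pattern.search(path.name):
                _entry(findings, directory, family)["encrypted"] += 1
        for family, names in RANSOM_NOTE_NAMES.items():
            if path.name.lower() in names:
                _entry(findings, directory, family)["notes"].append(path.name)
    return findings


def triage(findings):
    """Turn findings into (family, directory, reason) alerts. A note alone is not
    evidence (README files are common); a note beside renamed files is, and so is
    a pile of renamed files with no note, as with Dharma's .wallet extension."""
    alerts = []
    for directory, families in findings.items():
        for family, info in families.items():
            if info["notes"] and info["encrypted"] > 0:
                alerts.append((family, directory, "note+encrypted"))
            elif info["encrypted"] >= OUTBREAK_THRESHOLD:
                alerts.append((family, directory, "mass-rename"))
    return sorted(alerts, key=lambda a: (a[1], a[0]))


def build_sample_tree(root):
    """Constructed sample tree: one directory per family plus a clean one."""
    root = Path(root)
    jaff = root / "Documents"
    jaff.mkdir()
    for name in ("budget.xlsx.jaff", "notes.docx.jaff", "ReadMe.html", "ReadMe.txt", "ReadMe.bmp"):
        (jaff / name).write_bytes(b"x")
    resurrection = root / "Pictures"
    resurrection.mkdir()
    (resurrection / "holiday.jpg.a1B2c3.resurrection").write_bytes(b"x")
    (resurrection / "README.html").write_bytes(b"x")
    dharma = root / "Shared"
    dharma.mkdir()
    for i in range(4):
        (dharma / f"report{i}.pdf.wallet").write_bytes(b"x")
    clean = root / "Music"
    clean.mkdir()
    (clean / "song.mp3").write_bytes(b"x")
    (clean / "readme.txt").write_bytes(b"x")   # a lone readme must not alert


def demo():
    """Run the sweep over the constructed tree; report directory basenames only."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(family, Path(d).name, why) for family, d, why in triage(scan_tree(tmp))]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```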

Innovate More, Fear Less with SonicWall’s Automated Breach Prevention at Gartner Security & Risk Management Summit 2017

The Gartner Security & Risk Management Summit 2017 runs June 12-14 in the Gaylord National Convention Center, National Harbor, Maryland, promising the insight you need to guide your organization to a secure digital business future. As the world’s leading research and advisory company, Gartner helps business leaders across all major functions in every industry and enterprise size with the objective insights they need to make the right decisions. SonicWall is proud to be among the premier security, risk management and business continuity management leaders brought together for this major event.

To stay competitive today, organizations need to embrace the benefits of new technology, while managing its risks. Yet as recent headline-grabbing attacks such as WannaCry demonstrate, the global cyber arms race is continually evolving.

SonicWall is committed to enabling you to stay ahead of cybercriminals with cutting-edge security solutions that leverage continual threat updates from our global SonicWall Capture Threat Network. As a result, SonicWall customers were protected from WannaCry weeks before its first public attack. And with our comprehensive, multi-layered security approach, SonicWall is ready to help you secure your organization from the next emerging threat.

Join us at booth 503 to learn about the latest trends in cybercrime, as well as the advances SonicWall and the cybersecurity industry have made to counter them (as outlined in our 2017 Annual Threat Report). Take this opportunity to attend our expert presentations and demonstrations on how to prevent breaches, uncover encrypted threats, stop phishing and ransomware attacks, identify compromised IoT devices and stop threats targeting weak spots in your network.

  • Prevent zero-day and advanced threats. Watch a demo of our award-winning multi-engine sandbox, SonicWall Capture ATP, as it scans network traffic in the cloud to prevent threats from entering your network. See how you can block unknown files until Capture reaches a verdict, which is rendered by our Capture Threat Network in near real-time.
  • The majority of web traffic is now encrypted, as well as the malware that it carries. Learn how our Encrypted Threats solutions inspect SSL/TLS traffic to uncover hidden malicious behavior, block C&C communications and stop data exfiltration.
  • Because email is a primary vector for many attacks, you will also want to learn about our revolutionary next-gen Email Security solution to protect email files, stop phishing and block ransomware. Learn how you can block spoofed email and attacks with our hosted service for SMB or via our on premise enterprise email security solutions.

Don’t just detect breaches after they’ve already been in the headlines. We are holding a boardroom session titled: Automated Breach Prevention with Multi-Engine Sandboxing and Encrypted Traffic Visibility. Attendees will learn how to protect users from ransomware and how to deal with the increase of encrypted traffic. SonicWall Capture Labs built a multi-engine cloud sandbox to power the world’s first automated breach prevention platform. It was specifically designed to block the latest ransomware – whether it comes in via clear text traffic or through an SSL/TLS connection.

Let SonicWall help you prevent attacks in real time. Please join us at our “SonicWall Pub” hospitality suite on June 13 5:30-8:30 National Harbor 8 and see how SonicWall can help your organization innovate more, and fear less. Tune in via Twitter #GartnerSEC and follow @SonicWall. If you want a head start, you can play with our security solutions online by visiting our Live Demo site.

Securing Email in the Age of Ransomware and Phishing Attacks

Email security has become a big concern for organizations, thanks to phishing campaigns that deliver ransomware. Recently, there has been no shortage of notable cyber attacks. The Google Docs attack, the Docusign phishing attack, the Gannett phishing attack, and Jaff ransomware and its variants were all delivered through phishing emails. Most recently, the WannaCry ransomware attack was spread through an SMB vulnerability.

According to a survey by the SANS Institute, spear-phishing and whaling attacks are increasing dramatically. Spear phishing was identified as the second most significant type of attack (ransomware takes the honors for the top spot). In spear phishing attacks, cyber criminals carry out extensive social engineering to gather personal information and craft messages that appear to come from trusted sources to gain the victim’s confidence.

It is becoming increasingly difficult to accurately detect all bad emails, especially those containing attachments, without slowing down email to such an extent that it impacts employee productivity. In many cases, critical business communications need to be delivered promptly, without any delay or being lost in junk or spam folders. In addition, traditional signature-based technologies are proving to be ineffective in stopping phishing emails that contain malicious payloads such as zero-day/unknown malware and ransomware.

In today’s landscape, an effective email security solution should:

  • Align with and complement your network security solutions
  • Integrate with network sandboxing to scan all your SMTP traffic and email attachments
  • Provide granular administrative control over settings and must be able to set policies such as “Tag a subject line” or “Strip email attachment” in cases where communication is of the utmost importance
  • Feature anti-spoofing authentication mechanisms such as DKIM, SPF and DMARC, to protect against impostor emails
  • Offer encryption and data leakage prevention (DLP) capabilities for outbound protection

Email is the top attack vector, and most cyber attacks typically start with a phishing or spear phishing attack. Almost every organization has deployed some sort of email security solution. However, the threat landscape is constantly evolving and today’s advanced threats are designed to bypass traditional security techniques. Now is the right time to evaluate the currently deployed solution and analyze gaps in your security posture. To reduce risk exposure, email security must use a multi-layered approach. Read our solution brief to learn about the critical capabilities of next-generation email security here.

Did WannaCry Perpetrators Ever Get Their Ransom?

Cyber criminals prefer to receive ransom in the cyber currency Bitcoin because it is supposedly anonymous. The truth is: sort of. Let’s take a closer look at how Bitcoins work, and how the WannaCry perpetrators, possibly the Lazarus Group, want to be paid.

Bitcoins are different from fiat currencies because, with Bitcoins, no actual coins or bills exist, not even digital ones. With a fiat currency like the dollar, money is represented by actual coins and bills that can be physically stored. Depending on how you pay, your transaction is not recorded or, more often, either recorded anonymously or via an account number, such as a credit card number.

In any case, the amount of money you hold, either as physical cash in your hand or as a balance recorded in your bank account, is decreased. With Bitcoins, you only have the transaction. Transactions are always public and can be viewed by anyone. That is right: public, anyone. Anybody can see that money was paid from your account to that of WannaCry. What is different from fiat currencies, though, is that the actual ownership of an account is not necessarily known to anyone. It can be completely anonymous. This is a bit similar to a Swiss numbered account.

Let’s summarize: the ownership of an account in Bitcoin may or may not be known to anyone, or may be generally public. The transaction, however, is always public. Bitcoin tracks transactions in so-called blocks that are linked in a blockchain. In order to find out how much money somebody has, a “wallet” application has to browse through the entire blockchain and select any transaction that involves the owner’s account number(s).

Different from fiat currencies, though, with Bitcoin account numbers are free and one can have an endless number of them. If somebody wants to be completely anonymous, they would use a new account number for every single transaction. Wallet or account software makes it easy to keep track of them.

WannaCry made use of only three hard-coded account numbers:

Why didn’t WannaCry use a new account number for every instance of WannaCrypt0r installed? The answer might be: in order to get the money from a Bitcoin account, one has to first generate the account number/private key pair AND be in possession of the private key. Without the private key, they could not get their money. If the private key were generated within WannaCrypt0r, it would need to be communicated reliably to a place where the hostage takers have real-time access to it, and that would give the perpetrators away. If the keys were generated somewhere in the cloud, the communication of private keys might be disguised in layers of a Darknet labyrinth, but that traffic would be easy to sniff and the key servers easy to take offline, shutting the operation down. Also, using hundreds or thousands of account numbers would not necessarily make it significantly more difficult for security experts to track payments.

The bigger question is how the perpetrators can associate a payment with a specific instance of WannaCry. With a uniquely generated account number that might be easy, but there does not appear to be any way to link the two, other than manually via the Contact Us button in WannaCrypt0r. In fact, the function of the Check Payment button appears dubious at best. It is supposed to fetch the private key, but there is no public record of anybody ever having received it. The question is whether it actually works.

How would the perpetrators get the money after people paid the ransom? Good question. Since transactions are public, we would know the account numbers to which the money is being transferred. In order to exchange the BTC into a fiat currency, the perpetrators would need to go to an exchange, and exchanges are more and more government regulated. While a small-scale thug might slip through, the likelihood that a group of Lazarus’ size would stay anonymous is small. The WannaCry perpetrators could also exchange their account numbers for different ones in so-called mixer services, as well as in account or wallet services. Again, a small-time thief might stay anonymous, but not when the NSA and every other state actor is after you.

In short, it is very possible that the WannaCry perpetrators never get their money. However, at the same time it is very possible that you never get the key to recover your files either. Even worse, your organization will be on the public record for having paid the extortionists, which is not good publicity.

For so many reasons it is never a good idea to pay ransom, but specifically in the case of WannaCry it is practically pointless.
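To make the two points above concrete (a wallet has to read the whole chain to learn a balance, and anyone can read who paid a hard-coded ransom address), here is an added example in Python, not from the original article and not real WannaCry data: a minimal unspent-output model of a blockchain with a constructed two-block chain in which two victims pay the same shared address.

```python
from dataclasses import dataclass

# Amounts are in satoshi (1 BTC = 100_000_000) to avoid float rounding.
BTC = 100_000_000


@dataclass(frozen=True)
class TxOut:
    address: str      # the "account number" the amount is paid to
    amount: int


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: tuple     # (txid, index) references to earlier outputs being spent
    outputs: tuple    # TxOut values created by this transaction


@dataclass(frozen=True)
class Block:
    height: int
    txs: tuple


def index_outputs(chain):
    """Every output ever created, keyed by (txid, index). A wallet must read the
    whole chain to build this; no shorter record says what an address holds."""
    return {(tx.txid, i): out
            for block in chain for tx in block.txs for i, out in enumerate(tx.outputs)}


def unspent_outputs(chain):
    """Outputs not yet referenced as an input by any transaction."""
    spent = {ref for block in chain for tx in block.txs for ref in tx.inputs}
    return {ref: out for ref, out in index_outputs(chain).items() if ref not in spent}


def balance(chain, owned_addresses):
    """Balance of a wallet that controls the given set of account numbers."""
    return sum(out.amount for out in unspent_outputs(chain).values()
               if out.address in owned_addresses)


def payments_to(chain, address):
    """The public view of who paid `address`: (paying address, amount) for each
    transaction with an output to it, read off the outputs that transaction spent."""
    all_outputs = index_outputs(chain)
    result = []
    for block in chain:
        for tx in block.txs:
            for out in tx.outputs:
                if out.address == address:
                    for ref in tx.inputs:
                        result.append((all_outputs[ref].address, out.amount))
    return result


# Constructed chain: two victims receive funds in block 1, then each pays
# 0.3 BTC to the same hard-coded ransom address in block 2, sending change
# back to a fresh address of their own.
RANSOM = "ransom-addr-hardcoded"
CHAIN = (
    Block(1, (
        Tx("coinbase1", (), (TxOut("victim-A", 1 * BTC),)),
        Tx("coinbase2", (), (TxOut("victim-B", 1 * BTC),)),
    )),
    Block(2, (
        Tx("payA", (("coinbase1", 0),),
           (TxOut(RANSOM, 30_000_000), TxOut("victim-A-change", 70_000_000))),
        Tx("payB", (("coinbase2", 0),),
           (TxOut(RANSOM, 30_000_000), TxOut("victim-B-change", 70_000_000))),
    )),
)


if __name__ == "__main__":
    print("ransom balance:", balance(CHAIN, {RANSOM}))
    print("victim A wallet:", balance(CHAIN, {"victim-A", "victim-A-change"}))
    # Both payments look identical at the shared address: nothing in the chain
    # itself ties a payment to a particular infected machine.
    print("who paid the ransom address:", payments_to(CHAIN, RANSOM))
```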