Posts

How SonicWall Signature “Families” Block Emerging Ransomware Variants

When you look at the most damaging network security invasions over the last year, you see a recurring pattern: leaked government cyber tools being repurposed by cybercriminals. The compromised NSA toolset leaked by Shadow Brokers was devastating in many respects. These were highly targeted tools that many nation states wish they had the operational capacity to deploy.

But the tools developed by the NSA fell into criminal hands, who used them not for state-backed cyber espionage, but for capital gain. They repurposed these tools into WannaCry, Petya and, most recently, BadRabbit, as a means to install ransomware, encrypt information and keep it hostage until a targeted victim pays to release it, typically via Bitcoin.

Alas, sometimes victims pay and the data is still not released.  Sometimes, other actors see an organization has been held hostage and sends their own ransom demands, even though they are not affiliated with the original ransomware creators. The victim organization pays for this misdirection but still cannot unlock their files. They are out of the money and damages are incurred. “There is no honor among thieves,” as they say.

WannaCry, Petya and BadRabbit form a “family” of ransomware variants developed from the same leaked NSA tools. It is when there are these multiple attacks using the same family of exploits that SonicWall can give you breathing room and help you sleep at night.

To explain, first let me discuss how signatures work in our next-generation firewalls (NGFWs). Individual signatures exactly match bit patterns from IP-based frame payloads to detect a specific variant of malware. Our award-winning Capture ATP technology, a multi-engine network sandbox,  not only stops unknown and zero-day threats from entering networks, but also helps create new signatures for detecting emerging malware.

Few vendors look at both incoming and outgoing packets for malware, as it can be a large performance hit to do both. Most vendors are only concerned with traffic going from the internet to the trusted zones and only inspect this pattern. Yet SonicWall inspects every single packet in each direction.

Why? Well, if you own a network and somehow a device is compromised, the only way you will find out is by seeing what it sends out. Is it talking to a command-and-control server (C&C)? Is it sending malware out, as infected machines do? Without scanning every packet, you do not have visibility of your internal network. While it is important to block incoming malware, it’s also important to determine what machines may have been infected and are trying to send data outside your organization.

This brings us back to our “family” of signatures. Have you ever wondered why SonicWall uses a different naming convention than other well-known malware strands?  It’s because we find them first, and give them their own names. Other vendors do this too, but we are vastly different. I am proud to say that SonicWall is extremely competent in creating a family of signatures to cover many individual signatures with one pass. SonicWall uses a fast memory-tree lookup as packets pass through the NGFW with our family of signatures, so only one lookup is needed. This is an extremely fast method of traffic processing.

Sometimes in sales, we have to quote statistics in answer to questions, such as “How many signatures do you store on the firewall?” And we dutifully respond, “Over 32,000 locally, with more in the cloud.” But this only tells part of the story. With our family of signatures, one family will catch 100 or more variation of one signature.

Going back to WannaCry, SonicWall created a family that caught WannaCry right after it was announced to the public. Since the NSA leak variants caused Petya and BadRabbit derivatives, the family signature in your SonicWall firewall blocked all these new attack vectors.

Even though these new variants were targeted delivery to networks, SonicWall blocked all these different bit patterns as part of our WannaCry signature family.  The signature updates were performed in the background – as you enjoyed the holidays with your friends and family.

Bad Rabbit Ransomware: The Latest Attack

What Is Bad Rabbit Ransomware?

On Tuesday, Oct. 24, a new strand of ransomware named Bad Rabbit appeared in Russia and the Ukraine and spread throughout the day. It first was found after attacking Russian media outlets and large organizations in the Ukraine, and has found its way into Western Europe and the United States. The initial installer masquerades as a Flash update but is believed to be an updated version of NotPetya, since the infection chain and component usage is identical.  Interestingly, this malware contains a list of hardcoded Windows credentials, most likely to brute force entry into devices on the network.  According to SonicWall Capture Labs Threat researchers, Bad Rabbit spreads using the SMB protocol within Windows. We should think of it as a bug fix maintenance release of NotPetya (within EternalBlue method of propagation removed). The purpose of using the SMB protocol is to spread laterally across an organization. 

Are SonicWall Customers Protected from Bad Rabbit?

Yes. SonicWall Capture Labs released signatures to protect against Bad Rabbit malware, which are available for anyone with an active Gateway Security subscription (GAV/IPS).  In addition, SonicWall Capture Advanced Threat Protection (ATP) sandboxing service is designed to provide real-time protection against new strains of malware, even before signatures are available on the firewall. SonicWall Capture ATP customers will be protected against new forms and copycat versions of this malware. Multiple variations of this ransomware strain have been processed in Capture ATP, with a 100 percent success rate of catching it.

How Can I Stop Ransomware Like Bad Rabbit?

SonicWall customers should immediately ensure they have the Capture Advanced Threat Protection sandbox service turned on with their next-generation firewalls, and have the Block Until Verdict feature activated.  For Bad Rabbit, there is no need to manually update the signatures on SonicWall firewalls, as they are automatically propagated to the worldwide installed base upon deployment.

General recommendations for everybody, regardless of their security vendor, include:

  • Apply all patches to operating systems
  • Protect endpoints with an up-to-date anti-virus solution
  • Promote good password hygiene policies
  • Ensure firewall and end point firmware is current
  • Implement a network sandbox to discover and mitigate new threats
  • Deploy a next-generation firewall with a gateway security subscription to stop known threats

I will update this post as analysis of Bad Rabbit ransomware develops.  For more information, read the SonicAlert posting from SonicWall Capture Labs Threat Research Team. To learn more about ransomware defense, please read our Solution Brief: Eight Ways to Protect Your Network Against Ransomware.