Celebrating 2023 With Expanded “3 & Free”

In December, we announced our limited-time “3 & Free” promotion on SonicWall TZ370 and TZ470 firewalls. While promotions that include a free firewall have always been popular, the response to our TZ promotion has been tremendous.

As a result, we’ve decided to celebrate the arrival of the new year by dramatically expanding the scope of our offer: Our 3 & Free pricing now applies to almost every TZ Series firewall that SonicWall carries.

3 & Free: What’s New for 2023

While we’ve added new models to the promotion, qualifying for an upgrade to the latest TZ Series firewall is as simple as ever. Through March 31, current SonicWall customers or those looking to swap out a competitor’s appliance can purchase three years of SonicWall’s Advanced Protection Service Suite (APSS), and they’ll receive a TZ appliance absolutely free. 

Protect your brand, customers and data while stopping advanced cyberattacks, filtering dangerous content and enjoying 24x7 support

The APSS suite offers all the tools you need to protect against today’s sophisticated malware, ransomware, encrypted threats, viruses, spyware, zero-day exploits and more. The comprehensive package includes:

  • Capture Advanced Threat Protection with RTDMI™
  • Gateway Anti-Virus
  • Anti-Spyware
  • Intrusion Prevention
  • Application Firewall Service
  • Content Filtering Services
  • Comprehensive Anti-Spam
  • NSM Essential with Management and 7-Day Reporting and 24×7 Firmware Support

In addition, you’ll get all the benefits of our latest operating system, SonicOS 7. Built from the ground up to be simpler, more capable and more flexible than any OS before it, SonicOS 7 features advanced security, simplified policy management, and critical networking and management capabilities — all designed to meet the needs of distributed enterprises with next-gen SD-Branches and small- to medium-sized businesses.

“3 & Free”: More than just TZ

Our TZ Series promo is just one of three 3 & Free promotions we’re running to ring in the new year: We also have great deals on NSa Series NGFWs and SonicWave Access Points.

NSa Series “3 & Free”

Despite its remarkable versatility, the entry-level TZ Series isn’t a fit for every use case: Some larger and more complex deployments call for a more robust appliance. That’s why we’re also offering a 3 & Free promotion on two of our most popular NSa Series firewalls.

Through Jan. 31, 2023, when you purchase an NSa 2700 or NSa 3700 High Availability appliance and three years of Advanced Protection Service Suite, you’ll also get the primary NSa 2700 or NSa 3700 NGFW and a stateful HA Upgrade Service License free.

This promotion is for every SonicWall upgrade that qualifies, regardless of whether you’re a current SonicWall customer or you’re making the switch from a competing product.

More on the NSa Series 3 & Free promotion and what sets the NSa Series apart from its competitors.

SonicWave Access Points “3 & Free”

If you’re all set for firewalls, but your wireless connectivity could use an upgrade, we also have a promo for you.

SonicWall’s 600 Series SonicWave Wireless Access Points leverage 802.11ax — the most advanced technology available — to deliver superior performance in complex, multi-device environments. These access points offer enterprises ‘always on, always secure’ access point operations, all while simplifying the user experience.

Best of all, while supplies last, when you buy three SonicWave 621, SonicWave 641 or SonicWave 681 access points, you’ll get the fourth absolutely free. This offer applies to access points purchased individually as well as four-packs and eight-packs, allowing you to multiply your savings.

10 Reasons to Upgrade to the Latest SonicWall Gen 7 TZ Firewall

People often struggle to say goodbye to their things. We grow attached and comfortable with the stuff we use on a regular basis. For instance, I have an old couch that I seldom use, but am nonetheless unable to part with. This comfort zone can be dangerous, as it makes you hold on to things you may no longer need.

We similarly get used to our old network devices. But unlike keeping an old couch, not updating your security gear on time can compromise your entire network. There’s no time like right now to evaluate your needs and adapt. Eliminate things that aren’t needed so that your network is simplified, and update those devices that are critical to the operation.

A good firewall is a cornerstone of a secure network. It’ll stop advanced cyberattacks, as well as keep up with the speed, performance and productivity needs demanded by today’s workplace. Here are the top 10 reasons you should consider updating your legacy firewall to one of the latest 7th generation SonicWall TZ Series firewalls (TZ270, TZ370, TZ470, TZ570 and TZ670 Series):

1. Multi-gigabit support in desktop form factor with high port density
Organizations require increased throughput to support bandwidth-intensive applications — and as such, need multi-gigabit ports. Additionally, having a greater number of ports allows organizations to connect more devices directly to the firewall.

Why Upgrade: Gen 7 TZ series next-generation firewalls are the first desktop form factor to bring multi-gigabit (2.5/5/10G) interfaces or fiber (SFP+, SFP) interfaces, while the legacy or Gen 6 firewalls support only gigabit interfaces. Gen 7 TZs also support a minimum of 8 ports, while Gen 6 supports only 5.


2. Superior hardware upgrades with expandable storage and redundant power supply
Gen 7 TZs come with expandable storage that enables various features, including logging, reporting, caching, firmware backup and more. A secondary power supply is available for redundancy in case of failure, ensuring business continuity.

Why Upgrade: Gen 7 TZ series models come with an expandable storage slot on the bottom of the device that provides the ability to expand up to 256GB, while Gen 6 does not. TZ670 comes preloaded with 32GB expandable storage, and TZ570/670 series firewalls support two AC power supplies for redundancy. The optional redundant power supply is available for purchase with TZ570/670 Series, while all other Gen 6 and Gen 7 firewalls support one power supply.


3. Groundbreaking firewall inspection, DPI performance and IPSec VPN performance
Network bandwidth requirements from apps, HD video streaming, social media and more continue to increase. And keeping up requires faster firewall inspection, DPI and IPSec VPN performance, which provide a secure network without performance degradation. Having faster firewall performance provides organizations with a greater capacity to utilize higher internet speeds and support more concurrent and remote users.

Why Upgrade: Gen 7 TZs offer up to 3 times firewall, DPI and IPSec VPN performance over Gen 6 firewalls.


4. Scale higher with increased connection count (per second, SPI, DPI, DPI-SSL)
Having a higher number of concurrent connections provides greater scalability by enabling more simultaneous user sessions to be active and tracked by the firewall.

Why Upgrade: Gen 7 TZs offer up to 15 times as many maximum connections as Gen 6 firewalls.


5. Deploy at scale
With easy onboarding and single-pane-of-glass management, organizations can reduce complexity, scale quickly, and get business running without additional IT personnel.

Why Upgrade: Gen 7 is simplified by Zero-Touch Deployment, with the ability to simultaneously roll out these devices across multiple locations with minimal IT support.


6. Increased VPN connectivity
For organizations with remote and branch locations, such as retail POS businesses, the ability to create a larger number of site-to-site VPN tunnels is essential. It enables organizations to connect distributed networks together and securely share data.

Why Upgrade: Gen 7 offers up to eight times more site-to-site VPN tunnels than Gen 6 firewalls.


7. High VLAN interfaces
VLANs support the logical grouping of network devices, reduce broadcast traffic and allow more control when implementing security policies. This provides logical separation of devices on the same network. High VLAN interfaces allow better segmentation and performance for organizations.

Why Upgrade: Gen 7 TZ series offers up to five times more VLAN interfaces than Gen 6 TZ series.


8. 802.11ac Wave 2 technology with higher max number of access points
802.11ac Wave 2 technology enhances the Wi-Fi user experience by supporting MU-MIMO technology. An integrated Wi-Fi option enables organizations to extend their wireless network farther without purchasing additional hardware. Alternatively, the high number of APs supported by the firewall provides better scalability of the Wi-Fi network.

Why Upgrade: Gen 7 TZs (with the exception of TZ670) offer integrated 802.11ac Wave 2 support, while Gen 6 supports only 802.11ac Wave 1 or 802.11n technologies. Gen 7 TZs support up to four times as many access points as Gen 6 series.


9. Brand-new SonicOS 7.0 support
The feature-rich SonicOS 7.0 operating system features modern UI/UX, topology view, enhanced policy, advanced security and networking and management capabilities, along with TLS 1.3 and default support for BGP routing without the need for an additional license.

Why Upgrade: SonicOS 7.0 support is available on Gen 7 Series, but not available on Gen 6 Series. Gen 7 includes BGP support as default with every firewall purchase, as well as Stateful HA support.


10. 5G USB Modem Support
The USB 3.0 port in the Gen 7 TZs could be used to plug in a 5G dongle for 5G connectivity. They’re backward compatible with 4G/LTE/3G technologies with the use of corresponding dongles.

Why Upgrade: 5G technology support is available on Gen 7 TZ series, but not Gen 6 TZ series.

 

About SonicWall TZ Next-Generation Firewalls

Get high-speed threat prevention in a flexible, integrated security solution with the SonicWall TZ Series. Designed for small networks and distributed enterprises with remote and branch locations, SonicWall TZ next-generation firewalls offer various models that can be tuned to meet your specific needs.

Ready to upgrade to the newest SonicWall TZ firewall? Take advantage of the SonicWall Customer Loyalty Program to save money when you replace your existing SonicWall firewall or other eligible security appliance.

Botnets Targeting Obsolete Software

Overview: This is not a disclosure of a new vulnerability in SonicWall software. Customers with the current SonicWall Global Management System (GMS) 8.2 and above have nothing to worry about. The reported vulnerability relates to an old version of GMS (8.1), which was replaced in December 2016. Customers with GMS 8.1 and earlier releases should patch, per SonicWall guidance, as they are running out-of-support software. Best practice is to deploy a SonicWall next-generation firewall (NGFW) or a web application firewall (WAF) in front of GMS and other web servers to protect against such attacks. Look for global third-party validation on protection effectiveness, such as the 2018 NSS Labs NGFW Group Test. After rigorous testing, SonicWall firewalls earned the NSS Labs coveted ‘Recommended’ rating five times.


On Sept. 9, Palo Alto Networks Unit 42 published a blog post highlighting a developing trend of botnets picking up publicly known CVE exploits and weaponizing them against enterprise infrastructure. This marks a change in the botnet authors’ tactics from targeting consumer-grade routers and IP cameras to searching for higher-profile enterprise targets to harness additional endpoints for DDoS attacks.

The first botnet, Mirai, targeted the Apache Struts vulnerability from early 2017, which affects web servers around the world. On March 6, 2017, SonicWall provided protection against the Apache Struts vulnerability with the Intrusion Prevention Service (IPS) on the NGFW line, rolling out protection to all firewalls with licensed IPS service.

The second botnet highlighted in the Palo Alto Networks post, Gafgyt, picked up the Metasploit code for an XML-RPC vulnerability for an obsolete version of SonicWall GMS (8.1) central management software, which was replaced by GMS 8.2 in December 2016.

The bottom line: the reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

Implementing Cybersecurity Best Practices

Current SonicWall GMS users are not at risk. However, there are broader lessons here for the industry and business owners:

  • Take End-of-Life and End-of-Support announcements seriously and update proactively. They become a compliance and security risk for critical systems and compromise an enterprise’s compliance and governance posture.
  • Security best practices dictate that you never expose a web server directly to the internet without a NGFW or WAF deployed in front.
  • A security layer between the internet and critical enterprise infrastructure, like web servers or centralized firewall management, provides the ability to virtually patch zero-day vulnerabilities and exploits while working out a sensible patching strategy. For example, a SonicWall NGFW with Intrusion Prevention or a SonicWall WAF can easily handle this task.

Using Third-Party Validation

The blog post does, however, underscore the rapidly-evolving nature of today’s threat landscape, evidenced by the mixing of malware and exploits to create new malware cocktails, and the need to use the latest and most effective security solutions to protect against them.

When selecting a product to protect your critical infrastructure, go beyond listening to vendor claims and look at globally recognized independent testing, such as the NSS Labs NGFW report, to validate security efficacy. Items that you should consider when selecting a security product for the modern threat landscape:

  1. NSS Labs specifically tests for protection on non-standard ports (not just 80/443, for example) because malware often uses non-standard ports to bypass traffic inspection. Products that lack inspection on non-standard ports are blind to many malware attacks, and are easily fooled into missing dangerous traffic and allowing malware and exploits to sail right through.

2018 NSS Labs NGFW Group Test Report — Evasion Resistance

2018 NSS Labs Next Generation Firewall Security Value Map™ (SVM)

  2. Evaluate your NGFW on security efficacy, and how it deals with malware cocktails, such as the recently exposed Intel-based, processor-level vulnerabilities like Spectre, Meltdown and Foreshadow.
  • SonicWall patented and patent-pending Real-Time Deep Memory Inspection (RTDMI™) technology is proven to catch chip/processor attacks through its unique approach to real-time memory inspection.
  • SonicWall RTDMI protection can also be applied to mitigate malicious PDFs, Microsoft Office documents and executables. The focus on PDF and Office document protection is especially important. Attacks are shifting into this delivery mechanism as browsers clamped down on Flash and Java content, drying up a fertile area of exploit and malware delivery. For example, RTDMI discovered more than 12,300 never-before-seen attack variants in the first half of 2018 alone.
  • The SonicWall Capture Client endpoint suite plugs into the RTDMI engine to offer the same protection for users that are outside a protected network.

 

The Bottom Line

The reported botnet attack is misguided and presents no threat to SonicWall GMS in production since December 2016.

New NIST Cybersecurity Policy Provides Guidance, Opportunities for SMBs

Small- and medium-sized businesses (SMBs) are often one of the segments most targeted by cybercriminals. Now, SMBs are backed by legislation signed by U.S. President Trump and unanimously supported by Congress.

On Aug. 14, President Trump signed into law the new NIST Small Business Cybersecurity Act. The new policy “requires the Commerce Department’s National Institute of Standards and Technology (NIST) to develop and disseminate resources for small businesses to help reduce their cybersecurity risks.”

The legislation was proposed by U.S. Senators Brian Schatz (D-Hawai‘i) and James Risch (R-Idaho). This new policy is a follow-on effort to the Cybersecurity Enhancement Act of 2014, which was the catalyst for the NIST Cybersecurity Framework.

“As businesses rely more and more on the internet to run efficiently and reach more customers, they will continue to be vulnerable to cyberattacks. But while big businesses have the resources to protect themselves, small businesses do not, and that’s exactly what makes them an easy target for hackers,” said Senator Schatz, lead Democrat on the Commerce Subcommittee on Communications, Technology, Innovation, and the Internet, in an official statement. “With this bill set to become law, small businesses will now have the tools to firm up their cybersecurity infrastructure and fight online attacks.”

Per the NIST Small Business Cybersecurity Act (S. 770), within the next year the acting director of NIST, collaborating with the leaders of appropriate federal agencies, must provide cybersecurity “guidelines, tools, best practices, standards, and methodologies” to SMBs that are:

  • Technology-neutral
  • Based on international standards to the extent possible
  • Able to vary with the nature and size of the implementing small business and the sensitivity of the data collected or stored on the information systems
  • Consistent with the national cybersecurity awareness and education program under the Cybersecurity Enhancement Act of 2014
  • Deployed in practical applications and proven via real-world use cases

The law follows the structure presented by U.S. Rep. Dan Webster (R-Florida) and passed by the House of Representatives. He originally presented the bill to the U.S. House Science, Space, and Technology Committee in March 2017.

SonicWall President and CEO Bill Conner also was instrumental in helping form the groundwork for U.S. cybersecurity laws. In 2009, Conner worked with U.S. Senator Jay Rockefeller (D-West Virginia) and other security-conscious leaders on the Cybersecurity Act of 2010 (S.773). And while the proposal was not enacted by Congress in March 2010, it served as a critical framework to today’s modern policies. Rockefeller was eventually the sponsor of the aforementioned Cybersecurity Enhancement Act of 2014 (S.1353), which became law in December 2014.

SMBs Highly Targeted by Cybercriminals, Threat Actors

According to a recent SMB study by ESG, 46 percent of SMB decision-makers said security incidents resulted in lost productivity in their small- or medium-sized business. Some 37 percent were affected by disruption of a business process or processes.

“Criminals target SMBs to extort money or steal valuable data, while nation states use small businesses as a beachhead for attacking connected partners,” wrote ESG senior principal analyst Jon Oltsik for CSO.

In fact, in July 2018 alone, the average SonicWall customer faced escalated volumes of ransomware attacks, encrypted threats and new malware variants.

  • 2,164 malware attacks (28 percent increase from July 2017)
  • 81 ransomware attacks (43 percent increase)
  • 143 encrypted threats
  • 13 phishing attacks each day
  • 1,413 new malware variants discovered by Capture Advanced Threat Protection (ATP) service with RTDMI each day

Leverage NIST Policy, Frameworks

While SMBs await guidance from the new NIST Small Business Cybersecurity Act, they can draw on the NIST Cybersecurity Framework, which helps organizations of all sizes apply best practices to better safeguard their networks, data and applications from cyberattacks.

At a high level, the framework is broken down into three components — Implementation Tiers, Framework Core and Profiles — that each include additional subcategories and objectives. Use these key NIST resources to familiarize your organization with the framework:

Applying Cybersecurity Designed for SMBs

The NIST framework provides a solid foundation to improve an SMB’s security posture. But the technology behind it is critically important to achieving a safe outcome. SonicWall, for instance, is the No. 2 cybersecurity vendor in the SMB space, according to Gartner’s Market Share: Unified Threat Management (SMB Multifunction Firewalls), Worldwide, 2017 report.

With more than 26 years of defending SMBs from cyberattacks, SonicWall has polished and refined cost-effective, end-to-end cybersecurity solutions. These solutions are tailored specifically for small- and medium-sized businesses and can be further customized to meet the needs of specific security or business objectives. A sound, end-to-end SMB cybersecurity should include:

For example, the SonicWall TZ series of NGFWs is the perfect balance of performance, value and security efficacy for SMBs, and delivers access to the SonicWall Capture ATP sandbox services and Real-Time Deep Memory Inspection™. This integrated combo protects your organization from zero-day attacks, malicious PDFs and Microsoft Office files, and even chip-based Spectre, Foreshadow and Meltdown exploits.

For organizations that want to take it a step further, the SonicWall NSa series of firewall appliances were given a ‘Recommended’ rating by NSS Labs in a 2018 group test. SonicWall topped offerings from Barracuda Networks, Check Point, Cisco, Forcepoint, Palo Alto Networks, Sophos and WatchGuard in both security efficacy and total cost of ownership.

Contact SonicWall to build or enhance your cybersecurity posture for true end-to-end protection from today’s most malicious cyberattacks, online threats and even the latest Foreshadow exploits.

SonicWall solutions are available to SMBs through our vast channel of local security solution providers, many of which are SMBs themselves. In fact, many SonicWall SecureFirst Partners even provide security-as-a-service (SECaaS) offerings to ensure it’s easy and cost-effective for SMBs to protect their business from advanced cyberattacks.

 

Upgrade Your Firewall for Free

Are you a SonicWall customer who needs to stop the latest attacks? Take advantage of our ‘3 & Free’ program to get the latest in SonicWall next-generation firewall technology — for free. To upgrade, contact your dedicated SecureFirst Partner or begin your upgrade process via the button below.

IoT & Mobile Threats: What Does 2017 Tell Us About 2018?

“SPARTANS! Ready your breakfast and eat hearty. For tonight, WE DINE IN HELL!!”

Remember this passionate line by King Leonidas from the movie “300”? We are at the brink of another war — the modern cyber arms race. You need to gear up and be prepared for the thousands of malicious “arrows” that shoot down on you.

This cyber arms race is aimed against governments, businesses and individuals alike, and it’s comprised of different types and forms of cyber attacks. These attacks grow more sophisticated each year, with over 12,500 new Common Vulnerabilities and Exposures (CVE) reported in 2017 — 78 percent of which were related to network attacks.

It’s critical that we learn from past experiences — successes and failures. So, what can 2017 teach us to be better prepared in 2018? Let’s first look at the hard data.

According to the 2018 SonicWall Cyber Threat Report, SonicWall Capture Labs detected 184 million ransomware attacks and a 101.2 percent increase in new ransomware variants from more than 1 million sensors across more than 200 countries. The increase in new variations signifies a shift in attack strategies.

In addition, SonicWall Capture Labs logged 9.32 billion malware attacks. Network attacks using encryption tactics are also on the rise. Without the ability to inspect such traffic, an average organization would have missed over 900 file-based attacks per year hidden by SSL/TLS encryption.

IoT attacks loom

Internet of Things (IoT) threats and memory attacks are also impending challenges that we face across wired and wireless solutions. According to Gartner, by 2020, IoT technology will be in 95 percent of electronics for new product designs.

Recently, Spiceworks performed a survey that found IoT devices to be the most vulnerable to Wi-Fi attacks. This makes IoT and chip processors the emerging battlegrounds. IoT was also a big target as “smart” (pun intended) hardware is not updated regularly and is often physically located in unknown or hard-to-reach places, leading to memory attacks and vulnerabilities.

IoT ransomware attacks alone are on the rise, and they take control of a device’s functionality. While many IoT devices may not hold any valuable data, there is a risk for owners or individuals to be held at ransom for personal data. Gartner also predicts that, through 2022, half of all security budgets for IoT will go to fault remediation, recalls and safety failures rather than protection.

There are many smart devices and IoT devices in the market that connect over Wi-Fi, such as cameras, personal and TVs. Imagine an attack on your personal privacy and a hacker gaining control over your device. Distributed Denial of Service (DDoS) attacks still remain a major threat to these devices. Each compromised device can send up to 30 million packets per second to the target, creating an IoT powered botnet.

In fact, at one point in 2017, SonicWall Capture Labs was recording more than 62,000 IoT Reaper hits each day. Considering there could be an estimated 6 billion mobile devices in circulation by 2020, it wouldn’t be totally surprising if the next wave of ransomware targets mobile devices.

How to secure wired, wireless and mobile networks

It is critical to secure your network, both from a wireless and wired perspective. Total end-to-end security is the key to prevent such attacks from happening in the first place. To survive this cyber war, you can follow certain best practices to ensure your protection:

  • Layer security across your wired, wireless, mobile and cloud network
  • Deploy next-gen firewalls that can provide real-time intrusion detection and mitigation
  • Patch your firewalls and endpoint devices to the latest firmware
  • Secure your IoT devices to prevent device tampering and unauthorized access
  • Educate your employees on the best practices
  • Change default login and passwords across your devices

SonicWall solutions include next-generation firewalls, 802.11ac Wave 2 access points, secure mobile access appliances and the Capture Advanced Threat Protection (ATP) cloud sandbox service, all of which combine to provide an effective zero-day threat protection ecosystem.

To protect customers against the increasing dangers of zero-day threats, SonicWall’s cloud-based Capture ATP service detects and blocks advanced threats at the gateway until a verdict is returned. In addition, Capture ATP also monitors memory-based exploits via Real-Time Deep Memory Inspection™ (RTDMI). With innovative SonicWall solutions, rest assured your IoT and mobile devices are protected for the cyberwar.

Download the 2018 SonicWall Cyber Threat Report

The cyber arms race is a challenge we face together. And it’s the core reason we’re committed to passing our findings, intelligence, analysis and research to the global public via the SonicWall 2018 Cyber Threat Report.

RSA Conference 2018: SonicWall is Hot

Fresh off of April’s massive SonicWall Capture Cloud Platform launch, SonicWall has been featured in a pair of CRN articles highlighting the hottest products at RSA Conference 2018.

The SonicWall Capture Cloud Platform is lauded in CRN’s “10 Hot New Cloud Security Products Announced at RSA 2018” listing. CRN recaps the platform’s ability to integrate security, management, analytics and real-time threat intelligence across SonicWall’s portfolio of network, email, mobile and cloud security products.

Complementing that accolade, a pair of new SonicWall products were listed in the “20 Hot New Security Products Announced at RSA 2018” category. The new SonicWall NSv virtual firewall (slide 7) and SonicWall Capture Client (slide 12) endpoint protection were showcased.

SonicWall Capture Client is a unified endpoint offering with multiple protection capabilities. With a next-generation malware protection engine powered by SentinelOne, Capture Client delivers advanced threat protection techniques, such as machine learning and system rollback.

SonicWall Network Security virtual (NSv) firewalls protect all critical components of your private/public cloud environment from resource misuse attacks, cross virtual machine attacks, side channel attacks and common network-based exploits and threats. It captures traffic between virtual machines (VM) and networks for automated breach prevention and establishes access control measures for data confidentiality and ensures VMs safety and integrity.

Did WannaCry Perpetrators Ever Get Their Ransom?

Cyber criminals prefer to receive ransom in the cyber currency Bitcoin because it is anonymous. The truth is “sort of.” Let’s take a closer look at how Bitcoins work, and how the WannaCry perpetrators, possibly the Lazarus Group, want to be paid.

Bitcoins are different from fiat currencies because, with Bitcoins, no actual coins or bills exist, not even digital ones. With a fiat currency like the dollar, money is represented by actual coins and bills that can be physically stored. Depending on how you pay, your transaction is not recorded or, more often, either recorded anonymously or via an account number, such as a credit card number.

In any case, the number of coins and bills, either in actual money that you have on hand or what is recorded on your bank account, is decreased. With Bitcoins, you only have the transaction. Transactions are always public, and can be viewed by anyone. That is right: public, anyone. Anybody can see that money was paid from your account to that of WannaCry. What is different from fiat currencies, though, is that the actual ownership of an account is not necessarily known to anyone. It can be completely anonymous. This is a bit similar to a Swiss numbered account.

Let’s summarize: the ownership of an account in Bitcoin may or may not be known to anyone, or generally public. The transaction, however, is always public. Bitcoin tracks transactions in so-called Blocks that are linked in a Blockchain. In order to find out how much money somebody has, a “wallet” application would have to browse through the entire Blockchain and select out any transaction that involves the owner’s account number(s).

Different from fiat currencies, though, with Bitcoin, account numbers are free and one can have an endless amount of them. If somebody wants to be completely anonymous, they would use a new account number for every single transaction. Wallet or Account software would make it easy to keep track of them.

WannaCry made use of only three hard-coded account numbers:

Why didn’t WannaCry use a new account number for every instance of WannaCrypt0r to be installed? The answer might be: because in order to get the money from a Bitcoin account, one has to first generate the account number/private key pair, AND be in possession of the private key. Without the private key, they could not get their money: if the private key is being generated within WannaCrypt0r it would need to be communicated reliably where the hostage takers would have real-time access to it. That would give the perpetrators away. If the keys are generated somewhere in the cloud, the communication of private keys may be disguised in some layers of Darknet labyrinth, but it would be easy to shut them down by taking the key servers offline which would be easy to sniff. Also using hundreds or thousands of account numbers would not make it necessarily significantly more difficult for security experts to track payments.

The bigger question is how the perpetrators can associate a payment with a specific instance of WannaCry. With a uniquely generated account number that might be easy. But there does not appear to be any way to link the two, other than manually via the Contact Us button in WannaCrypt0r. In fact, the function of the Check Payment button appears dubious at best. Supposedly, it fetches the private key, but there is no public record of anybody ever having received it. The question is whether it actually works.

How would the perpetrators get the money after people paid ransom? Good question. Since transactions are public, we would know the account numbers to which the money is being transferred. In order to exchange the BTC into a fiat currency, the perpetrators would need to go to an exchange, and exchanges are more and more government regulated. While a small-scale thug might slip through, the likelihood that a group of Lazarus’ size would stay anonymous is small. The WannaCry perpetrators also could exchange their account numbers for different ones in so-called Mixer services as well as in Account or Wallet services. Again, a small-time thief might stay anonymous, but not when the NSA and every other state actor is after you.

In short, it is very possible that the WannaCry perpetrators never get their money. However, at the same time it is very possible that you never get the key either to recover your files. Even worse, your organization will be on the public record for having paid the extortionists, something which is not good publicity.

For so many reasons it is not a good idea to ever pay ransom, but specifically in the case of WannaCry it is practically pointless.

SonicWall Protects Customers from the Latest Massive WannaCry Ransomware Attack

Note: This blog was updated on Monday, May 15.

First, if you are a SonicWall customer and you are using our Gateway Anti-Virus, Intrusion Prevention service, and Capture Advanced Threat Protection then your SonicWall firewall has been protecting your network from WannaCry ransomware and the worm that spreads it since 17 April, 2017. Since the release of the first version of the code, we have identified several new variants and have released additional counter measures. We will continue to update this blog as our Capture Labs research team uncovers more information and as additional protection is automatically rolled out to our customers’ firewalls.

Here’s more:

The Attack

This massive ransomware attack became infamous by shutting down a number of hospitals in the UK’s National Health Service (NHS) system and thus preventing patients from receiving critical care. The attack hit over 100 countries across the world with an untold number of victims. WannaCry is a combination of a Trojan/ransomware and a worm that leverages an SMB file sharing protocol exploit named EternalBlue. The Shadow Brokers leaked EternalBlue in April 2017 as part of a bigger dump of NSA developed exploits. This exploit affects various versions of Microsoft Windows operating systems, including a number of versions that are in end-of-life status. Although Microsoft released a large number of patches on March 14 to address this vulnerability, the attack remains dangerous as many organizations have not applied the patch.

The first version of the worm/ransomware package had a kill switch that was accidentally used to disable the worm feature, which slowed its advance on Friday, 12 May 2017. However, new variants are appearing in the wild without this weakness. While the first version of the worm code can no longer spread the ransomware code, systems encrypted by WannaCry 1.0 will remain encrypted. Unfortunately, there is no known decryption method to recover files affected by WannaCry without paying cyber criminals (which is not advised).

Since Friday, 12 May 2017, SonicWall’s Capture Labs released six new signatures to block all known versions of WannaCry.  It is also worth noting that SonicWall security services on the firewall have built-in protections against the many components of this code, ranging from blocking contact with WannaCry Command and Control (C&C) servers to blocking attempts at exploitation of any unpatched SMB Microsoft vulnerabilities (such as EternalBlue).

WannaCry Ransomware

The Protection

SonicWall Capture Labs analyzed the EternalBlue attack in mid-April immediately after the Shadow Brokers file dump and rolled out protection for all SonicWall firewall customers well in advance of the first public attack.  All known versions of this exploit can be blocked from SonicWall protected networks via active next-generation firewall security services.

As a SonicWall customer, ensure that your next-generation firewall has an active Gateway Security subscription to receive automatic real-time protection from known ransomware attacks such as WannaCry. Gateway Security includes Gateway Anti-virus (GAV), Intrusion Prevention (IPS), Botnet Filtering, and Application Control. This set of technology has signatures against WannaCry (part of GAV), protections against vulnerabilities outlined in Microsoft’s security bulletin MS17-010 (part of IPS), and it blocks communication with the C&C servers where WannaCry’s payload comes from (part of botnet filtering).

Since SonicWall Email Security uses the same signatures/definitions as Gateway Security, we can effectively block the emails that deliver the initial route to infection. Ensure all email security services are also up to date to block malicious emails. Since 65% of all ransomware attacks happen through phishing emails, this needs to be a major focus when giving security awareness training. Additionally, customers with SonicWall Content Filtering Service should activate it to block communication with malicious URLs and domains, which works in much the same way that Botnet filtering disrupts C&C communication.

As a best practice always deploy Deep Packet Inspection of all SSL/TLS (DPI-SSL) traffic since more than 50% of malware is encrypted. This will enable your SonicWall security services to identify and block all known ransomware attacks. Enabling DPI-SSL also allows the firewall to examine and send unknown files to SonicWall Capture Advanced Threat Protection for multi-engine processing to discover and stop unknown ransomware variants.

View our webpage to learn more on how SonicWall protects against ransomware.

WannaCrypt Signatures

The most recent list of GAV/IPS signatures against EternalBlue and WannaCrypt as of 14 May 2017 at 11:45 AM PST

What’s Next

The party behind this attack has already released several variations of this attack for which we have established protections in place (see above). To ensure you are safe from newly developed updates and similar copycat attacks, first apply the Windows patch provided by Microsoft listed in the resources section.  Second, apply Capture Advanced Threat Protection (Capture ATP), SonicWall’s multi-engine network sandbox, to examine suspicious files coming into your network to discover and stop the latest threats just as we did with Cerber ransomware. Enable the service’s block until verdict feature to analyze all files at the gateway to eliminate malware before it can enter your network. Additionally, Capture Labs will continue to email customers Sonic Alerts on new threats.

Finally, phishing emails are the most common delivery mechanism for ransomware. It is possible that future variants of this ransomware will be delivered via emails. SonicWall’s email security solution uses Advanced Reputation Management (ARM) to inspect not only the sender IP but also the message content, embedded URLs and attachments. In addition, make sure you enable SPF, DKIM and DMARC advanced email authentication to identify and block spoofed emails and protect from spam and phishing attacks. For the best possible protection against such attacks, deploy SonicWall’s email security solution with Capture ATP service to inspect every email attachment in a multi-engine sandbox environment.

Apart from the SonicWall security protections in place (listed above), as a best practice we recommend disallowing or blocking inbound SMB traffic (TCP 445, UDP ports 137-138, and TCP 139) and RDP traffic coming from the internet on edge-facing firewalls. If such access is required, implement secure remote access solutions like IPsec or SSL-VPN with proper authentication mechanisms in place.

Apply vulnerability patches on servers and PCs as recommended in the Microsoft MS17-010 bulletin (listed above and below), disable SMBv1 communication (limit access via SMBv2/v3), and monitor for any suspicious activity on TCP 445.
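One way to check both recommendations against flow logs is sketched below as an added example (not SonicWall code or a firewall feature). The log format, the 10.0.0.0/8 internal range, the fan-out threshold and the time window are assumptions, the sample records are constructed, and TCP 3389 is used as RDP's default port, which the text does not name.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")        # assumption: the protected network
BLOCKED_INBOUND = {("tcp", 445), ("tcp", 139), ("udp", 137), ("udp", 138),
                   ("tcp", 3389)}           # SMB/NetBIOS ports from the text, plus RDP's default
FANOUT_LIMIT = 3                            # assumed threshold: distinct peers on TCP 445
WINDOW = 60                                 # assumed sliding window, in seconds

# Constructed flow records: epoch_seconds src dst proto dst_port action
SAMPLE = """\
1000 203.0.113.9 10.0.0.5 tcp 445 allow
1001 203.0.113.9 10.0.0.5 tcp 3389 deny
1002 10.0.0.7 10.0.0.20 tcp 445 allow
1010 10.0.0.7 10.0.0.21 tcp 445 allow
1015 10.0.0.7 10.0.0.22 tcp 445 allow
1020 10.0.0.7 198.51.100.4 tcp 445 deny
1030 10.0.0.8 10.0.0.20 tcp 445 allow
1500 10.0.0.8 10.0.0.21 tcp 445 allow
1600 198.51.100.4 10.0.0.9 udp 137 allow
"""

def analyze(text):
    """Return (edge exposures, {internal host: peak distinct TCP 445 peers})."""
    exposed, recent, fanout = [], defaultdict(list), {}
    for line in text.splitlines():
        ts, src, dst, proto, port, action = line.split()
        ts, port = int(ts), int(port)
        src_in = ip_address(src) in INTERNAL
        dst_in = ip_address(dst) in INTERNAL
        # Rule 1: an internet source was allowed to a port that should be closed at the edge.
        if not src_in and dst_in and (proto, port) in BLOCKED_INBOUND and action == "allow":
            exposed.append((src, dst, proto, port))
        # Rule 2: one internal host contacting many distinct peers on TCP 445 (worm-like spread).
        if src_in and (proto, port) == ("tcp", 445):
            seen = [(t, d) for t, d in recent[src] if ts - t <= WINDOW] + [(ts, dst)]
            recent[src] = seen
            peers = {d for _, d in seen}
            if len(peers) > FANOUT_LIMIT:
                fanout[src] = max(fanout.get(src, 0), len(peers))
    return exposed, fanout

if __name__ == "__main__":
    print(analyze(SAMPLE))
```

Denied attempts are counted in the fan-out rule on purpose: a host that keeps trying new peers on TCP 445 is worth investigating even when the firewall stops each connection.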

Resources

Infographic: 300 Companies Defend Their Data from Zero-Day Threats with SonicWall Capture

To understand how SonicWall Capture Advanced Threat Protection Service (ATP) protects the average company we looked at the data for 300 networks. SonicWall Capture ATP examines suspicious code and files to discover never-before-seen zero-day attacks.  So, in one day, how many of these new variants did Capture find?  See the infographic below to see what you could be up against without it. Read more about SonicWall Capture in my earlier blog: We are Sparta; the Battle to Defend Our Data From Invaders. Already a fan of SonicWall Capture? Share the infographic with your followers.

Infographic on zero-day threats

Explore Advantages of SonicWall Security As A Service

Don’t try this at home… go with next-gen firewall experts

Cyber attacks are relentless, and increasing in volume, intensity and sophistication. The sophistication of these attacks is beyond your wildest imagining. Do you have the security expertise to guard your business and customer data yourself? Today, more organizations are outsourcing to Security-as-a-Service (SECaaS).

In this two-part blog, I will discuss the top advantages to securing your business with enterprise-class security solutions provided to you as a service. In this first blog, I’ll cover the first four core advantages of SECaaS. In the second, I’ll explore more why this service could work to fit your infrastructure.

Optimally, a Security-as-a-Service provider should enable you to do the following:

1. Outsource your network security to an experienced security provider

Maximize your security position by utilizing certified partners skilled in your next-gen firewalls and associated security technologies. With the right SECaaS solution, you can easily realize the benefits of having an experienced partner overseeing everything for you.

2. Have your SECaaS firewall solution expertly configured by certified engineers

Each business is unique and the firewalls should be built and configurable to fit your needs. Your Security-as-a-Service next-gen firewall solution should block threats on multiple entry points including those from employee laptops, mobile devices and desktops. (Now, even cameras have had malware loaded on them.) You will want custom SECaaS protection for retail, and to address the need for high-speed wireless network security. For private schools, you will want to protect students and the devices issued to them.

3. The efficiencies of a turn-key solution delivered to your doorstep

You will want your SECaaS solution to have a next-gen firewall, with gateway anti-malware, intrusion prevention and content filtering. All of it should be installed, configured, deployed and managed as one unit. Event data should be available through one reporting system to enable proactive monitoring and reporting. Your SECaaS solution should identify threats before your business is impacted.

4. Mobile Mobile Mobile

Allow your employees to access your network while on the road on any device at any time. Your SECaaS should include secure mobile access and VPN for Windows, Apple iOS and Android devices, and enable guest vendors/contractors to use the network securely.

Find out how SonicWall Security-as-a-Service (SECaaS) can do it all for you. SonicWall SECaaS provides you with the same level of network security that NASA demands and protects your network from a wide range of emerging threats. Pay month to month for a solution that fits your security needs. SonicWall certified partners are relied upon every day and have gone through rigorous training and education. You will be so happy you did not try this at home.